aurweb: Verify the commit is signed with Kevin's PGP key

c2b1d1f4 · Kristian Klausen · 0eb112c6 · c2b1d1f4 · c2b1d1f4
Commit c2b1d1f4 authored 3 years ago by Kristian Klausen
--- a/roles/aurweb/defaults/main.yml
+++ b/roles/aurweb/defaults/main.yml
@@ -9,6 +9,7 @@ aurweb_git_dir: "{{ aurweb_dir }}/aur.git"
 aurweb_git_hook: '/usr/local/bin/aurweb-git-update'
 aurweb_nginx_conf: '/etc/nginx/nginx.d/aurweb.conf'
 aurweb_version: 'live'
+aurweb_pgp_keys: ['0F985B6F99B6686854C44EC3F7E46DED420788F3']

 aurweb_db: 'aur'
 aurweb_db_host: 'localhost'

--- a/roles/aurweb/tasks/main.yml
+++ b/roles/aurweb/tasks/main.yml
@@ -32,11 +32,21 @@
 - name: Create directory
  file: path={{ aurweb_dir }} state=directory owner={{ aurweb_user }} group=http mode=0775

+- name: receive valid signing keys
+  command: /usr/bin/gpg --keyserver keys.openpgp.org --recv {{ item }}
+  loop: '{{ aurweb_pgp_keys }}'
+  become: true
+  become_user: "{{ aurweb_user }}"
+  register: gpg
+  changed_when: "gpg.rc == 0"
+
 - name: clone aurweb repo
  git: >
    repo={{ aurweb_repository }}
    dest="{{ aurweb_dir }}"
    version={{ aurweb_version }}
+    verify_commit: true
+    gpg_whitelist: '{{ aurweb_pgp_keys }}'
  become: true
  become_user: "{{ aurweb_user }}"
  register: release