From c2b1d1f4baa432d3b78cd26cf6961e1bd60ec8d1 Mon Sep 17 00:00:00 2001
From: Kristian Klausen <kristian@klausen.dk>
Date: Mon, 7 Feb 2022 23:13:55 +0100
Subject: [PATCH] aurweb: Verify the commit is signed with Kevin's PGP key

---
 roles/aurweb/defaults/main.yml |  1 +
 roles/aurweb/tasks/main.yml    | 10 ++++++++++
 2 files changed, 11 insertions(+)

diff --git a/roles/aurweb/defaults/main.yml b/roles/aurweb/defaults/main.yml
index b4e2669a5..f5f5f2141 100644
--- a/roles/aurweb/defaults/main.yml
+++ b/roles/aurweb/defaults/main.yml
@@ -9,6 +9,7 @@ aurweb_git_dir: "{{ aurweb_dir }}/aur.git"
 aurweb_git_hook: '/usr/local/bin/aurweb-git-update'
 aurweb_nginx_conf: '/etc/nginx/nginx.d/aurweb.conf'
 aurweb_version: 'live'
+aurweb_pgp_keys: ['0F985B6F99B6686854C44EC3F7E46DED420788F3']
 
 aurweb_db: 'aur'
 aurweb_db_host: 'localhost'
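Review bot: `aurweb_pgp_keys` is introduced without a comment saying what the fingerprint is trusted for or whose key it is, which a later maintainer rotating keys will need; the commit subject identifies it as Kevin's key but the defaults file does not. Add a comment above the line, for example `# Full fingerprints of keys trusted to sign aurweb commits (checked by verify_commit in tasks/main.yml)`. Keeping the value as a list of full 40-character fingerprints, as done here, is the right shape for `gpg_whitelist`.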
diff --git a/roles/aurweb/tasks/main.yml b/roles/aurweb/tasks/main.yml
index 01c637afe..5691b605f 100644
--- a/roles/aurweb/tasks/main.yml
+++ b/roles/aurweb/tasks/main.yml
@@ -32,11 +32,21 @@
 - name: Create directory
   file: path={{ aurweb_dir }} state=directory owner={{ aurweb_user }} group=http mode=0775
 
+- name: receive valid signing keys
+  command: /usr/bin/gpg --keyserver keys.openpgp.org --recv {{ item }}
+  loop: '{{ aurweb_pgp_keys }}'
+  become: true
+  become_user: "{{ aurweb_user }}"
+  register: gpg
+  changed_when: "gpg.rc == 0"
+
 - name: clone aurweb repo
   git: >
     repo={{ aurweb_repository }}
     dest="{{ aurweb_dir }}"
     version={{ aurweb_version }}
+    verify_commit: true
+    gpg_whitelist: '{{ aurweb_pgp_keys }}'
   become: true
   become_user: "{{ aurweb_user }}"
   register: release
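Review bot: The added lines `verify_commit: true` and `gpg_whitelist: '{{ aurweb_pgp_keys }}'` sit inside the `git: >` folded scalar, so they are appended to the free-form `key=value` argument string rather than passed as module parameters; as far as I can tell Ansible does not parse `key: value` tokens in that form, so the signature check this commit intends is unlikely to take effect, and a list-typed `gpg_whitelist` cannot be passed as a list that way in any case. Convert the task to a block mapping so every parameter is passed natively and the templates are quoted. The `clone aurweb repo` task may continue past `register: release` outside the hunk. A secondary point on the new key-receiving task: `changed_when: "gpg.rc == 0"` reports a change on every successful run, which hides whether a key was actually imported.
```yaml
- name: clone aurweb repo
  git:
    repo: "{{ aurweb_repository }}"
    dest: "{{ aurweb_dir }}"
    version: "{{ aurweb_version }}"
    verify_commit: true
    gpg_whitelist: "{{ aurweb_pgp_keys }}"
  # … unchanged: become, become_user, register …
```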
-- 
GitLab