Verified Commit df1b75d8 authored by Levente Polyak's avatar Levente Polyak 🚀

security_tracker: receive valid signing keys and verify git commits

Ensure we only allow deploying commits that were signed with keys we
mark as trusted signing keys for the security tracker.
parent c91f4cf5
......@@ -48,8 +48,15 @@
service: name="security-tracker-update.timer" enabled=no state=stopped
when: maintenance is defined
- name: receive valid signing keys
become: true
become_user: security
command: /usr/bin/gpg --keyserver keys.openpgp.org --recv "{{ item }}"
with_items:
- E240B57E2C4630BA768E2F26FC1B547C8D8172C8
- name: clone security-tracker repo
git: repo=https://github.com/archlinux/arch-security-tracker.git version="{{ security_tracker_version }}" dest="{{ security_tracker_dir }}" force=true
git: repo=https://github.com/archlinux/arch-security-tracker.git version="{{ security_tracker_version }}" dest="{{ security_tracker_dir }}" force=true verify_commit=true
become: true
become_user: security
register: release
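Review bot: `verify_commit=true` on the clone task only requires a good signature from some key present in the `security` user's GnuPG keyring; git does not require that key to carry any trust level, so the check is exactly as strict as that keyring's contents, and the new `gpg --recv` task adds to whatever keys are already there rather than defining the allowed set. If the keyring is meant to hold only the listed fingerprint, say so where the next maintainer will see it, e.g. `# verify_commit accepts any key in this user's keyring; keep this list the only source of keys there` above `with_items`. The keyserver fetch also makes every deploy depend on keys.openpgp.org being reachable and, as a `command` task, reports `changed` on each run; importing the public key from a file shipped with the role via `gpg --import` with `changed_when: false` avoids both while the fingerprint still identifies the expected key. Indentation is lost in this rendering, so I assume the new task sits at the same level as the surrounding tasks.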