security_tracker: receive valid signing keys and verify git commits

Ensure we only allow to dpeloy commits that were signed with keys we mark as trusted signing keys for the security tracker.

security_tracker: receive valid signing keys and verify git commits
Ensure we only allow to dpeloy commits that were signed with keys we mark as trusted signing keys for the security tracker.
df1b75d8 · Levente Polyak · c91f4cf5 · df1b75d8
Verified Commit df1b75d8 authored Sep 26, 2019 by Levente Polyak 🚀
--- a/roles/security_tracker/tasks/main.yml
+++ b/roles/security_tracker/tasks/main.yml
@@ -48,8 +48,15 @@
  service: name="security-tracker-update.timer" enabled=no state=stopped
  when: maintenance is defined

+- name: receive valid signing keys
+  become: true
+  become_user: security
+  command: /usr/bin/gpg --keyserver keys.openpgp.org --recv "{{ item }}"
+  with_items:
+    - E240B57E2C4630BA768E2F26FC1B547C8D8172C8
+
 - name: clone security-tracker repo
-  git: repo=https://github.com/archlinux/arch-security-tracker.git version="{{ security_tracker_version }}" dest="{{ security_tracker_dir }}" force=true
+  git: repo=https://github.com/archlinux/arch-security-tracker.git version="{{ security_tracker_version }}" dest="{{ security_tracker_dir }}" force=true verify_commit=true
  become: true
  become_user: security
  register: release