How to sign an Ansible project?

From a non-signed to a GPG-signed Ansible project.

I'm going to show you a live Playbook with some simple Ansible code.

I'm Luca Berton, and welcome to today's episode of Ansible Pilot.

ansible-sign

  • available since 2022
  • GPG signature
  • command line

The ansible-sign command has been available since 2022 and can be installed on most modern operating systems.

It is a command line tool that simplifies the project signing process from your terminal.

Using the ansible-sign command, you sign a project using a GPG signature.

Playbook

  • GPG sign a project

I'm going to show you how to sign an Ansible project using the ansible-sign command line utility.

At the beginning of this example, we start with a project with all our Ansible files without any GPG signature files.

By the end of this Playbook, you will have obtained a GPG-signed project directory.

Project directory files:

  • playbooks/ping.yml

```yaml
---
- name: ping module Playbook
  hosts: all
  tasks:
    - name: test connection
      ansible.builtin.ping:
```

  • inventory

```ini
localhost ansible_connection=local
```

  • MANIFEST.in

```ini
recursive-exclude .git *
include inventory
recursive-include playbooks *.yml
```
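The MANIFEST.in above decides which files become part of the signed content: every path it selects is checksummed, and it is that checksum manifest that ansible-sign later GPG-signs. The following Python example is added here to make that selection step visible; it is not ansible-sign's own code and it deliberately stops short of the GPG step. It reproduces the three directives used in this project (`include`, `recursive-include`, `recursive-exclude`), builds a `sha256sum`-style manifest, and shows how a later verification detects a file that was modified after signing. The temporary project it creates (including a dummy `.git/config`) is constructed sample input; the error wording for a malformed `recursive-include` is copied from the ansible-sign message shown further down in this article.

```python
import fnmatch
import hashlib
import tempfile
from pathlib import Path


def parse_manifest(text):
    """Parse the subset of MANIFEST.in directives used in this article.

    Returns a list of (kind, directory, patterns) rules in file order.
    'directory' is None for a plain 'include' of top-level paths.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = line.split()
        if cmd == "include":
            rules.append(("include", None, args))
        elif cmd in ("recursive-include", "recursive-exclude"):
            if len(args) < 2:
                # Same condition ansible-sign reports for a malformed directive.
                raise ValueError(f"'{cmd}' expects <dir> <pattern1> <pattern2> ...")
            kind = "include" if cmd == "recursive-include" else "exclude"
            rules.append((kind, args[0].rstrip("/"), args[1:]))
        else:
            raise ValueError(f"unsupported MANIFEST.in directive: {cmd}")
    return rules


def select_files(project, rules):
    """Apply the rules in order (include adds, exclude removes) to the tree."""
    project = Path(project)
    all_files = sorted(p.relative_to(project).as_posix()
                       for p in project.rglob("*") if p.is_file())
    selected = set()
    for kind, directory, patterns in rules:
        for rel in all_files:
            if directory is None:
                hit = any(fnmatch.fnmatch(rel, pat) for pat in patterns)
            else:
                # Recursive directives match the basename anywhere below the directory.
                inside = rel.startswith(directory + "/")
                hit = inside and any(fnmatch.fnmatch(Path(rel).name, pat) for pat in patterns)
            if hit:
                (selected.add if kind == "include" else selected.discard)(rel)
    return sorted(selected)


def build_checksum_manifest(project, rules):
    """Produce sha256sum-style lines ('<hex digest>  <relative path>')."""
    lines = []
    for rel in select_files(project, rules):
        digest = hashlib.sha256((Path(project) / rel).read_bytes()).hexdigest()
        lines.append(f"{digest}  {rel}")
    return "\n".join(lines) + "\n"


def verify_checksum_manifest(project, manifest_text):
    """Return the listed paths that are missing or whose content changed."""
    bad = []
    for line in manifest_text.splitlines():
        digest, rel = line.split("  ", 1)
        path = Path(project) / rel
        if not path.is_file() or hashlib.sha256(path.read_bytes()).hexdigest() != digest:
            bad.append(rel)
    return bad


MANIFEST_IN = """\
recursive-exclude .git *
include inventory
recursive-include playbooks *.yml
"""


def demo():
    """Build the article's project in a temp dir, checksum it, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        project = Path(tmp)
        # Constructed sample project mirroring the article's layout.
        (project / ".git").mkdir()
        (project / ".git" / "config").write_text("[core]\n")
        (project / "MANIFEST.in").write_text(MANIFEST_IN)
        (project / "inventory").write_text("localhost ansible_connection=local\n")
        (project / "playbooks").mkdir()
        (project / "playbooks" / "ping.yml").write_text(
            "---\n- name: ping module Playbook\n  hosts: all\n  tasks:\n"
            "    - name: test connection\n      ansible.builtin.ping:\n")

        rules = parse_manifest(MANIFEST_IN)
        manifest = build_checksum_manifest(project, rules)
        before = verify_checksum_manifest(project, manifest)
        # Simulate a post-signing modification of a signed file.
        with open(project / "playbooks" / "ping.yml", "a") as fh:
            fh.write("    - name: injected task\n      ansible.builtin.debug:\n")
        after = verify_checksum_manifest(project, manifest)
        return {"selected": select_files(project, rules),
                "tampered_before": before, "tampered_after": after}


if __name__ == "__main__":
    print(demo())
```

Note that `.git/config` never reaches the manifest, while `MANIFEST.in` itself is not selected by these three rules either; what is not listed is not protected by the signature, so the manifest is worth reviewing as carefully as the playbooks. The GPG signature over the manifest is what ties the checksums to a key; the checksums alone only tell you that the tree differs from what was listed.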

1. install ansible-sign

Verify if the ansible-sign command is available in your terminal. When you obtain a command not found error, you should install it.

```bash
$ ansible-sign
command not found: ansible-sign
```

When the package is not available in our favorite package manager (apt, DNF, yum, zypper, brew, conda), we can rely on the PIP Python package manager:

```bash
$ pip3 install ansible-sign
```

Expected output:

```bash
$ pip3 install ansible-sign
Collecting ansible-sign
  Downloading ansible_sign-0.1.1-py3-none-any.whl (15 kB)
Requirement already satisfied: distlib in /opt/homebrew/lib/python3.10/site-packages (from ansible-sign) (0.3.6)
Requirement already satisfied: python-gnupg in /opt/homebrew/lib/python3.10/site-packages (from ansible-sign) (0.5.0)
Installing collected packages: ansible-sign
Successfully installed ansible-sign-0.1.1
```

By the end of this step, the command will be available with the following output:

```bash
$ ansible-sign
usage: ansible-sign [-h] [--version] [--debug] [--nocolor] CONTENT_TYPE ...
ansible-sign: error: the following arguments are required: CONTENT_TYPE
```

2. create a MANIFEST.in file

When the MANIFEST.in file is not present, we obtain the following message on the screen:

```bash
$ ansible-sign project gpg-sign .
[ERROR] Could not find a MANIFEST.in file in the specified project.
[NOTE ] If you are attempting to sign a project, please create this file.
[NOTE ] See the ansible-sign documentation for more information.
```

When part of the MANIFEST.in file is not correct, we obtain the following error on the screen:

```bash
[ERROR] An error was encountered while parsing MANIFEST.in: 'recursive-include' expects <dir> <pattern1> <pattern2> ...
[NOTE ] You can use the --de
```