
Watch: Project signature verification with GPG and ansible-sign

Learn how to GPG-sign an Ansible project using the ansible-sign command line tool. Watch a live Playbook by Luca Berton and transform your project from non-signed to securely signed.

How to verify an Ansible project signature?

A step-by-step guide to verifying the signature of a GPG-signed Ansible project with ansible-sign.

I'm going to show you a live Playbook with some simple Ansible code.

I'm Luca Berton, and welcome to today's episode of Ansible Pilot.

ansible-sign

  • available since 2022
  • command line
  • GPG signature

The ansible-sign command has been available since 2022 and can be installed on most modern operating systems.

It is a command-line tool that simplifies the project signing process from your terminal.

Using the ansible-sign command, we can verify the GPG signature of an Ansible project.

Playbook

  • GPG signature verification of a project

I'm going to show you how to verify the signature of an Ansible project using the ansible-sign command line utility.

At the beginning of this example, we start with a project with all our Ansible files already signed with a GPG signature.

By the end of this Playbook, we will have verified whether the signature is correct for the current Ansible project directory.

Project directory files:

  • playbooks/ping.yml

```yaml
---
- name: ping module Playbook
  hosts: all
  tasks:
    - name: test connection
      ansible.builtin.ping:
```

  • inventory

```
localhost ansible_connection=local
```

  • MANIFEST.in

```text
recursive-exclude .git *
include inventory
recursive-include playbooks *.yml
```

Project signature files:

  • .ansible-sign/sha256sum.txt

```text
8fda56fd3288141367f151fcaf8e3fca5d4b46cfe3ba7d8dfc66b17205284efd  MANIFEST.in
49960de5880e8c687434170f6476605b8fe4aeb9a28632c7995cf3ba831d9763  inventory
1c666ccae8a05445d2c8b36341dec1671093999d995944e2ecdce671fc474f7c  playbooks/ping.yml
```

  • .ansible-sign/sha256sum.txt.sig

```text
-----BEGIN PGP SIGNATURE-----

iHUEABYKAB0WIQRFr0MY44L/nHcn7m7siNPNNZbCMAUCY8KpMQAKCRDsiNPNNZbC
MJvaAP97QUbnymXHaco5ZnF6vrReOc/7C7e8YDxSfh+6fsjbPAEAsnk4t4jTihkm
O15QNa+3EwelTLjjeZkHfFyY1YPD6QE=
=4rnz
-----END PGP SIGNATURE-----
```
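The checksum file lists one SHA-256 digest per signed file. The script below is an added example (not code from this page or from the ansible-sign project) that recomputes each digest and reports files that were changed or removed after signing. The function names and the sample project are constructed for illustration, and the GPG check of `sha256sum.txt.sig` is not performed here.

```python
import hashlib
import tempfile
from pathlib import Path

CHECKSUMS = Path(".ansible-sign") / "sha256sum.txt"


def parse_checksum_file(text):
    """Parse sha256sum-style lines ('<hex digest> <path>') into {path: digest}."""
    pairs = (line.split(maxsplit=1) for line in text.splitlines() if line.strip())
    return {path.strip(): digest.lower() for digest, path in pairs}


def check_files(root):
    """Return {path: 'ok' | 'changed' | 'missing'} for every listed file."""
    # Only meaningful once the detached signature over the checksum file has
    # been verified; that GPG step is outside this example.
    root = Path(root)
    status = {}
    for rel, expected in parse_checksum_file((root / CHECKSUMS).read_text()).items():
        target = root / rel
        if not target.is_file():
            status[rel] = "missing"
        else:
            actual = hashlib.sha256(target.read_bytes()).hexdigest()
            status[rel] = "ok" if actual == expected else "changed"
    return status


def build_demo_project(root):
    """Write a constructed sample project using the file names from this page."""
    root = Path(root)
    files = {"inventory": b"localhost ansible_connection=local\n",
             "playbooks/ping.yml": b"---\n- name: ping module Playbook\n  hosts: all\n"}
    lines = []
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(body)
        lines.append(f"{hashlib.sha256(body).hexdigest()}  {rel}\n")
    (root / CHECKSUMS).parent.mkdir()
    (root / CHECKSUMS).write_text("".join(lines))
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_project(tmp)
        (root / "playbooks" / "ping.yml").write_bytes(b"tampered\n")
        print(check_files(root))  # the edited playbook is reported as changed
```

A digest match proves nothing on its own, because anyone who can edit a playbook can also edit `sha256sum.txt`; the detached signature over that file is what ties the digests to the signer's key.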

1. install ansible-sign

Check whether the ansible-sign command is available in your terminal. If you get a command not found error, you need to install it.

```bash
$ ansible-sign
command not found: ansible-sign
```

When the package is not available in our favorite package manager (apt, DNF, yum, zypper, brew, conda), we can rely on pip, the Python package manager:

```bash
$ pip3 install ansible-sign
```

Expected output:

```bash
$ pip3 install ansible-sign
Collecting ansible-sign
Downloading ansible_sign-0.1.1-py3-no
```
