AnsiblePilot — Master Ansible Automation

About Luca Berton

Luca Berton is an Ansible automation expert, author of "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example" published by Apress, and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.

Project signature verification with GPG and ansible-sign — Video Tutorial

Learn how to GPG-sign an Ansible project using the ansible-sign command line tool. Watch a live Playbook by Luca Berton and transform your project from non-signed to securely signed.

Full Tutorial Content

How to verify an Ansible project signature?

This is a step-by-step guide to verifying the signature of a GPG-signed Ansible project using the `ansible-sign` command. I'm going to show you a live Playbook with some simple Ansible code. I'm Luca Berton, and welcome to today's episode of Ansible Pilot.

ansible-sign

- available since 2022
- command line
- GPG signature

The `ansible-sign` command has been available since 2022 for installation on most modern operating systems. It is a command line tool to simplify the project signing process using your terminal. Using the `ansible-sign` command, we can verify the GPG signature of an Ansible project.

Playbook: GPG signature verification of a project

I'm going to show you how to verify the signature of an Ansible project using the `ansible-sign` command line utility. At the beginning of this example, we start with a project with all our Ansible files already signed with a GPG signature. By the end of this Playbook, we will verify whether the signature is correct for the current Ansible project directory.

Project directory files:

- playbooks/ping.yml

```yaml
---
- name: ping module Playbook
  hosts: all
  tasks:
    - name: test connection
      ansible.builtin.ping:
```

- inventory

```
localhost ansible_connection=local
```

- MANIFEST.in

```text
recursive-exclude .git *
include inventory
recursive-include playbooks *.yml
```

Project signature files:

- `.ansible-sign/sha256sum.txt`

```text
8fda56fd3288141367f151fcaf8e3fca5d4b46cfe3ba7d8dfc66b17205284efd  MANIFEST.in
49960de5880e8c687434170f6476605b8fe4aeb9a28632c7995cf3ba831d9763  inventory
1c666ccae8a05445d2c8b36341dec1671093999d995944e2ecdce671fc474f7c  playbooks/ping.yml
```

- `.ansible-sign/sha256sum.txt.sig`

```text
-----BEGIN PGP SIGNATURE-----

iHUEABYKAB0WIQRFr0MY44L/nHcn7m7siNPNNZbCMAUCY8KpMQAKCRDsiNPNNZbC
MJvaAP97QUbnymXHaco5ZnF6vrReOc/7C7e8YDxSfh+6fsjbPAEAsnk4t4jTihkm
O15QNa+3EwelTLjjeZkHfFyY1YPD6QE=
=4rnz
-----END PGP SIGNATURE-----
```

1. install ansible-sign

Check whether the `ansible-sign` command is available in your terminal. If you get a "command not found" error, you need to install it.

```bash
$ ansible-sign
command not found: ansible-sign
```

When the package is not available in our favorite package manager (apt, DNF, yum, zypper, brew, conda), we can rely on the PIP Python package manager:

```bash
$ pip3 install ansible-sign
```

Expected output:

```bash
$ pip3 install ansible-sign
Collecting ansible-sign
  Downloading ansible_sign-0.1.1-py3-none-any.whl (15 kB)
Requirement already satisfied: distlib in /opt/homebrew/lib/python3.10/site-packages (from ansible-sign) (0.3.6)
Requirement already satisfied: python-gnupg in /opt/homebrew/lib/python3.10/site-packages (from ansible-sign) (0.5.0)
Installing collected packages: ansible-sign
Successfully installed ansible-sign-0.1.1
```

By the end of this step, the command will be available with the following output:

```bash
$ ansible-sign
usage: ansible-sign [-h] [--version] [--debug] [--nocolor] CONTENT
```
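The signature file covers `.ansible-sign/sha256sum.txt`, and that file in turn pins the SHA-256 digest of each project file. The following Python example is added here (it is not from the original tutorial and is not ansible-sign's own code) to show the digest comparison and how changed or removed files surface. The function names `parse_checksum_file`, `verify_checksums` and `demo` are hypothetical, the sample project is constructed, and the GPG signature check and `MANIFEST.in` handling are out of scope.

```python
import hashlib
import tempfile
from pathlib import Path

def parse_checksum_file(text):
    """Parse GNU-style 'digest  path' lines into {path: digest}."""
    entries = {}
    for line in text.splitlines():
        digest, _, path = line.strip().partition(" ")
        path = path.lstrip(" *")
        if len(digest) != 64 or not path:
            raise ValueError(f"malformed checksum line: {line!r}")
        entries[path] = digest.lower()
    return entries

def verify_checksums(project_root):
    """Checksum half only: the detached GPG signature is NOT checked here."""
    root = Path(project_root).resolve()
    listed = parse_checksum_file((root / ".ansible-sign/sha256sum.txt").read_text())
    results = {}
    for rel, expected in listed.items():
        target = (root / rel).resolve()
        if root not in target.parents:  # entry points outside the project
            results[rel] = "outside-project"
        elif not target.is_file():
            results[rel] = "missing"
        else:
            actual = hashlib.sha256(target.read_bytes()).hexdigest()
            results[rel] = "ok" if actual == expected else "modified"
    return results

def demo():
    """Constructed sample project (digests computed here, not the tutorial's)."""
    files = {"inventory": b"localhost ansible_connection=local\n",
             "playbooks/ping.yml": b"---\n- name: ping module Playbook\n  hosts: all\n"}
    sums = "".join(f"{hashlib.sha256(c).hexdigest()}  {r}\n" for r, c in files.items())
    layout = {**files, ".ansible-sign/sha256sum.txt": sums.encode()}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in layout.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(content)
        clean = verify_checksums(root)
        (root / "playbooks/ping.yml").write_bytes(b"- hosts: all\n")  # changed after signing
        (root / "inventory").unlink()  # removed after signing
        changed = verify_checksums(root)
    return clean, changed

if __name__ == "__main__":
    print(demo())
```

A digest match is only meaningful once the signature over `sha256sum.txt` has been verified against a trusted public key, since anyone who can edit the project can also regenerate the checksum file.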
