Project signing with GPG and ansible-sign — Video Tutorial

How to sign an Ansible project? From a non-signed to a GPG-signed Ansible project. I'm going to show you a live Playbook with some simple Ansible code. I'm Luca Berton, and welcome to today's episode of Ansible Pilot. ansible-sign - available since 2022 - GPG signature - command line The `ansible-sign` command has been available since 2022 for installation in the most modern operating system. It is a command line tool so simplify the Project signing process using your terminal. Using the `ansible-sign` command, you sign a project using a GPG signature. Playbook - GPG sign a project I'm going to show you how to sign an Ansible project using the `ansible-sign` command line utility. At the beginning of this example, we start with a project with all our Ansible files without any GPG signature files. By the end of this Playbook, you are obtaining a GPG-signed project directory. Project directory files: - playbooks/ping.yml ```yaml --- - name: ping module Playbook hosts: all tasks: - name: test connection ansible.builtin.ping: ``` - inventory ```ini localhost ansible_connection=local ``` - MANIFEST.in ```ini recursive-exclude .git * include inventory recursive-include playbooks *.yml ``` 1. install ansible-sign Verify if the `ansible-sign` command is available in your terminal. When you obtain a command not found error, you should install it. ```bash $ ansible-sign command not found: ansible-sign ``` When the package is not available on our favorite package manager (apt, DNF, yum, zypper, brew, conda), we can rely on the PIP Python package manager: `$ pip3 install ansible-sign` Expected output: ```bash $ pip3 install ansible-sign Collecting ansible-sign Downloading ansible_sign-0.1.1-py3-none-any.whl (15 kB) Requirement already satisfied: distlib in /opt/homebrew/lib/python3.10/site-packages (from ansible-sign) (0.3.6) Requirement already satisfied: python-gnupg in /opt/homebrew/lib/python3.10/site-packages (from ansible-sign) (0.5.0) Installing collected packages: ansible-sign Successfully installed ansible-sign-0.1.1 ``` By the end of this step, the command will be available with the following output: ```bash $ ansible-sign usage: ansible-sign [-h] [--version] [--debug] [--nocolor] CONTENT_TYPE ... ansible-sign: error: the following arguments are required: CONTENT_TYPE ``` 2. create a MANIFEST.in file When the MANIFEST.in file is not present, we obtain the following message on the screen: ```bash $ ansible-sign project gpg-sign . [ERROR] Could not find a MANIFEST.in file in the specified project. [NOTE ] If you are attempting to sign a project, please create this file. [NOTE ] See the ansible-sign documentation for more information. ``` When some parts of the MANIFEST.in file is not correct; we obtain the following error on the screen: ```bash [ERROR] An error was encountered while parsing MANIFEST.in: 'recursive-include' expects ... [NOTE ] You can use the --debug global flag t