
The gpg command has a machine readable output format, see this Stackoverflow comment and the one after it, for example (you can also add -vv for a more verbose output):

gpg --with-colons --show-keys /usr/share/keyrings/debian-archive-bullseye-stable.gpg 
pub:-:4096:1:605C66F00D6C9793:1613238862:1865526862::-:::scSC::::::23::0:
fpr:::::::::A4285295FC7B1A81600062A9605C66F00D6C9793:
uid:-::::1613238862::2C045EB517DDC06A1FC747D1E310AD33A8CB50E4::Debian Stable Release Key (11/bullseye) <debian-release@lists.debian.org>::::::::::0:

The above command can currently be used via Ansible to check keys, for example for Docker:

- name: Set a variable for the Docker GPG fingerprint 
  ansible.builtin.set_fact:
    docker_gpg_fingerprint: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88

- name: Docker GPG key present
  ansible.builtin.get_url:
    url: "https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg"
    dest: /etc/apt/keyrings/docker.asc
    mode: 0644
    owner: root
    group: root

- name: Docker GPG key check command
  ansible.builtin.command: gpg --with-colons --show-keys -v /etc/apt/keyrings/docker.asc
  check_mode: false
  changed_when: false
  register: docker_gpg

- name: Docker GPG key checked
  ansible.builtin.assert:
    that:
      - docker_gpg_fingerprint in docker_gpg.stdout

Which is fine, but it could be nicer – would this be a suitable command to consider for a jc parser?

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 13 (13 by maintainers)

Top GitHub Comments

1 reaction
chriscroome commented, Jul 6, 2022

For reference for anyone else using Ansible and JC to check GPG signatures this is the JMESPath query you need to use to get the fingerprints:

- name: Docker gpg key check command
  ansible.builtin.command: gpg --with-colons --show-keys /etc/apt/keyrings/docker.gpg
  register: docker_gpg

- name: Set a fact for the GPG fingerprints
  ansible.builtin.set_fact:
    docker_gpg_fingerprints: "{{ docker_gpg.stdout | community.general.jc('gpg') | community.general.json_query('[?type==`fpr`].user_id') | list }}"

The first fingerprint in the array is the one for the main key and any additional ones are from sub-keys.

See the tasks here for a full example.
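The colon-delimited records shown in the issue description and the `fpr`-record query in the comment above can be reproduced without jc. The following is an added example, not jc's parser or the issue author's code; it uses the bullseye key output quoted in the issue as a constructed sample and compares the primary key fingerprint exactly rather than searching raw stdout for a substring.

```python
"""Parse `gpg --with-colons --show-keys` output and verify the primary fingerprint.

Field positions follow GnuPG's doc/DETAILS: field 1 is the record type,
field 5 the key ID, and field 10 carries the user ID for uid records or the
fingerprint for fpr records (jc exposes the same field as "user_id").
"""
from typing import Dict, List

# Constructed sample: the Debian bullseye release key output quoted in the issue.
SAMPLE = """\
pub:-:4096:1:605C66F00D6C9793:1613238862:1865526862::-:::scSC::::::23::0:
fpr:::::::::A4285295FC7B1A81600062A9605C66F00D6C9793:
uid:-::::1613238862::2C045EB517DDC06A1FC747D1E310AD33A8CB50E4::Debian Stable Release Key (11/bullseye) <debian-release@lists.debian.org>::::::::::0:
"""


def parse_colons(output: str) -> List[Dict[str, str]]:
    """Split each record on ':' and keep the fields needed for a fingerprint check."""
    records = []
    for line in output.splitlines():
        fields = line.split(":")
        # Skip blank lines and anything too short to carry field 10.
        if len(fields) < 10:
            continue
        records.append({
            "type": fields[0],
            "key_id": fields[4],
            "user_id": fields[9],  # fingerprint for fpr records, UID text for uid records
        })
    return records


def fingerprints(output: str) -> List[str]:
    """All fingerprints in order: the first is the primary key, the rest are subkeys."""
    return [r["user_id"] for r in parse_colons(output) if r["type"] == "fpr"]


def primary_key_matches(output: str, expected: str) -> bool:
    """Exact match on the primary key's fpr record, tolerant of spacing and case.

    A substring test on raw stdout would also succeed if the same hex string
    appeared in a uid field or a subkey record; this check only looks at the
    first fpr record.
    """
    fprs = fingerprints(output)
    if not fprs:
        return False
    return fprs[0] == expected.replace(" ", "").upper()
```

In an Ansible task this replaces `docker_gpg_fingerprint in docker_gpg.stdout` with a comparison against the first element of the fingerprint list, the same element the JMESPath query above returns first.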

1 reaction
kellyjonbrazil commented, Jul 6, 2022

Cool - I have the SHA256SUMS but haven’t published them since I didn’t know a secure way. That makes sense - if I sign the file, then I can just add the SHA256SUMS file to the releases. I haven’t really used GPG before. I’ll look into it. Thanks again!
