community.crypto.openssl_signature module – Sign data with openssl

Note

This module is part of the community.crypto collection (version 2.26.5).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.crypto. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: community.crypto.openssl_signature.

New in community.crypto 1.1.0

Synopsis

• This module allows one to sign data using a private key.

• The module uses the cryptography Python library.

Requirements

The below requirements are needed on the host that executes this module.

• cryptography >= 1.4 (some key types require newer versions)

Parameters

Parameter	Comments
path path / required	The file to sign. This file will only be read and not modified.
privatekey_content string	The content of the private key to use when signing the certificate signing request. Either privatekey_path or privatekey_content must be specified, but not both.
privatekey_passphrase string	The passphrase for the private key. This is required if the private key is password protected.
privatekey_path path	The path to the private key to use when signing. Either privatekey_path or privatekey_content must be specified, but not both.
select_crypto_backend string	Determines which crypto backend to use. The default choice is auto, which tries to use cryptography if available. If set to cryptography, will try to use the cryptography library. Choices: "auto" ← (default) "cryptography"

Attributes

Attribute	Support	Description
check_mode	Support: full This action does not modify state.	Can run in check_mode and return changed status prediction without modifying target.
diff_mode	Support: none	Will return details on what has changed (or possibly needs changing in check_mode), when in diff mode.
idempotent	Support: partial Signature algorithms are generally not deterministic. Thus the generated signature can change from one invocation to the next.	When run twice in a row outside check mode, with the same arguments, the second invocation indicates no change. This assumes that the system controlled/queried by the module has not changed in a relevant way.

Notes

Note

• When using the cryptography backend, the following key types require at least the following cryptography version: RSA keys: cryptography >= 1.4 DSA and ECDSA keys: cryptography >= 1.5 ed448 and ed25519 keys: cryptography >= 2.6.

See Also

See also

community.crypto.openssl_signature_info

Verify signatures with openssl.

community.crypto.openssl_privatekey

Generate OpenSSL private keys.

Examples

---
- name: Sign example file
  community.crypto.openssl_signature:
    privatekey_path: private.key
    path: /tmp/example_file
  register: sig

- name: Verify signature of example file
  community.crypto.openssl_signature_info:
    certificate_path: cert.pem
    path: /tmp/example_file
    signature: "{{ sig.signature }}"
  register: verify

- name: Make sure the signature is valid
  ansible.builtin.assert:
    that:
      - verify.valid

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key	Description
signature string	Base64 encoded signature. Returned: success

Authors

• Patrick Pichler (@aveexy)

• Markus Teufelberger (@MarkusTeufelberger)

Collection links

• Issue Tracker
• Repository (Sources)
• Ask for help (crypto)
• Ask for help (ACME)
• Submit a bug report
• Request a feature
• Communication