Source code for ansible_sign.signing.gpg.verifier

"""
This module handles GPG signature verification for Ansible content. It makes use
of python-gnupg (which ultimately shells out to GPG).
"""

import gnupg
import os

from ansible_sign.signing.base import (
    SignatureVerifier,
    SignatureVerificationResult,
)

__author__ = "Rick Elrod"
__copyright__ = "(c) 2022 Red Hat, Inc."
__license__ = "MIT"


[docs] class GPGVerifier(SignatureVerifier): def __init__( self, manifest_path, detached_signature_path, gpg_home=None, keyring=None ): super(GPGVerifier, self).__init__() if manifest_path is None: raise RuntimeError("manifest_path must not be None") self.manifest_path = manifest_path if detached_signature_path is None: raise RuntimeError("detached_signature_path must not be None") self.detached_signature_path = detached_signature_path self.gpg_home = gpg_home self.keyring = keyring
[docs] def verify(self) -> SignatureVerificationResult: if not os.path.exists(self.detached_signature_path): return SignatureVerificationResult( success=False, summary="The specified detached signature path does not exist.", ) extra = {} gpg = gnupg.GPG(gnupghome=self.gpg_home, keyring=self.keyring) with open(self.detached_signature_path, "rb") as sig: verified = gpg.verify_file(sig, self.manifest_path) if not verified: extra["stderr"] = verified.stderr return SignatureVerificationResult( success=False, summary="GPG signature verification failed.", extra_information=extra, ) extra["stderr"] = verified.stderr extra["fingerprint"] = verified.fingerprint extra["creation_date"] = verified.creation_date extra["status"] = verified.status extra["timestamp"] = verified.timestamp return SignatureVerificationResult( success=True, summary="GPG signature verification succeeded.", extra_information=extra, )