GPG module and key lookup #238
Description
From @ageis on May 09, 2019 11:17
SUMMARY
Ansible could use a GPG module, for managing keyrings, importing and exporting keys, verifying and making signatures, and decrypting and encrypting data (both symmetric and non). Working with GPG keys, outside of the context of apt, is an extremely common sysadmin task which we can make easier to automate. I think the addition of this module could be complemented by a "gpgkey" lookup which returns matching keys. I am on the fence about whether encryption, decryption, and sign+verify functions should be split into their own submodules.
I've seen no prior tickets or discussion of this, so I've taken on the task of developing it myself, and have already implemented a significant amount of the prospective functionality, and am creating this issue in order to track my progress. Please assign it to me. Hopefully this will be ready in time for 2.9.
This is a project which could prove thorny/hairy to maintain going forward. For elucidation on why that is, I'd love to quote @isislovecruft:
"...largely due to GnuPG’s interface design which uses file descriptors, and only file descriptors, to speak a custom, potentially binary but often ascii, order dependent line protocol, whose line order, keywords, number of fields, and other details are subject to change between minor point versions of GnuPG. If that sounds like a special hell invented by some sort of unholy crossing between RMS and a rabid howler monkey: welcome to working with (or rather, more likely, around) the Terrible Idea Generator known as the GnuPG development team."
For now I've decided to rely on her version of python-gnupg which is now called pretty-bad-protocol (PyPI, GitHub); in my experience and the opinion of people I trust it's simply better, but that is a decision which the project/community will have to review when it's PR-time.
I found two modules out there, but IMO neither of them is presently suitable for inclusion in core for various reasons. I want to note the prior effort by @tnt and @brandonkal anyway:
ISSUE TYPE
- Feature Idea
COMPONENT NAME
- module: gpg
- lookup: gpgkey
ADDITIONAL INFORMATION
My work-in-progress is located here: https://git.cointel.pro/FOSS/ansible-module-gpg
Copied from original issue: ansible/ansible#56262
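As an added illustration of the `--status-fd` line protocol the quoted passage complains about (example code written for this page, not part of @ageis's work-in-progress module or of python-gnupg/pretty-bad-protocol): a small parser that turns GnuPG status lines into a verification decision, requiring both GOODSIG and VALIDSIG, rejecting on failure keywords, and pinning the signer to an allow-list of fingerprints. The sample status lines, key id and fingerprint are constructed.

```python
from dataclasses import dataclass, field

STATUS_PREFIX = "[GNUPG:] "
# Keywords that mean the signature or the signing key must not be accepted.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

@dataclass
class VerifyResult:
    valid: bool = False
    key_id: str = ""       # long key id reported by GOODSIG
    fingerprint: str = ""  # full fingerprint reported by VALIDSIG
    trust: str = ""        # UNDEFINED / NEVER / MARGINAL / FULLY / ULTIMATE
    errors: list = field(default_factory=list)

def parse_status(text: str) -> VerifyResult:
    """Walk the status lines in order; gpg's human-readable chatter (no prefix) is skipped."""
    result, good = VerifyResult(), False
    for line in text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        keyword, *args = line[len(STATUS_PREFIX):].split() or [""]
        if keyword == "GOODSIG" and args:
            good, result.key_id = True, args[0]
        elif keyword == "VALIDSIG" and args:
            # VALIDSIG is also emitted for expired or revoked keys, so it is not a
            # verdict by itself; GOODSIG is the line that says the signature is good.
            result.fingerprint = args[0]
        elif keyword in FAILURE_KEYWORDS:
            result.errors.append(keyword)
        elif keyword.startswith("TRUST_"):
            result.trust = keyword[len("TRUST_"):]
    result.valid = good and bool(result.fingerprint) and not result.errors
    return result

def verify_against_allowlist(text: str, allowed_fingerprints: set) -> bool:
    """Pin the signer to known fingerprints rather than accepting any key in the keyring."""
    r = parse_status(text)
    return r.valid and r.fingerprint in allowed_fingerprints

# Constructed sample output in the shape of `gpg --status-fd 2 --verify`; not real keys.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_GOOD = f"""gpg: Signature made Thu 09 May 2019 11:17:00 UTC
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG {FPR} 2019-05-09 1557400620 0 4 0 1 10 00 {FPR}
[GNUPG:] TRUST_FULLY 0 pgp
"""
SAMPLE_EXPIRED = f"""[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG {FPR} 2019-05-09 1557400620 0 4 0 1 10 00 {FPR}
"""
```

The expired-key sample shows why a module must not key off VALIDSIG alone: the fingerprint is still reported, but GOODSIG is replaced by EXPKEYSIG and the result is rejected.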