freedomofpress / ansible-role-grsecurity

The documentation and build system for the grsecurity kernel maintained by the Freedom of the Press Foundation for SecureDrop
GNU General Public License v2.0

changed_when expression for --recv-key imports misses new subkeys, revocations, signatures, etc. #61

Open psivesely opened 8 years ago

psivesely commented 8 years ago

When using changed_when: in combination with command: gpg --recv-key ... you are only considering a change to have happened when the key is imported for the first time. This ignores the creation and revocation of subkeys or the key itself, new signatures, etc. A more comprehensive changed_when will probably require a bit of tinkering to figure out, but will make for a more polished playbook. Nice too would be to print this info out during execution, perhaps using the debug module.
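One way to get the finer-grained change detection asked for above, as an added example that is not code from the issue or from the ansible-role-grsecurity role: run gpg with `--status-fd 1` so it prints a machine-readable `IMPORT_OK <reason> <fingerprint>` line per key (the reason bitmask is documented in gpg's doc/DETAILS), then decide "changed" from that bitmask rather than from "public key imported". The fingerprint and status lines below are constructed sample output, and the `IMPORT_REASONS` table and function names are this example's own.

```python
import re
from typing import Dict, List

# Bits of the IMPORT_OK reason field, per gpg's doc/DETAILS. A reason of 0
# means the key was already present and nothing was merged into it.
IMPORT_REASONS = {
    1: "new key",
    2: "new user IDs",
    4: "new signatures",   # gpg also counts merged revocation certificates here
    8: "new subkeys",
    16: "contains private key",
}
_IMPORT_OK = re.compile(r"^\[GNUPG:\] IMPORT_OK (\d+) ([0-9A-Fa-f]+)$")


def parse_import_status(status_output: str) -> Dict[str, List[str]]:
    """Map each imported fingerprint to the kinds of change gpg reported.

    An empty list means gpg saw the key but found nothing new to merge.
    """
    result: Dict[str, List[str]] = {}
    for line in status_output.splitlines():
        m = _IMPORT_OK.match(line.strip())
        if not m:
            continue  # ordinary log lines and other status lines are ignored
        reason, fpr = int(m.group(1)), m.group(2).upper()
        result[fpr] = [desc for bit, desc in IMPORT_REASONS.items() if reason & bit]
    return result


def key_changed(status_output: str) -> bool:
    """What changed_when should test: did any key gain new material?"""
    return any(parse_import_status(status_output).values())


# Constructed sample output (placeholder fingerprint, not a real key).
CONSTRUCTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_UNCHANGED = (
    "[GNUPG:] IMPORT_OK 0 " + CONSTRUCTED_FPR + "\n"
    "[GNUPG:] IMPORT_RES 1 0 0 0 1 0 0 0 0 0 0 0 0 0 0\n"
)
# 12 == 4 | 8: a new signature (e.g. a revocation) plus a new subkey merged
# into a key that was already in the keyring.
SAMPLE_NEW_SUBKEY = (
    "[GNUPG:] IMPORT_OK 12 " + CONSTRUCTED_FPR + "\n"
    "[GNUPG:] IMPORT_RES 1 0 0 0 1 0 1 1 0 0 0 0 0 0 0\n"
)

if __name__ == "__main__":
    for fpr, changes in parse_import_status(SAMPLE_NEW_SUBKEY).items():
        print(fpr, "changed:" if changes else "not changed", ", ".join(changes))
```

The same test can be written inline in the playbook once the task registers its output, e.g. `changed_when: gpg_import.stdout is search('IMPORT_OK [1-9]')`, and the parsed change list is what a following debug task would print.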

conorsch commented 8 years ago

The ideal solution would handle GPG key management in a generalized sense. Unfortunately Ansible doesn't offer a module for gpg keys (as of v2.0.2). The best community module I've found is this one, but I haven't tested whether it addresses the concerns you raise here.