Coverage for src/ansible_sign/signing/gpg/verifier.py: 85%
33 statements
1"""
2This module handles GPG signature verification for Ansible content. It makes use
3of python-gnupg (which ultimately shells out to GPG).
4"""
6import gnupg
7import os
9from ansible_sign.signing.base import (
10 SignatureVerifier,
11 SignatureVerificationResult,
12)
14__author__ = "Rick Elrod"
15__copyright__ = "(c) 2022 Red Hat, Inc."
16__license__ = "MIT"
class GPGVerifier(SignatureVerifier):
    """Verify a detached GPG signature over a manifest file via python-gnupg.

    The verdict comes from the truthiness of the object returned by
    ``gnupg.GPG.verify_file``.

    NOTE(review): nothing in this class compares the signing key's
    fingerprint with an expected signer, so which signatures are accepted
    depends on the keys reachable through ``gpg_home`` / ``keyring``.
    Callers that require a specific signer should check the fingerprint
    reported in the result's extra information.
    """

    def __init__(self, manifest_path, detached_signature_path, gpg_home=None, keyring=None):
        """Record the paths and the GPG settings used by ``verify``.

        Args:
            manifest_path: Path of the signed manifest; must not be None.
            detached_signature_path: Path of the detached signature; must
                not be None.
            gpg_home: Passed unchanged to ``gnupg.GPG`` as ``gnupghome``.
            keyring: Passed unchanged to ``gnupg.GPG`` as ``keyring``.

        Raises:
            RuntimeError: If either path argument is None.
        """
        super().__init__()

        # Only None is rejected here; whether the paths exist is not checked
        # until verify() runs.
        if manifest_path is None:
            raise RuntimeError("manifest_path must not be None")
        self.manifest_path = manifest_path

        if detached_signature_path is None:
            raise RuntimeError("detached_signature_path must not be None")
        self.detached_signature_path = detached_signature_path

        self.gpg_home = gpg_home
        self.keyring = keyring

    def verify(self) -> SignatureVerificationResult:
        """Check the detached signature against the manifest.

        Returns:
            A SignatureVerificationResult. A failed result is returned when
            the signature file is missing or when GPG does not validate the
            signature. GPG's stderr is attached in every case where GPG ran;
            a successful result also carries the fingerprint, creation date,
            status and timestamp reported by python-gnupg.
        """
        signature_path = self.detached_signature_path

        # NOTE(review): this covers only a missing path. Other open()
        # failures (for example a directory at this path) still propagate as
        # exceptions rather than a failed result. The manifest path is not
        # checked here at all; that is left to GPG.
        signature_present = os.path.exists(signature_path)
        if not signature_present:
            return SignatureVerificationResult(
                success=False,
                summary="The specified detached signature path does not exist.",
            )

        gpg = gnupg.GPG(gnupghome=self.gpg_home, keyring=self.keyring)

        with open(signature_path, "rb") as signature_file:
            outcome = gpg.verify_file(signature_file, self.manifest_path)

        if outcome:
            # Expose what GPG reported about the signature so callers can
            # apply their own policy (e.g. compare the fingerprint).
            return SignatureVerificationResult(
                success=True,
                summary="GPG signature verification succeeded.",
                extra_information={
                    "stderr": outcome.stderr,
                    "fingerprint": outcome.fingerprint,
                    "creation_date": outcome.creation_date,
                    "status": outcome.status,
                    "timestamp": outcome.timestamp,
                },
            )

        # Failure: only GPG's stderr is attached, for diagnosis.
        return SignatureVerificationResult(
            success=False,
            summary="GPG signature verification failed.",
            extra_information={"stderr": outcome.stderr},
        )