Coverage for src/ansible_sign/signing/gpg/verifier.py: 85%

33 statements  


1""" 

2This module handles GPG signature verification for Ansible content. It makes use 

3of python-gnupg (which ultimately shells out to GPG). 

4""" 

5 

6import gnupg 

7import os 

8 

9from ansible_sign.signing.base import ( 

10 SignatureVerifier, 

11 SignatureVerificationResult, 

12) 

13 

14__author__ = "Rick Elrod" 

15__copyright__ = "(c) 2022 Red Hat, Inc." 

16__license__ = "MIT" 

17 

18 

class GPGVerifier(SignatureVerifier):
    """Check a detached GPG signature against a manifest file via python-gnupg.

    A successful result means gpg accepted the signature using a key it found
    in the configured GnuPG home / keyring. Nothing here compares the signer
    against an expected fingerprint, so the outcome is only as trustworthy as
    the keys in that keyring. The signer's fingerprint is passed along in the
    result's extra information for callers that want to pin a specific key.
    """

    def __init__(
        self, manifest_path, detached_signature_path, gpg_home=None, keyring=None
    ):
        """Store the paths and GnuPG locations used by :meth:`verify`.

        Args:
            manifest_path: Path of the signed manifest. Must not be None.
            detached_signature_path: Path of the detached signature file.
                Must not be None.
            gpg_home: Passed to python-gnupg as ``gnupghome``.
            keyring: Passed to python-gnupg as ``keyring``.

        Raises:
            RuntimeError: If either path argument is None.
        """
        super().__init__()

        # Only None is rejected; whether the paths exist is not checked here.
        if manifest_path is None:
            raise RuntimeError("manifest_path must not be None")
        self.manifest_path = manifest_path

        if detached_signature_path is None:
            raise RuntimeError("detached_signature_path must not be None")
        self.detached_signature_path = detached_signature_path

        # NOTE(review): with both left as None, python-gnupg presumably falls
        # back to gpg's defaults (the invoking user's own keyring) - confirm
        # that this is the intended trust store for the deployment.
        self.keyring = keyring
        self.gpg_home = gpg_home

    def verify(self) -> SignatureVerificationResult:
        """Verify the detached signature over the manifest.

        Returns:
            A SignatureVerificationResult. ``success`` is False when the
            signature file is missing or gpg does not accept the signature.
            On success the extra information carries gpg's stderr plus the
            fingerprint, creation date, status and timestamp it reported.

        The existence check below is advisory: if the signature path vanishes
        afterwards, or is not a readable file, ``open()`` raises and the
        exception propagates instead of becoming a failure result.
        """
        sig_path = self.detached_signature_path
        if not os.path.exists(sig_path):
            return SignatureVerificationResult(
                success=False,
                summary="The specified detached signature path does not exist.",
            )

        engine = gnupg.GPG(gnupghome=self.gpg_home, keyring=self.keyring)

        # The manifest path is handed to gpg as-is; its existence is not
        # checked in this method.
        with open(sig_path, "rb") as sig_stream:
            outcome = engine.verify_file(sig_stream, self.manifest_path)

        # Truthiness of the python-gnupg result object decides the verdict.
        if outcome:
            return SignatureVerificationResult(
                success=True,
                summary="GPG signature verification succeeded.",
                extra_information={
                    "stderr": outcome.stderr,
                    "fingerprint": outcome.fingerprint,
                    "creation_date": outcome.creation_date,
                    "status": outcome.status,
                    "timestamp": outcome.timestamp,
                },
            )

        # stderr is raw gpg output: useful for diagnosis, not as evidence.
        return SignatureVerificationResult(
            success=False,
            summary="GPG signature verification failed.",
            extra_information={"stderr": outcome.stderr},
        )