Chapter 3. Collections and content signing in private automation hub

As an automation administrator for your organization, you can configure private automation hub for signing and publishing Ansible content collections from different groups within your organization.

For additional security, automation creators can configure Ansible-Galaxy CLI to verify these collections to ensure they have not been changed after they were uploaded to automation hub.

3.1. Configuring content signing on private automation hub

To successfully sign and publish Ansible Certified Content Collections, you must configure private automation hub for signing.

Prerequisites

  • Your GnuPG key pairs have been securely set up and managed by your organization.
  • Your public/private key pair has proper access for configuring content signing on private automation hub.

Procedure

  1. Create a signing script that only accepts a filename.

    Note

    This script will act as the signing service and must generate an ascii-armored detached gpg signature for that file using the key specified through the PULP_SIGNING_KEY_FINGERPRINT environment variable.

    The script then prints out a JSON structure with the following format.

    {"file": "filename", "signature": "filename.asc"}

    All the file names are relative paths inside the current working directory. The file name must remain the same for the detached signature, as shown.

    The following example shows a script that produces signatures for content:

    #!/usr/bin/env bash
    
    FILE_PATH=$1
    SIGNATURE_PATH="$1.asc"
    
    ADMIN_ID="$PULP_SIGNING_KEY_FINGERPRINT"
    PASSWORD="password"
    
    # Create a detached signature
    gpg --quiet --batch --pinentry-mode loopback --yes --passphrase \
       $PASSWORD --homedir ~/.gnupg/ --detach-sign --default-key $ADMIN_ID \
       --armor --output $SIGNATURE_PATH $FILE_PATH
    
    # Check the exit status
    STATUS=$?
    if [ $STATUS -eq 0 ]; then
       echo {\"file\": \"$FILE_PATH\", \"signature\": \"$SIGNATURE_PATH\"}
    else
       exit $STATUS
    fi

    After you deploy a private automation hub with signing enabled to your Ansible Automation Platform cluster, new UI additions display when you interact with collections.

  2. Review the AAP installer inventory file for options that begins with automationhub_*.

    [all:vars]
    .
    .
    .
    automationhub_create_default_collection_signing_service = True
    automationhub_auto_sign_collections = True
    automationhub_require_content_approval = True
    automationhub_collection_signing_service_key = /abs/path/to/galaxy_signing_service.gpg
    automationhub_collection_signing_service_script = /abs/path/to/collection_signing.sh

    The two new keys (automationhub_auto_sign_collections and automationhub_require_content_approval) indicate that the collections must be signed and require approval after they are uploaded to private automation hub.

3.2. Using content signing services in private automation hub

After you have configured content signing on your private automation hub, you can manually sign a new collection or replace an existing signature with a new one so that users who want to download a specific collection have the assurance that the collection is intended for them and has not been modified after certification.

Content signing on private automation hub provides solutions for the following scenarios:

  • Your system does not have automatic signing configured and you must use a manual signing process to sign collections.
  • The current signatures on the automatically configured collections are corrupted and must be replaced with new signatures.
  • Additional signatures are required for previously signed content.
  • You want to rotate signatures on your collections.

Procedure

  1. Log in to your private automation hub instance in the automation hub UI.
  2. In the left navigation, click CollectionsApproval. The Approval dashboard is displayed with a list of collections.
  3. Click Sign and approve for each collection you want to sign.
  4. Verify that the collections you signed and approved manually are displayed in the Collections tab.

3.3. Configuring Ansible-Galaxy CLI to verify collections

You can configure Ansible-Galaxy CLI to verify collections. This ensures that collections you download are approved by your organization and have not been changed after they were uploaded to automation hub.

If a collection has been signed by automation hub, the server provides ASCII armored, GPG-detached signatures to verify the authenticity of MANIFEST.json before using it to verify the collection’s contents. You must opt into signature verification by configuring a keyring for ansible-galaxy or providing the path with the --keyring option.

Prerequisites

  • Signed collections are available in automation hub to verify signature.
  • Certified collections can be signed by approved roles within your organization.
  • Public key for verification has been added to the local system keyring.

Procedure

  1. To import a public key into a non-default keyring for use with ansible-galaxy, run the following command.

    gpg --import --no-default-keyring --keyring ~/.ansible/pubring.kbx my-public-key.asc
    Note

    In addition to any signatures provided by the automation hub, signature sources can also be provided in the requirements file and on the command line. Signature sources should be URIs.

  2. Use the --signature option to verify the collection name provided on the CLI with an additional signature.

    ansible-galaxy collection install namespace.collection
    --signature https://examplehost.com/detached_signature.asc
    --signature file:///path/to/local/detached_signature.asc --keyring ~/.ansible/pubring.kbx

    You can use this option multiple times to provide multiple signatures.

  3. Confirm that the collections in a requirements file list any additional signature sources following the collection’s signatures key, as in the following example.

    # requirements.yml
    collections:
      - name: ns.coll
        version: 1.0.0
        signatures:
          - https://examplehost.com/detached_signature.asc
          - file:///path/to/local/detached_signature.asc
    
    ansible-galaxy collection verify -r requirements.yml --keyring ~/.ansible/pubring.kbx

    When you install a collection from automation hub, the signatures provided by the server are saved along with the installed collections to verify the collection’s authenticity.

  4. (Optional) If you need to verify the internal consistency of your collection again without querying the Ansible Galaxy server, run the same command you used previously using the --offline option.