Includes a custom gpg state, module and renderer. The custom state and module provide the ability to import or verify gpg keys, while the custom renderer will refuse to render a .sls state file that carries the #!verify shebang but fails verification for any reason, such as a missing key or a missing detached signature.
Import a key from text or file
- user
Which user's keychain to access; defaults to the user Salt is running as. Passing the user as salt will set the GPG home directory to /etc/salt/gpgkeys.
- contents
The text containing the key to import.
- contents-pillar
The pillar id containing the key to import.
- source
The filename containing the key to import.
CLI Example:
qubesctl gnupg.import_key contents='-----BEGIN PGP PUBLIC KEY BLOCK-----
... -----END PGP PUBLIC KEY BLOCK-----'
qubesctl gnupg.import_key source='/path/to/public-key-file'
qubesctl gnupg.import_key contents-pillar='gnupg:gpgkeys'
Verify a message or file
- source
The detached signature file (filename.asc) to verify.
- key-content
The text to verify.
- data-source
The filename of the data to verify.
- user
Which user's keychain to access; defaults to the user Salt is running as. Passing the user as salt will set the GPG home directory to /etc/salt/gpgkeys.
CLI Example:
qubesctl gnupg.verify source='/path/to/important.file.asc'
qubesctl gnupg.verify <source|key-content> [data-source] [user=]
custom gpg renderer
Renderer that verifies state and pillar files
This renderer requires the python-gnupg package. Be careful to install the python-gnupg package, not the gnupg package, or you will get errors.
To set things up, you will first need to generate or import a public key. On your master, run:
$ gpg --import --homedir /etc/salt/gpgkeys pubkey.gpg
sls shebang: #!verify|jinja|yaml
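The renderer behaviour described above (refuse to render a #!verify state file whose detached signature is missing or does not verify against the keyring), as an added example written for this page and not the project's own code. It assumes the renderer is handed the state file's path (`sls_path`) so it can find `<file>.asc`; the default verifier uses python-gnupg's `verify_file`, and `demo()` substitutes a constructed fake verifier so the four outcomes can be run offline.

```python
import tempfile
from pathlib import Path
class VerifyError(Exception):
    """Raised when a #!verify state file cannot be verified; rendering must fail."""

def gnupg_verify(sig_path, data_path, gnupghome):
    """Default verifier via python-gnupg (the package the page requires), imported lazily."""
    import gnupg  # python-gnupg, not the unrelated 'gnupg' package
    gpg = gnupg.GPG(gnupghome=gnupghome)
    with open(sig_path, "rb") as sig:
        res = gpg.verify_file(sig, data_filename=str(data_path))
    return {"valid": bool(res.valid), "status": res.status}

def render(data, sls_path, gnupghome="/etc/salt/gpgkeys", verifier=gnupg_verify):
    """Return data unchanged only if <sls_path>.asc is a good detached signature over it.
    sls_path is an assumption here (Salt resolves it from file_roots); default gnupghome is the page's salt keyring."""
    shebang = data.split("\n", 1)[0]
    renderers = [r.strip() for r in shebang[2:].split("|")] if shebang.startswith("#!") else []
    if "verify" not in renderers:
        return data                      # not a #!verify file: nothing to check
    sig_path = Path(f"{sls_path}.asc")
    if not sig_path.exists():            # missing detached signature -> render fails
        raise VerifyError("missing detached signature", str(sig_path))
    result = verifier(sig_path, sls_path, gnupghome)
    if not result["valid"]:              # bad signature or key absent from keyring -> fails
        raise VerifyError(result["status"], str(sls_path))
    return data

def demo():
    """Constructed run of four outcomes with a fake verifier standing in for gnupg."""
    def fake_verify(sig_path, data_path, gnupghome):
        # Valid only if the signature was 'made' for this exact file by the trusted key
        ok = Path(sig_path).read_text() == "SIG:" + Path(data_path).name
        return {"valid": ok, "status": "signature valid" if ok else "no public key"}
    body = "#!verify|jinja|yaml\nvim:\n  pkg.installed\n"
    cases = {"good": (body, "SIG:good.sls"), "badkey": (body, "SIG:other.sls"),
             "nosig": (body, None), "plain": ("vim:\n  pkg.installed\n", None)}
    outcomes = {}
    with tempfile.TemporaryDirectory() as d:
        for name, (content, sig) in cases.items():
            path = Path(d) / f"{name}.sls"
            path.write_text(content)
            if sig is not None:
                Path(f"{path}.asc").write_text(sig)
            try:
                render(content, path, verifier=fake_verify)
                outcomes[name] = "rendered"
            except VerifyError as e:
                outcomes[name] = e.args[0]
    return outcomes
```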