
How to verify hashes of Ansible Galaxy dependencies?

Submitted by: @import:stackexchange-devops

Problem

From a security perspective, I don't like the idea of relying only on Git tags, as they could be moved later. Unfortunately, I'm not aware of an official solution to enforce checks.

This is the best that I could come up with:

# requirements.yaml:
- src: git+https://github.com/geerlingguy/ansible-role-nodejs.git
  version: 405a113ccbde0c99614f6f815fb4285cb742ad25 # == release 5.0.0
  name: geerlingguy.nodejs.trusted_hash


And in the playbook, use it as:

- hosts: all
  roles:
    - role: geerlingguy.nodejs.trusted_hash
      nodejs_version: "12.x"


It works, but feels a bit overly complicated. Is there an easier way?

Solution

The feature is currently (Nov 2019) not directly supported in Ansible Galaxy.

There have been related discussions in the past (#14604 and #1358), but the latest state can be followed in the new issue #2108.

In the meantime, the workaround described in the question can be used, at the cost of some verbosity.
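One way to keep the workaround from the question honest is to enforce it mechanically: fail the build if any git-sourced role is pinned to a tag or branch instead of a full commit SHA, and optionally confirm that what ansible-galaxy installed records that same SHA. The script below is an added example, not code from the question, the answer or Ansible itself. It assumes the requirements file uses only the flat list-of-mappings form shown in the question (so a tiny parser replaces PyYAML), and it assumes ansible-galaxy writes the requested version into each role's meta/.galaxy_install_info as a version: line; the sample requirements are constructed for the example.

```python
"""Added example: enforce commit-SHA pinning for git-sourced Ansible roles.

Assumptions (not stated on the page): the requirements file is the simple
'- key: value' list form shown in the question, and ansible-galaxy records
the installed version in <roles_path>/<name>/meta/.galaxy_install_info as
a 'version: <value>' line.
"""
import os
import re
import sys

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample: the questioner's SHA-pinned entry, plus a tag-pinned
# entry and an unpinned entry that the policy should reject.
SAMPLE_REQUIREMENTS = """\
# requirements.yaml
- src: git+https://github.com/geerlingguy/ansible-role-nodejs.git
  version: 405a113ccbde0c99614f6f815fb4285cb742ad25 # == release 5.0.0
  name: geerlingguy.nodejs.trusted_hash
- src: git+https://github.com/example/ansible-role-demo.git
  version: 1.4.0
  name: demo.tagged
- src: git+https://github.com/example/ansible-role-other.git
  name: demo.unpinned
"""


def parse_requirements(text):
    """Parse the flat '- key: value' list form into a list of dicts.

    '#' starts a comment (so URLs containing '#' are not supported here);
    nested structures are rejected, which is fine for role pins.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        item = line.lstrip()
        if item.startswith("- "):
            entries.append({})
            item = item[2:]
        if ":" not in item or not entries:
            raise ValueError("unsupported line: %r" % raw)
        key, value = item.split(":", 1)
        entries[-1][key.strip()] = value.strip()
    return entries


def check_pins(entries):
    """Return (name, problem) for every git-sourced entry not pinned to a SHA.

    Tags and branches can be moved later; a full 40-hex commit SHA cannot.
    """
    problems = []
    for entry in entries:
        src = entry.get("src", "")
        if not src.startswith("git+"):
            continue  # roles from a Galaxy server are out of scope here
        name = entry.get("name") or src
        version = entry.get("version")
        if version is None:
            problems.append((name, "no version: tracks the default branch"))
        elif not SHA1_RE.match(version):
            problems.append((name, "version %r is a tag or branch, not a commit SHA" % version))
    return problems


def check_installed(entries, roles_path):
    """Compare each SHA-pinned role with what ansible-galaxy installed.

    Returns (name, detail) for roles that are missing or whose recorded
    version differs from the pin; an empty list means everything matches.
    """
    mismatches = []
    for entry in entries:
        name, version = entry.get("name"), entry.get("version", "")
        if not name or not SHA1_RE.match(version):
            continue
        info = os.path.join(roles_path, name, "meta", ".galaxy_install_info")
        if not os.path.isfile(info):
            mismatches.append((name, "not installed"))
            continue
        installed = None
        with open(info) as fh:
            for line in fh:
                if line.startswith("version:"):
                    installed = line.split(":", 1)[1].strip().strip("'\"")
        if installed != version:
            mismatches.append((name, "installed %r != pinned %r" % (installed, version)))
    return mismatches


if __name__ == "__main__":
    # Usage: python check_pins.py [requirements.yaml] [roles_path]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REQUIREMENTS
    entries = parse_requirements(text)
    findings = check_pins(entries)
    if len(sys.argv) > 2:
        findings += check_installed(entries, sys.argv[2])
    for name, problem in findings:
        print("%s: %s" % (name, problem))
    sys.exit(1 if findings else 0)
```

Run it before ansible-galaxy install as a CI gate (it exits non-zero on any tag- or branch-pinned git role), and again afterwards with the roles path to confirm the recorded versions match the pins. Note that this checks the pin policy, not the content: the commit SHA itself is what ties the role to a specific tree, and the "# == release 5.0.0" comment remains a human note that should be re-verified against the upstream tag whenever the pin is bumped.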

Context

StackExchange DevOps Q#9836, answer score: 1
