Digitally signing Ansible Content Collections/Containers using Private Automation Hub
Overview
The Ansible Automation Platform on Azure provides a feature called digital content signing, the starting point of a broader chain-of-custody security capability. It establishes a framework for a chain of custody for Ansible Content Collections and Containers, with the goal of end-to-end digital content signing and distribution. This feature helps ensure that the automation executed in your enterprise is certified and compliant, even when it originates from varied content sources.
Digital Signing Service Configuration
Enabling the Signing Service on Private Automation Hub requires a GPG key. Customers can choose whether or not this key is protected with a passphrase, based on their needs. Follow your enterprise guidelines to create the GPG key.
Follow this process to configure the Signing Service on your Private Automation Hub:

1. Generate the GPG key (following your enterprise guidelines, or feel free to use this article as guidance).

2. Fetch the GPG key name:

    gpg --list-keys

3. Export both the GPG public and private keys using the GPG key name fetched in step 2:

    gpg --export-secret-key -a {{ gpg_key_name }} > prv.key
    gpg --export -a {{ gpg_key_name }} > pub.key

4. Fetch the Default GPG key (the fingerprint of the primary key) using the GPG key name fetched in step 2:

    gpg -k --with-fingerprint --with-colons {{ gpg_key_name }} | awk -F: '$1 == "fpr" {print $10;}' | head -n1

5. Open a support ticket requesting the Signing Service configuration for your deployment. Supply the following information:

    - Company Name
    - Managed Application Name
    - GPG Private Key
    - GPG Public Key
    - Default GPG key
    - GPG Passphrase (if enabled by customer)

6. The site reliability team will apply the configuration to your managed application and verify functionality.
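The fingerprint extraction in step 4 and a sanity check of the exported key files from step 3, as an added example that is not part of the original article: the colon-format output below is constructed (fake key IDs and fingerprints), and the file-check helper is an assumption about what a practitioner would verify before attaching the files to the support ticket.

```shell
#!/bin/sh
# Added example (not from the original article). SAMPLE_COLONS imitates
# `gpg -k --with-fingerprint --with-colons` output; all values are constructed.
SAMPLE_COLONS='tru::1:1700000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1700000000:::u:::scESC::::::23::0:
fpr:::::::::0000111122223333444455556666777788889999:
uid:u::::1700000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Automation Hub Signing <hub-signing@example.com>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1700000000::::::e::::::23:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF00001111222233334444:'

# Print the fingerprint of the primary key: the first "fpr" record, field 10,
# exactly as the awk/head pipeline in step 4 does. Reads colon output on stdin.
# The subkey fingerprint (second fpr record) is deliberately skipped by head -n1.
primary_fingerprint() {
    awk -F: '$1 == "fpr" {print $10;}' | head -n1
}

# A v4 OpenPGP fingerprint is 40 uppercase hex digits; returns 0 when valid.
is_valid_fingerprint() {
    printf '%s' "$1" | grep -Eq '^[0-9A-F]{40}$'
}

# Confirm an exported file is ASCII-armored (-a) and of the expected block
# type, PUBLIC or PRIVATE, so pub.key and prv.key are not mixed up.
check_armored_key() {
    file=$1
    kind=$2
    head -n1 "$file" | grep -q "^-----BEGIN PGP ${kind} KEY BLOCK-----$" &&
        tail -n1 "$file" | grep -q "^-----END PGP ${kind} KEY BLOCK-----$"
}

fpr=$(printf '%s\n' "$SAMPLE_COLONS" | primary_fingerprint)
echo "Default GPG key (primary fingerprint): $fpr"
```

Run the same helpers against real `gpg` output and your pub.key/prv.key files before submitting the ticket; a mismatch between the fingerprint and the exported key is the most common cause of a rejected configuration request.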