Merge pull request #5 from dmtrhfr/verify-checksums

Verify checksums

defaults/main.yml

@@ -10,6 +10,7 @@ restic_repos: {}
 restic_backups: []
 restic_create_systemd_timer: false
 restic_skip_handlers: false
+restic_skip_checksum_verify: true
 
 restic_dir_owner: '{{ ansible_user | default(ansible_user_id) }}'
 restic_dir_group: '{{ ansible_user | default(ansible_user_id) }}'

tasks/install.yml

@@ -1,11 +1,21 @@
 ---
-- name: Download restic
+- name: Download restic withouth verified checksum file
   get_url:
     url: '{{ restic_url }}'
     dest: '{{ restic_download_path }}/restic.bz2'
     checksum: "sha256:{{ restic_url_checksums }}"
     mode: "0644"
   register: get_url_restic
+  when: restic_skip_checksum_verify
+
+- name: Download restic with verified checksum file
+  get_url:
+    url: '{{ restic_url }}'
+    dest: '{{ restic_download_path }}/restic.bz2'
+    checksum: "sha256:{{ restic_checksums }}"
+    mode: "0644"
+  register: get_url_restic
+  when: not restic_skip_checksum_verify
 
 - name: Install restic
   shell: |

tasks/main.yml

@@ -46,6 +46,11 @@
     path: '{{ restic_install_path }}/restic'
   register: restic_installed
 
+- name: Verify SHA256SUMS
+  import_tasks: 'verify.yml'
+  when: not restic_executable.stat.exists or not restic_installed.stat.exists
+    or restic_executable.stat.size == 0 and not restic_skip_checksum_verify
+
 - name: Install restic
   import_tasks: 'install.yml'
   when: not restic_executable.stat.exists or not restic_installed.stat.exists

tasks/verify.yml

@@ -0,0 +1,51 @@
+---
+- name: Install dependencies
+  ansible.builtin.package:
+    name:
+      - gpg
+      - bzip2
+    state: present
+    update_cache: true
+  become: true
+
+- name: Download checksum file and signature
+  ansible.builtin.get_url:
+    url: "{{ restic_url_checksums }}/{{ item }}"
+    dest: "{{ ansible_env.HOME }}/restic/restic_{{ item }}"
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: 0644
+  loop:
+    - SHA256SUMS
+    - SHA256SUMS.asc
+
+- name: Copy public key to host
+  ansible.builtin.copy:
+    src: public.asc
+    dest: "{{ ansible_env.HOME }}/restic/public.asc"
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: 0640
+
+- name: Import public key
+  ansible.builtin.command: gpg --import {{ ansible_env.HOME }}/restic/public.asc
+  changed_when: false
+
+- name: Verify checksum file
+  ansible.builtin.command: >
+    gpg --verify {{ ansible_env.HOME }}/restic/restic_SHA256SUMS.asc
+    {{ ansible_env.HOME }}/restic/restic_SHA256SUMS
+  register: verify
+  changed_when: false
+  failed_when: verify.rc != 0
+
+- name: Read checksum file
+  ansible.builtin.slurp:
+    src: "{{ ansible_env.HOME }}/restic/restic_SHA256SUMS"
+  register: checksums
+
+- name: Extract hashes
+  ansible.builtin.set_fact:
+    restic_checksums: >
+      {{ checksums['content'] | b64decode | regex_findall('[0-9a-f]{64}  restic_[0-9]+\.[0-9]+\.[0-9]+_linux_amd64.bz2') | regex_findall('[0-9a-f]{64}') }}
+  when: restic_system == 'linux' and restic_platform == 'amd64'

vars/defaults.yml

@@ -21,4 +21,4 @@ restic_system: '{{ ansible_system | lower }}'
 restic_url_v: 'v{{ restic_version }}/restic_{{ restic_version }}_'
 restic_file: '{{ restic_system }}_{{ restic_platform }}.bz2'
 restic_url_default: '{{ restic_url_r }}{{ restic_url_v }}{{ restic_file }}'
-restic_url_checksums: '{{ restic_url_r }}v{{ restic_version }}/SHA256SUMS'
+restic_url_checksums: '{{ restic_url_r }}v{{ restic_version }}'