2

From a security perspective, I don't like the idea of relying only on Git tags, as they could be moved later. Unfortunately, I'm not aware of an official solution to enforce checks.

This is the best that I could come up with:

# requirements.yaml:
- src: git+https://github.com/geerlingguy/ansible-role-nodejs.git
  version: 405a113ccbde0c99614f6f815fb4285cb742ad25 # == release 5.0.0
  name: geerlingguy.nodejs.trusted_hash

And in the playbook, use it as:

- roles:
  - role: geerlingguy.nodejs.trusted_hash
    nodejs_version: "12.x"

It works, but feels a bit overly complicated. Is there an easier way?

Philipp Claßen

1 Answer

1

The feature is currently (Nov 2019) not directly supported in Ansible Galaxy.

There have been related discussions in the past (#14604 and #1358), but the latest state can be followed in the new issue #2108.

In the meantime, the workaround described in the question can be used, at the cost of some verbosity.

Philipp Claßen
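Since Galaxy offers no built-in enforcement, the commit-hash pinning from the question can be checked in CI. The script below is an added example, not part of the original post or of Ansible: it flags every entry in a role requirements file that is not a git source pinned to a full 40-hex commit hash. The function names, the sample entries other than the one from the question, and the use of PyYAML to load the file are assumptions.

```python
import re
import sys

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")  # assumes SHA-1 object ids, as in the question

# Constructed sample: the first entry is the one from the question; the others
# are made-up counterexamples with hypothetical names and URLs.
SAMPLE = [
    {"src": "git+https://github.com/geerlingguy/ansible-role-nodejs.git",
     "version": "405a113ccbde0c99614f6f815fb4285cb742ad25",
     "name": "geerlingguy.nodejs.trusted_hash"},
    {"src": "git+https://example.invalid/acme/a.git", "version": "5.0.0", "name": "tag_pinned"},
    {"src": "git+https://example.invalid/acme/b.git", "name": "no_version"},
    {"src": "git+https://example.invalid/acme/c.git", "version": "405a113", "name": "short_hash"},
    {"src": "acme.role_d", "version": "1.2.3"},
]

def is_git_source(entry):
    src = str(entry.get("src", ""))
    return entry.get("scm") == "git" or src.startswith("git+") or src.endswith(".git")

def audit(entries):
    """Return (role, problem) for every role not pinned to a full commit hash."""
    findings = []
    for entry in entries:
        label = entry.get("name") or entry.get("src") or "<unnamed>"
        version = entry.get("version")
        if not is_git_source(entry):
            findings.append((label, "not a git source, cannot be pinned to a commit hash"))
        elif version is None:
            findings.append((label, "no version given, follows the default branch"))
        elif not FULL_SHA.match(str(version).lower()):
            # Tags, branches and abbreviated hashes are all mutable or ambiguous.
            findings.append((label, f"version {version!r} is not a 40-hex commit hash"))
    return findings

def load_roles(path):
    import yaml  # PyYAML, assumed to be installed alongside Ansible
    with open(path) as fh:
        data = yaml.safe_load(fh) or []
    # Files that also list collections nest the roles under a "roles:" key.
    return data.get("roles", []) if isinstance(data, dict) else data

if __name__ == "__main__":
    problems = audit(load_roles(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE)
    for label, problem in problems:
        print(f"{label}: {problem}")
    sys.exit(1 if problems else 0)
```

Run with the path to the requirements file as the only argument; a non-zero exit status fails the pipeline before `ansible-galaxy install` fetches anything.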