6

I have an Ansible role that downloads a script file; how can I check the authenticity of the file using md5sum before executing it?

- name: Add xx official repository for ubuntu/debian
  get_url:
    url: https://script.deb.sh
    dest: /opt/script.db.sh

- name: Execute the script
  script: /opt/script.db.sh
  • I want to check the authenticity before downloading the file - can this be achieved in Ansible?
user6826691

3 Answers

13

If you're not using the get_url option, after the file is in the location, call the stat module using the get_checksum option as documented here.

- name: Get sha256 sum of script
  stat:
    path: /opt/script.db.sh
    checksum_algorithm: sha256
    get_checksum: yes
  register: shell_stat

- name: Verify sha256sum of script before execution.
  fail:
    msg: "Failure, file is not correct."
  when: shell_stat.stat.checksum != '19d6105fa1a581cf3ad38f67080b6d55cb152b5441ae8bdf194e593f292f31e9'

- name: Execute the script
  script: /opt/script.db.sh

Update the sum on the when: line to match the file you expect.

Generating the checksum (sha256 in this example) varies by operating system. On most Linux distributions use the sha256sum command; on OSX, use shasum -a 256.

Marinos An
dan_linder
  • is there any way to check the file authenticity before downloading? – user6826691 Jul 25 '17 at 14:10
  • 1
    @Swat: *You* will need to confirm that the file you're pushing out to your systems is the one you want. Once you know that the file is ok, then generate the checksum of it to ensure you only install that file. Remember, if the file is not in your control and someone else changes the file you're downloading in any way the checksum will change and your playbook will report the failure. This is a *good thing* - it forces you and your team to re-verify the file and approve the file by updating the checksum in the playbook. – dan_linder Jul 28 '17 at 12:38
2

get_url has a checksum parameter that you could use.

- name: Add xx official repository for ubuntu/debian
  get_url:
    url:  https://script.deb.sh
    dest: /opt/script.db.sh
    checksum: md5:1234

http://docs.ansible.com/ansible/latest/get_url_module.html

kfreezy
  • I tried this but getting an error - command: cksum /opt/script.db.sh register: md5_value - name: checking the md5checksome get_url: url: https://script.deb.sh dest: /opt/script.db.sh checksum: md5:{{ md5_value }} force: true fatal: [localhost]: FAILED! => {"changed": false, "failed": true, "msg": "The checksum parameter has to be in format :"} – user6826691 Jul 24 '17 at 19:26
  • 1
    AFAIK you can't use the CRC checksum in the `get_url` module. `md5sum` will work however. You will also need to specify the algorithm in the `checksum` parameter (i.e. - `checksum: "md5:{{ md5_value }}"`) – kfreezy Jul 24 '17 at 19:40
2

You can use the "checksum" parameter of the "get_url" module. I show you an example of a playbook that executes a "role" to download OpenJDK8 only if the md5sum is correct.

File: playbook.yml

---
- name: "Download binaries"
  hosts: localhost
  roles:
  - openjdk

File: openjdk/tasks/main.yml

- name: "Download OpenJDK {{ openjdk_version }} binaries"
  get_url:
    url: https://download.java.net/openjdk/jdk8u40/ri/{{ openjdk_file }}
    dest: "{{ download_destination }}"
    checksum: "{{ openjdk_md5 }}"
    mode: 0750
  tags:
    - always

File: openjdk/vars/main.yml

---
download_destination: /var/tmp
openjdk_version: "8u40-b25"
openjdk_file: "openjdk-{{ openjdk_version }}-linux-x64-10_feb_2015.tar.gz"
openjdk_md5: "md5: 4980716637f353cfb27467d57f2faf9b"

The available cryptographic algorithms in Ansible 2.7 are: sha1, sha224, sha384, sha256, sha512, md5.

It works for me, I hope for you too.

JavDomGom
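Added example, written for this page and not taken from Ansible or from any of the answers: a small Python checker that applies the same `<algorithm>:<hex>` convention the `get_url` checksum parameter expects, so you can see why the `cksum` output from the comments is rejected, why `md5: 4980...` with a stray space still works, and why a placeholder like `md5:1234` can never match. It goes slightly beyond `get_url` by also checking the digest length, and compares digests in constant time.

```python
"""Checksum gate modelled on get_url's '<algorithm>:<checksum>' parameter (added example)."""
import hashlib
import hmac
import re

# Algorithms the third answer lists for Ansible 2.7.
SUPPORTED = ("sha1", "sha224", "sha256", "sha384", "sha512", "md5")


def parse_checksum_spec(spec):
    """Split 'algorithm:hexdigest'; raise ValueError for anything get_url would not accept."""
    try:
        algorithm, digest = spec.split(":", 1)
    except ValueError:
        # Same failure the questioner hit when feeding 'cksum' output (no colon).
        raise ValueError("The checksum parameter has to be in format <algorithm>:<checksum>")
    algorithm = algorithm.strip().lower()
    if algorithm not in SUPPORTED:
        raise ValueError("unsupported checksum algorithm: %r" % algorithm)
    # Strip stray whitespace, so 'md5: 4980...' from the third answer is accepted.
    digest = re.sub(r"\W+", "", digest).lower()
    # Stricter than get_url (assumption added here): the hex digest must have the right length.
    if not re.fullmatch(r"[0-9a-f]+", digest) or len(digest) != hashlib.new(algorithm).digest_size * 2:
        raise ValueError("digest is not a valid hex %s digest" % algorithm)
    return algorithm, digest


def is_valid_spec(spec):
    """True if the spec would be accepted by parse_checksum_spec."""
    try:
        parse_checksum_spec(spec)
        return True
    except ValueError:
        return False


def verify_bytes(data, spec):
    """Return (matches, actual_hexdigest) for in-memory content."""
    algorithm, expected = parse_checksum_spec(spec)
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual, expected), actual


def verify_file(path, spec, chunk_size=1 << 16):
    """Return (matches, actual_hexdigest) for a file on disk, hashed in chunks."""
    algorithm, expected = parse_checksum_spec(spec)
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    actual = h.hexdigest()
    return hmac.compare_digest(actual, expected), actual
```

A task that wraps this would fail, like the `fail:` task in the first answer, whenever the first element of the returned tuple is False.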