feat(aws-tools): Verify integrity of downloaded file

Follows the instructions on https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html to verify the ZIP file.
guardian · Nov 13, 2024 · 0e5f661 · 0e5f661
1 parent 083991c
commit 0e5f661
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/roles/aws-tools/tasks/main.yml b/roles/aws-tools/tasks/main.yml
@@ -17,6 +17,21 @@
   get_url: url=https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip dest=/tmp/awscliv2/awscliv2.zip
   when: ansible_architecture == "x86_64"
 
+# This key ID was obtained from https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
+- name: [AWS CLI v2] Import AWS GPG Key
+  command: gpg --keyserver hkp://keys.openpgp.org --recv-keys A6310ACC4672475C
+
+- name: [AWS CLI v2] Download signature (aarch64)
+  get_url: url=https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip.sig dest=/tmp/awscliv2/awscliv2.sig
+  when: ansible_architecture == "aarch64"
+
+- name: [AWS CLI v2] Download signature (x86_64)
+  get_url: url=https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig dest=/tmp/awscliv2/awscliv2.sig
+  when: ansible_architecture == "x86_64"
+
+- name: [AWS CLI v2] Verify downloaded ZIP file
+  command: gpg --verify /tmp/awscliv2/awscliv2.sig /tmp/awscliv2/awscliv2.zip
+
 - name: [AWS CLI v2] Extract
   command: unzip -o /tmp/awscliv2/awscliv2.zip -d /tmp/awscliv2