ansible-sign

0.1.5 verified Mon Apr 27 auth: no python

Ansible content validation library and CLI for signing and verifying Ansible content (collections, roles, playbooks) using GPG and Sigstore. Current version 0.1.5, pre-1.0 release in active development, no fixed release cadence.

pip install ansible-sign
error AttributeError: module 'ansible_sign' has no attribute 'AnsibleSign'
cause Old version <0.1.0 did not re-export the class; updating broke imports.
fix Upgrade ansible-sign to >=0.1.0 and use 'from ansible_sign import AnsibleSign'.
error gnupg.errors: Unable to run gpg: [Errno 2] No such file or directory
cause gpg executable not installed on system.
fix Install GPG: 'sudo apt install gnupg' (Debian/Ubuntu) or 'brew install gnupg' (macOS).
error CryptographyDeprecationWarning: ...
cause Dependency cryptography library has deprecated certain functions used by ansible-sign's GPG backend.
fix Update ansible-sign to latest version; if not available, pin cryptography < 41.0.0.
breaking Prior to 0.1.0, the import path was ansible_sign.core; in 0.1.0+ the main class AnsibleSign is exported from the package root. Old imports will break.
fix Use 'from ansible_sign import AnsibleSign' instead of 'from ansible_sign.core import AnsibleSign'.
gotcha The backend ('gpg' vs 'sigstore') must be specified explicitly in some methods; the default may not be consistent across all operations.
fix Always pass backend='gpg' or backend='sigstore' to signing/verification methods to ensure expected behavior.
gotcha GPG operations require the gnupg Python library and a GPG executable to be installed on the system. A missing gpg binary leads to cryptic errors.
fix Install GPG via the system package manager (e.g., 'sudo apt install gnupg') before using the GPG backend.
deprecated The CLI commands 'ansible-sign sign' and 'ansible-sign verify' are still present but may be replaced in future with subcommands under 'ansible-sign collection'.
fix Use 'ansible-sign --help' to see the current CLI structure; plan to migrate to the new subcommand structure if it is introduced.

Basic usage: sign and verify an Ansible collection tarball using GPG. Requires a GPG key to be set up.

from ansible_sign import AnsibleSign
signer = AnsibleSign()
# Sign a collection (requires GPG key in environment)
signer.sign_collection('mycollection-1.0.0.tar.gz', keyid='YOUR_GPG_KEY')
# Verify a signature
result = signer.verify_collection('mycollection-1.0.0.tar.gz.asc')
print(result.valid)