Verify gitea binary

roles/gitea/tasks/main.yml

@@ -1,10 +1,12 @@
 ---
 - include_vars: vault.yml
 
-- name: Install git
+- name: Install git and gpg
   become: true
   apt:
-    name: git
+    name:
+      - git
+      - gpg
     state: present
 
 - name: Create git group
@@ -94,6 +96,19 @@
     group: git
     mode: 0664
 
+- name: Verify downloaded binary - download asc file
+  get_url:
+    url: "https://dl.gitea.io/gitea/{{ gitea_binary.json.latest.version }}/gitea-{{ gitea_binary.json.latest.version }}-linux-{{ gitea_binary_arch }}.asc"
+    dest: "/tmp/gitea-{{ gitea_binary.json.latest.version }}.asc"
+
+- name: Verify downloaded binary - recv pgp key
+  command: gpg --keyserver hkps://keys.openpgp.org --recv 7C9E68152594688862D62AF62D9AE806EC1592E2
+
+- name: Verify downloaded binary - verify with gpg
+  command: "gpg --verify /tmp/gitea-{{ gitea_binary.json.latest.version }}.asc /home/git/gitea-{{ gitea_binary.json.latest.version }}"
+  register: result
+  failed_when: '"Good signature from" not in result.stderr'
+
 - name: Copy gitea binary to global location
   become: true
   copy: