Use checksum verification for CernVM-FS GPG key

The cvmrepo repository is sometimes down. This avoids fetching the GPG
key each time if it was already done, preventing Ansible failures.

It also verifies that the key is the expected one instead of blindly
trusting any GPG key.

This should not require much maintenance since the key appears to be the
same since it was generated in 2010.

Author: priteau

ansible/roles/eessi/defaults/main.yaml

@@ -9,3 +9,5 @@ cvmfs_config_default:
 cvmfs_config_overrides: {}
 
 cvmfs_config: "{{ cvmfs_config_default | combine(cvmfs_config_overrides) }}"
+
+cvmfs_gpg_checksum: "sha256:4ac81adff957565277cfa6a4a330cdc2ce5a8fdd73b8760d1a5a32bef71c4bd6"

ansible/roles/eessi/tasks/main.yaml

@@ -3,6 +3,7 @@
   ansible.builtin.get_url:
     url: http://cvmrepo.web.cern.ch/cvmrepo/yum/RPM-GPG-KEY-CernVM 
     dest: ./cvmfs-key.gpg
+    checksum: "{{ cvmfs_gpg_checksum }}"
 
 - name: Import downloaded GPG key
   command: rpm --import cvmfs-key.gpg
@@ -44,4 +45,4 @@
 # NOTE: Not clear how to make this idempotent
 - name: Ensure CVMFS config is setup
   command:
-    cmd: "cvmfs_config setup"
+    cmd: "cvmfs_config setup"