Diffstat (limited to 'test/integration/targets/dnf/tasks/gpg.yml')
-rw-r--r--test/integration/targets/dnf/tasks/gpg.yml88
1 files changed, 88 insertions, 0 deletions
diff --git a/test/integration/targets/dnf/tasks/gpg.yml b/test/integration/targets/dnf/tasks/gpg.yml
new file mode 100644
index 0000000..72bdee0
--- /dev/null
+++ b/test/integration/targets/dnf/tasks/gpg.yml
@@ -0,0 +1,88 @@
+# Set up a repo of unsigned rpms
+- block:
+ - set_fact:
+ pkg_name: langtable
+ pkg_repo_dir: "{{ remote_tmp_dir }}/unsigned"
+
+ - name: Ensure our test package isn't already installed
+ dnf:
+ name:
+ - '{{ pkg_name }}'
+ state: absent
+
+ - name: Install rpm-sign and attr
+ dnf:
+ name:
+ - rpm-sign
+ - attr
+ state: present
+
+ - name: Create directory to use as local repo
+ file:
+ path: "{{ pkg_repo_dir }}"
+ state: directory
+
+ - name: Download the test package
+ dnf:
+ name: '{{ pkg_name }}'
+ state: latest
+ download_only: true
+ download_dir: "{{ pkg_repo_dir }}"
+
+ - name: Unsign the RPM
+ shell: rpmsign --delsign {{ remote_tmp_dir }}/unsigned/{{ pkg_name }}*
+
+ # In RHEL 8.5 dnf uses libdnf to do checksum verification, which caches the checksum on an xattr of the file
+ # itself, so we need to clear that cache
+ - name: Clear libdnf checksum cache
+ shell: setfattr -x user.Librepo.checksum.sha256 {{ remote_tmp_dir }}/unsigned/{{ pkg_name }}*
+ when: ansible_distribution in ['RedHat', 'CentOS'] and
+ ansible_distribution_version is version('8.5', '>=') and
+ ansible_distribution_version is version('9', '<')
+
+ - name: createrepo
+ command: createrepo .
+ args:
+ chdir: "{{ pkg_repo_dir }}"
+
+ - name: Add the repo
+ yum_repository:
+ name: unsigned
+ description: unsigned rpms
+ baseurl: "file://{{ pkg_repo_dir }}"
+ # we want to ensure that signing is verified
+ gpgcheck: true
+
+ - name: Install test package
+ dnf:
+ name:
+ - "{{ pkg_name }}"
+ disablerepo: '*'
+ enablerepo: unsigned
+ register: res
+ ignore_errors: yes
+
+ - assert:
+ that:
+ - res is failed
+ - "'Failed to validate GPG signature' in res.msg"
+ - "'is not signed' in res.msg"
+
+ always:
+ - name: Remove rpm-sign and attr (and test package if it got installed)
+ dnf:
+ name:
+ - rpm-sign
+ - attr
+ - "{{ pkg_name }}"
+ state: absent
+
+ - name: Remove test repo
+ yum_repository:
+ name: unsigned
+ state: absent
+
+ - name: Remove repo dir
+ file:
+ path: "{{ pkg_repo_dir }}"
+ state: absent
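Review bot: The `assert` after "Install test package" only inspects the module result (`res is failed` plus two substrings of `res.msg`), so a regression where dnf reports the signature error but still leaves the unsigned package installed would pass this test. For a test of gpgcheck enforcement it is worth also querying the RPM database after the failed install and asserting that the package is absent, as sketched below. Separately, the "Unsign the RPM" and "Clear libdnf checksum cache" tasks rebuild the directory as `{{ remote_tmp_dir }}/unsigned/` instead of reusing `{{ pkg_repo_dir }}`; using the fact in both would keep them in step with the `set_fact` at the top of the block.

```yaml
    # … unchanged: "Install test package" task registering res …

    - name: Check whether the unsigned package ended up installed
      command: rpm -q {{ pkg_name }}
      register: rpm_query
      changed_when: false
      failed_when: false

    - assert:
        that:
          # … unchanged: the three assertions on res …
          - rpm_query.rc != 0
```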