# Set up a repo of unsigned rpms - block: - set_fact: pkg_name: langtable pkg_repo_dir: "{{ remote_tmp_dir }}/unsigned" - name: Ensure our test package isn't already installed dnf: name: - '{{ pkg_name }}' state: absent - name: Install rpm-sign and attr dnf: name: - rpm-sign - attr state: present - name: Create directory to use as local repo file: path: "{{ pkg_repo_dir }}" state: directory - name: Download the test package dnf: name: '{{ pkg_name }}' state: latest download_only: true download_dir: "{{ pkg_repo_dir }}" - name: Unsign the RPM shell: rpmsign --delsign {{ remote_tmp_dir }}/unsigned/{{ pkg_name }}* # In RHEL 8.5 dnf uses libdnf to do checksum verification, which caches the checksum on an xattr of the file # itself, so we need to clear that cache - name: Clear libdnf checksum cache shell: setfattr -x user.Librepo.checksum.sha256 {{ remote_tmp_dir }}/unsigned/{{ pkg_name }}* when: ansible_distribution in ['RedHat', 'CentOS'] and ansible_distribution_version is version('8.5', '>=') and ansible_distribution_version is version('9', '<') - name: createrepo command: createrepo . args: chdir: "{{ pkg_repo_dir }}" - name: Add the repo yum_repository: name: unsigned description: unsigned rpms baseurl: "file://{{ pkg_repo_dir }}" # we want to ensure that signing is verified gpgcheck: true - name: Install test package dnf: name: - "{{ pkg_name }}" disablerepo: '*' enablerepo: unsigned register: res ignore_errors: yes - assert: that: - res is failed - "'Failed to validate GPG signature' in res.msg" - "'is not signed' in res.msg" always: - name: Remove rpm-sign and attr (and test package if it got installed) dnf: name: - rpm-sign - attr - "{{ pkg_name }}" state: absent - name: Remove test repo yum_repository: name: unsigned state: absent - name: Remove repo dir file: path: "{{ pkg_repo_dir }}" state: absent