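---
# Negative test for GPG signature enforcement in the dnf module.
#
# A package is downloaded into a local directory, its signature is stripped,
# and the directory is published as a file:// repository with gpgcheck
# enabled. Installing from that repository must fail, and the package must
# not end up installed.
- block:
    - name: Define the test package and the local repo directory
      set_fact:
        pkg_name: langtable
        pkg_repo_dir: "{{ remote_tmp_dir }}/unsigned"

    - name: Ensure our test package isn't already installed
      dnf:
        name:
          - '{{ pkg_name }}'
        state: absent

    - name: Install rpm-sign and attr
      dnf:
        name:
          - rpm-sign
          - attr
        state: present

    - name: Create directory to use as local repo
      file:
        path: "{{ pkg_repo_dir }}"
        state: directory

    - name: Download the test package
      dnf:
        name: '{{ pkg_name }}'
        state: latest
        download_only: true
        download_dir: "{{ pkg_repo_dir }}"

    # The directory and package name are shell-quoted; the trailing glob stays
    # outside the quoting so it still expands to the downloaded file name.
    - name: Unsign the RPM
      shell: rpmsign --delsign {{ pkg_repo_dir | quote }}/{{ pkg_name | quote }}*

    # In RHEL 8.5 dnf uses libdnf to do checksum verification, which caches
    # the checksum on an xattr of the file itself, so we need to clear that
    # cache.
    - name: Clear libdnf checksum cache
      shell: setfattr -x user.Librepo.checksum.sha256 {{ pkg_repo_dir | quote }}/{{ pkg_name | quote }}*
      # A list of conditions is ANDed, same as the original single expression.
      when:
        - ansible_distribution in ['RedHat', 'CentOS']
        - ansible_distribution_version is version('8.5', '>=')
        - ansible_distribution_version is version('9', '<')

    - name: createrepo
      command: createrepo .
      args:
        chdir: "{{ pkg_repo_dir }}"

    - name: Add the repo
      yum_repository:
        name: unsigned
        description: unsigned rpms
        baseurl: "file://{{ pkg_repo_dir }}"
        # we want to ensure that signing is verified
        gpgcheck: true

    # Every other repo is disabled so the package can only come from the
    # unsigned one. The task is expected to fail; the result is kept for the
    # assertions below instead of aborting the play.
    - name: Install test package
      dnf:
        name:
          - "{{ pkg_name }}"
        disablerepo: '*'
        enablerepo: unsigned
      register: res
      ignore_errors: true

    # Requiring both messages ties the failure to signature validation rather
    # than to some unrelated error (missing repo metadata, download failure).
    - name: Verify the install was rejected because the package is unsigned
      assert:
        that:
          - res is failed
          - "'Failed to validate GPG signature' in res.msg"
          - "'is not signed' in res.msg"

    # A failed result alone does not prove nothing was installed, so query the
    # rpm database directly. rpm -q exits non-zero for an absent package.
    - name: Query the rpm database for the test package
      command: rpm -q {{ pkg_name | quote }}
      register: pkg_query
      changed_when: false
      failed_when: false

    - name: Verify the unsigned package was not installed
      assert:
        that:
          - pkg_query.rc != 0
        fail_msg: "{{ pkg_name }} is installed although GPG validation failed"

  always:
    # NOTE(review): rpm-sign and attr are removed even if they were present
    # before this test ran; fine on a disposable test host, confirm otherwise.
    - name: Remove rpm-sign and attr (and test package if it got installed)
      dnf:
        name:
          - rpm-sign
          - attr
          - "{{ pkg_name }}"
        state: absent

    - name: Remove test repo
      yum_repository:
        name: unsigned
        state: absent

    - name: Remove repo dir
      file:
        path: "{{ pkg_repo_dir }}"
        state: absent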