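---
# Set up a repo of unsigned rpms and verify that dnf refuses to install from
# it when gpgcheck is enabled. The block downloads one package, strips its
# signature, publishes it from a local file:// repo, and expects the install
# to fail with a signature error. Cleanup runs in `always`, pass or fail.
- block:
    - name: Define the test package and the local repo directory
      set_fact:
        pkg_name: langtable
        pkg_repo_dir: "{{ remote_tmp_dir }}/unsigned"

    - name: Ensure our test package isn't already installed
      dnf:
        name:
          - '{{ pkg_name }}'
        state: absent

    - name: Install rpm-sign and attr
      dnf:
        name:
          - rpm-sign
          - attr
        state: present

    - name: Create directory to use as local repo
      file:
        path: "{{ pkg_repo_dir }}"
        state: directory

    - name: Download the test package
      dnf:
        name: '{{ pkg_name }}'
        state: latest
        download_only: true
        download_dir: "{{ pkg_repo_dir }}"

    # shell (not command) is required so the trailing glob expands to the
    # downloaded file name. pkg_repo_dir is used instead of repeating the
    # literal path so the directory is defined in one place only.
    - name: Unsign the RPM
      shell: rpmsign --delsign {{ pkg_repo_dir }}/{{ pkg_name }}*

    # In RHEL 8.5 dnf uses libdnf to do checksum verification, which caches
    # the checksum on an xattr of the file itself, so we need to clear that
    # cache
    - name: Clear libdnf checksum cache
      shell: setfattr -x user.Librepo.checksum.sha256 {{ pkg_repo_dir }}/{{ pkg_name }}*
      when: >-
        ansible_distribution in ['RedHat', 'CentOS'] and
        ansible_distribution_version is version('8.5', '>=') and
        ansible_distribution_version is version('9', '<')

    - name: createrepo
      command: createrepo .
      args:
        chdir: "{{ pkg_repo_dir }}"

    - name: Add the repo
      yum_repository:
        name: unsigned
        description: unsigned rpms
        baseurl: "file://{{ pkg_repo_dir }}"
        # we want to ensure that signing is verified
        gpgcheck: true

    # Every other repo is disabled so the package can only come from the
    # unsigned local repo. Failure is the expected outcome here, so the error
    # is ignored and the registered result is checked by the next task.
    - name: Install test package
      dnf:
        name:
          - "{{ pkg_name }}"
        disablerepo: '*'
        enablerepo: unsigned
      register: res
      ignore_errors: true

    - name: Check that the install was rejected because the RPM is unsigned
      assert:
        that:
          - res is failed
          - "'Failed to validate GPG signature' in res.msg"
          - "'is not signed' in res.msg"

    # An error message alone does not show that nothing was installed. Asking
    # dnf in check mode whether removing the package would change anything
    # answers that without modifying the host.
    - name: Check whether the test package is present (check mode only)
      dnf:
        name:
          - "{{ pkg_name }}"
        state: absent
      check_mode: true
      register: pkg_present

    - name: Check that the unsigned package did not end up installed
      assert:
        that:
          - pkg_present is not changed

  always:
    - name: Remove rpm-sign and attr (and test package if it got installed)
      dnf:
        name:
          - rpm-sign
          - attr
          - "{{ pkg_name }}"
        state: absent

    - name: Remove test repo
      yum_repository:
        name: unsigned
        state: absent

    - name: Remove repo dir
      file:
        path: "{{ pkg_repo_dir }}"
        state: absent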