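---
# Integration tests for the rpm_key module.
#
# Flow: snapshot the gpg-pubkey entries already in the RPM database, exercise
# add/remove by local file and by URL (with idempotence checks), exercise
# fingerprint verification, then wipe the keyring, re-import the snapshot and
# assert the key list is back to what it was.
#
# Assumes `remote_tmp_dir` is provided by the test setup — TODO confirm.
# Downloaded fixtures live under remote_tmp_dir rather than at fixed names in
# the shared /tmp, consistent with the saved pubkeys file below.
#
# Save initial state
#
- name: Retrieve a list of gpg keys are installed for package checking
  shell: 'rpm -q gpg-pubkey | sort'  # shell needed for the pipe
  register: list_of_pubkeys

- name: Retrieve the gpg keys used to verify packages
  command: 'rpm -q --qf %{description} gpg-pubkey'
  register: pubkeys

# The ASCII-armored key material is re-imported in the Cleanup section.
- name: Save gpg keys to a file
  copy:
    content: "{{ pubkeys['stdout'] }}\n"
    dest: '{{ remote_tmp_dir }}/pubkeys'
    # quoted so no YAML parser (1.1 or 1.2) turns the octal mode into a decimal int
    mode: '0600'

#
# Tests start
#
# NOTE(review): no checksum is pinned for these downloads; the test relies on
# TLS to the CI file host. The EPEL key itself is not fingerprint-checked here
# (only the .dag key further down is).
- name: download EPEL GPG key
  get_url:
    url: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY-EPEL-7
    dest: '{{ remote_tmp_dir }}/RPM-GPG-KEY-EPEL-7'

- name: download sl rpm
  get_url:
    url: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/sl-5.02-1.el7.x86_64.rpm
    dest: '{{ remote_tmp_dir }}/sl.rpm'

- name: remove EPEL GPG key from keyring
  rpm_key:
    state: absent
    key: '{{ remote_tmp_dir }}/RPM-GPG-KEY-EPEL-7'

# rpm --checksig exits non-zero when the signing key is absent, which is the
# outcome under test, so the failure is ignored and asserted on below.
- name: check GPG signature of sl. Should fail
  command: "rpm --checksig {{ remote_tmp_dir }}/sl.rpm"
  register: sl_check
  ignore_errors: true

# Both wordings cover older and newer rpm output formats.
- name: confirm that signature check failed
  assert:
    that:
      - "'MISSING KEYS' in sl_check.stdout or 'SIGNATURES NOT OK' in sl_check.stdout"
      - "sl_check.failed"

- name: remove EPEL GPG key from keyring (idempotent)
  rpm_key:
    state: absent
    key: '{{ remote_tmp_dir }}/RPM-GPG-KEY-EPEL-7'
  register: idempotent_test

- name: check idempontence
  assert:
    that: "not idempotent_test.changed"

- name: add EPEL GPG key to key ring
  rpm_key:
    state: present
    key: '{{ remote_tmp_dir }}/RPM-GPG-KEY-EPEL-7'

- name: add EPEL GPG key to key ring (idempotent)
  rpm_key:
    state: present
    key: '{{ remote_tmp_dir }}/RPM-GPG-KEY-EPEL-7'
  register: key_idempotence

- name: verify idempotence
  assert:
    that: "not key_idempotence.changed"

- name: check GPG signature of sl. Should return okay
  command: "rpm --checksig {{ remote_tmp_dir }}/sl.rpm"
  register: sl_check

# Both wordings cover older and newer rpm output formats.
- name: confirm that signature check succeeded
  assert:
    that: "'rsa sha1 (md5) pgp md5 OK' in sl_check.stdout or 'digests signatures OK' in sl_check.stdout"

# Same add/remove cycle, but the key is given as a URL instead of a local path.
- name: remove GPG key from url
  rpm_key:
    state: absent
    key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY-EPEL-7

- name: Confirm key is missing
  command: "rpm --checksig {{ remote_tmp_dir }}/sl.rpm"
  register: sl_check
  ignore_errors: true

- name: confirm that signature check failed
  assert:
    that:
      - "'MISSING KEYS' in sl_check.stdout or 'SIGNATURES NOT OK' in sl_check.stdout"
      - "sl_check.failed"

- name: add GPG key from url
  rpm_key:
    state: present
    key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY-EPEL-7

- name: check GPG signature of sl. Should return okay
  command: "rpm --checksig {{ remote_tmp_dir }}/sl.rpm"
  register: sl_check

- name: confirm that signature check succeeded
  assert:
    that: "'rsa sha1 (md5) pgp md5 OK' in sl_check.stdout or 'digests signatures OK' in sl_check.stdout"

# Exercise importing into a completely empty keyring.
- name: remove all keys from key ring
  shell: "rpm -q  gpg-pubkey | xargs rpm -e"  # shell needed for the pipe

- name: add very first key on system
  rpm_key:
    state: present
    key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY-EPEL-7

- name: check GPG signature of sl. Should return okay
  command: "rpm --checksig {{ remote_tmp_dir }}/sl.rpm"
  register: sl_check

- name: confirm that signature check succeeded
  assert:
    that: "'rsa sha1 (md5) pgp md5 OK' in sl_check.stdout or 'digests signatures OK' in sl_check.stdout"

# Fingerprint pinning: the module must refuse a key whose fingerprint does not
# match, and must not touch the keyring in that case. Fingerprints are quoted so
# they are always read as strings.
- name: Issue 20325 - Verify fingerprint of key, invalid fingerprint - EXPECTED FAILURE
  rpm_key:
    key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY.dag
    fingerprint: '1111 1111 1111 1111 1111 1111 1111 1111 1111 1111'
  register: result
  # a module success here would mean the mismatch was not detected
  failed_when: result is success

- name: Issue 20325 - Assert Verify fingerprint of key, invalid fingerprint
  assert:
    that:
      - result is success
      - result is not changed
      - "'does not match the key fingerprint' in result.msg"

- name: Issue 20325 - Verify fingerprint of key, valid fingerprint
  rpm_key:
    key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY.dag
    fingerprint: 'EBC6 E12C 62B1 C734 026B 2122 A20E 5214 6B8D 79E6'
  register: result

- name: Issue 20325 - Assert Verify fingerprint of key, valid fingerprint
  assert:
    that:
      - result is success
      - result is changed

- name: Issue 20325 - Verify fingerprint of key, valid fingerprint - Idempotent check
  rpm_key:
    key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY.dag
    fingerprint: 'EBC6 E12C 62B1 C734 026B 2122 A20E 5214 6B8D 79E6'
  register: result

- name: Issue 20325 - Assert Verify fingerprint of key, valid fingerprint - Idempotent check
  assert:
    that:
      - result is success
      - result is not changed

#
# Cleanup
#
- name: remove all keys from key ring
  shell: "rpm -q  gpg-pubkey | xargs rpm -e"  # shell needed for the pipe

# Re-import the key material captured in "Save initial state".
- name: Restore the gpg keys normally installed on the system
  command: 'rpm --import {{ remote_tmp_dir }}/pubkeys'

- name: Retrieve a list of gpg keys are installed for package checking
  shell: 'rpm -q gpg-pubkey | sort'  # shell needed for the pipe
  register: new_list_of_pubkeys

# Sorted before/after lists must match exactly, so the test leaves no key behind
# and drops none of the originals.
- name: Confirm that we've restored all the pubkeys
  assert:
    that:
      - 'list_of_pubkeys["stdout"] == new_list_of_pubkeys["stdout"]'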