/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-official #182

Closed
ChandlerSwift opened this issue Apr 22, 2022 · 2 comments

@ChandlerSwift
Contributor

Describe the Issue
Task 1.2.2 fails on the absence of /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-official, which doesn't exist (we're using the RHEL image Azure provides for their VMs, which has RPM-GPG-KEY-redhat-release instead):

[me@host ~]$ ls /etc/pki/rpm-gpg/
ISV-Container-signing-key  RPM-GPG-KEY-microsoft-azure-release  RPM-GPG-KEY-redhat-beta  RPM-GPG-KEY-redhat-release
[me@host ~]$ cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="8.5 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.5"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.5 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/red_hat_enterprise_linux/8/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.5
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.5"

This appears to be a regression introduced in ceb1545, which changed -release to -official.

Expected Behavior
The task runs successfully.

Actual Behavior

TASK [RHEL8-CIS : 1.2.2 | AUDIT | Ensure GPG keys are configured] *****************************************************************************************************
fatal: [host]: FAILED! => {"changed": true, "cmd": ["gpg", "--quiet", "--with-fingerprint", "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-official"], "delta": "0:00:00.056419", "end": "2022-04-22 21:34:12.113110", "msg": "non-zero return code", "rc": 2, "start": "2022-04-22 21:34:12.056691", "stderr": "gpg: can't open '/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-official'", "stderr_lines": ["gpg: can't open '/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-official'"], "stdout": "", "stdout_lines": []}

Control(s) Affected

  • 1.2.2

Environment (please complete the following information):

$ ansible-playbook --version
ansible-playbook [core 2.12.4.post0]
  config file = /ansible/ansible.cfg
  configured module search path = ['/home/runner/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.8/site-packages/ansible
  ansible collection location = /home/runner/.ansible/collections:/ansible/collections
  executable location = /usr/local/bin/ansible-playbook
  python version = 3.8.12 (default, Sep 21 2021, 00:10:52) [GCC 8.5.0 20210514 (Red Hat 8.5.0-3)]
  jinja version = 3.1.1
  libyaml = True

On the targeted version:

[me@host ~]$ python3 --version
Python 3.6.8

Additional Notes
Unfortunately, since this is defined in vars/ and not in defaults/, it's not easily overridden since role vars take preference over group_vars, host_vars, and play vars. (I did end up being able to override it by passing a var to the role.)

Possible Solution
Change -official back to -release. I'm happy to submit a PR to do this if you'd like! However, since we're running Azure's flavor of RHEL and I don't have a base redhat install to test against, I decided to hold off on a PR to avoid potentially breaking other systems.

@ChandlerSwift ChandlerSwift added the bug Something isn't working label Apr 22, 2022
@uk-bolly uk-bolly self-assigned this Apr 25, 2022
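
The override described under Additional Notes, sketched as an added example that is not part of the original issue or the role's own code. The variable name `cis_rpm_gpg_key` is hypothetical (the issue does not name the variable), and the role name `RHEL8-CIS` is taken from the task output above and may differ from how the role is installed locally.

```yaml
# Added example, not the role's code.
# `cis_rpm_gpg_key` is a hypothetical name: substitute the variable that the
# role's vars/ file actually defines for the key path.
- name: Apply the CIS role on images that ship RPM-GPG-KEY-redhat-release
  hosts: all
  become: true

  pre_tasks:
    - name: Look for a Red Hat key file instead of assuming one filename
      ansible.builtin.find:
        paths: /etc/pki/rpm-gpg
        patterns:
          - RPM-GPG-KEY-redhat-release
          - RPM-GPG-KEY-redhat-official
      register: redhat_keys

    - name: Stop early with a clear message when neither key file is present
      ansible.builtin.assert:
        that: redhat_keys.matched > 0
        fail_msg: "No Red Hat GPG key file found in /etc/pki/rpm-gpg"

    - name: Pick one key path deterministically
      ansible.builtin.set_fact:
        redhat_key_path: "{{ redhat_keys.files | map(attribute='path') | sort | first }}"

    - name: Show the fingerprint of the key that control 1.2.2 will audit
      ansible.builtin.command:
        argv:
          - gpg
          - --quiet
          - --with-fingerprint
          - "{{ redhat_key_path }}"
      register: key_fingerprint
      changed_when: false

  roles:
    - role: RHEL8-CIS
      vars:
        # Role parameters rank above the role's vars/ directory in Ansible's
        # precedence order, so this value wins where group_vars, host_vars
        # and play vars do not.
        cis_rpm_gpg_key: "{{ redhat_key_path }}"
```

The fingerprint captured in `key_fingerprint.stdout` should still be compared against the fingerprints Red Hat publishes; finding a file with the expected name does not by itself show that the key is genuine.
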
@uk-bolly
Member

Hi @ChandlerSwift

Thank you for taking the time to raise this issue. I am hoping we can get this merged in to devel this week along with a few other issues that have recently been raised.

Regards

uk-bolly

@georgenalen
Contributor

This was addressed in release 2.1.0
