Binary GnuPG keys downloaded by 'ansible.builtin.apt_key' were corrupted #74474

Merged
merged 1 commit into from Apr 28, 2021

@maximmasiutin maximmasiutin commented Apr 28, 2021

SUMMARY

When importing a key by the apt_key module, it gets corrupted and not imported in the case of a binary key (not a textual “armored” key). Ansible tries to convert string data, but some data is lost on conversion, which results in a GnuPG error. This is a bug because binary data should not be converted using the to_native function.

ISSUE TYPE

  • Bugfix Pull Request

COMPONENT NAME

ansible.builtin.apt_key module

ADDITIONAL INFORMATION

Fixes #74424

Augmented by #74483

To reproduce this error, create the following files:

The Vagrantfile file:

Vagrant.configure("2") do |config|
  config.vm.base_mac = nil
  config.vm.synced_folder ".", "/vagrant", disabled: false

  config.vm.define "test-host" do |n|
    n.vm.box = "ubuntu/bionic64"
    n.vm.hostname = "test-host"
    n.vm.provision :ansible do |ansible|
      ansible.limit = "all"
      ansible.playbook = "test.yaml"
    end
  end
end

The test.yaml file:

- name: Test Playbook
  hosts: test-host
  become: yes
  tasks:
    - name: Add binary key
      apt_key: url=https://packages.cloud.google.com/apt/doc/apt-key.gpg
      register: apt_key_binary_test

    - name: Validate the results
      assert:
        that:
          - 'apt_key_binary_test.changed is defined'
          - 'apt_key_binary_test.changed'

and run vagrant up

Expected Results:

Key imported without a problem

Actual Results:

fatal: [master]: FAILED! => {"changed": false, "msg": "Unable to extract key from '-'", "stderr": "gpg: WARNING: no command supplied.  Trying to guess what you mean ...\ngpg: [don't know]: invalid packet (ctb=0a)\n", "stderr_lines": ["gpg: WARNING: no command supplied.  Trying to guess what you mean ...", "gpg: [don't know]: invalid packet (ctb=0a)"], "stdout": "pub:-:2048:1:FEEA9169307EA071:1614614617:1677728521::-:\nuid:::::::::Rapture Automatic Signing Key (cloud-rapture-signing-key-2021-03-01-08_01_09.pub):\nsub:-:2048:1:AA42F36EE8BEEE0E:1614614617::::\npub:-:2048:1:8B57C5C2836F4BEB:1607040606:1670154510::-:\nuid:::::::::gLinux Rapture Automatic Signing Key (//depot/google3/production/borg/cloud-rapture/keys/cloud-rapture-pubkeys/cloud-rapture-signing-key-2020-12-03-16_08_05.pub) <glinux-team@google.com>:\nsub:-:2048:1:48419E688DD52AC0:1607040606::::\n", "stdout_lines": ["pub:-:2048:1:FEEA9169307EA071:1614614617:1677728521::-:", "uid:::::::::Rapture Automatic Signing Key (cloud-rapture-signing-key-2021-03-01-08_01_09.pub):", "sub:-:2048:1:AA42F36EE8BEEE0E:1614614617::::", "pub:-:2048:1:8B57C5C2836F4BEB:1607040606:1670154510::-:", "uid:::::::::gLinux Rapture Automatic Signing Key (//depot/google3/production/borg/cloud-rapture/keys/cloud-rapture-pubkeys/cloud-rapture-signing-key-2020-12-03-16_08_05.pub) <glinux-team@google.com>:", "sub:-:2048:1:48419E688DD52AC0:1607040606::::"]}

Relevant file:
lib/ansible/modules/apt_key.py
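
The gpg message in the output above, `invalid packet (ctb=0a)`, means a byte in packet-header position lacked the high bit that every OpenPGP packet header carries; 0x0a is a line feed. The following is an added example, not code from this pull request or from Ansible: a minimal packet-header walker run over a constructed two-packet stream, showing that the untouched bytes parse while a lossy text round trip or a single stray line feed does not. `lossy_text_round_trip` is a hypothetical stand-in for text handling, not the module's `to_native` call, and `SAMPLE` is not a real key.

```python
# Constructed sample, not a real key: two old-format packets
# (tag 6 public key, tag 13 user ID) with arbitrary bodies.
SAMPLE = bytes([0x98, 0x08, 0x04, 0x60, 0x3C, 0xFF, 0x99, 0x01, 0x80, 0xFE,
                0xB4, 0x04]) + b"test"

def walk_packets(data):
    """Return the packet tags in a binary OpenPGP stream (RFC 4880, 4.2)."""
    tags, i = [], 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:  # bit 7 must be set on every packet header
            raise ValueError("invalid packet (ctb=%02x)" % ctb)
        try:
            if ctb & 0x40:  # new-format header
                tag, first = ctb & 0x3F, data[i + 1]
                if first < 192:
                    hdr, length = 2, first
                elif first < 224:
                    hdr, length = 3, ((first - 192) << 8) + data[i + 2] + 192
                elif first == 255:
                    hdr, length = 6, int.from_bytes(data[i + 2:i + 6], "big")
                else:
                    raise ValueError("partial body length not handled")
            else:  # old-format header
                tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
                if ltype == 3:
                    raise ValueError("indeterminate length not handled")
                n = (1, 2, 4)[ltype]
                hdr, length = 1 + n, int.from_bytes(data[i + 1:i + 1 + n], "big")
        except IndexError:
            raise ValueError("truncated packet header")
        if i + hdr + length > len(data):
            raise ValueError("truncated packet body")
        tags.append(tag)
        i += hdr + length
    return tags

def lossy_text_round_trip(data):
    """Hypothetical stand-in for treating key bytes as text (assumption)."""
    return data.decode("utf-8", errors="replace").encode("utf-8")

def describe(data):
    try:
        return "ok %s" % walk_packets(data)
    except ValueError as exc:
        return str(exc)

if __name__ == "__main__":
    for blob in (SAMPLE, lossy_text_round_trip(SAMPLE), SAMPLE + b"\n"):
        print(describe(blob))
```

A key file that passes this kind of structural check before and after any handling step is a quick regression test that the step is byte-transparent.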

@maximmasiutin

ready_for_review

…' module were corrupted so 'gpg' could not import them (ansible#74424)
@bcoca bcoca merged commit 3bc2e77 into ansible:devel Apr 28, 2021
@maximmasiutin maximmasiutin changed the title Binary GnuPG keys downloaded ansible.builtin.apt_key were corrupted Binary GnuPG keys downloaded by 'ansible.builtin.apt_key' were corrupted Apr 28, 2021
maximmasiutin added a commit to maximmasiutin/ansible that referenced this pull request Apr 28, 2021
@ansible ansible locked and limited conversation to collaborators May 26, 2021
Successfully merging this pull request may close these issues.

The ansible.builtin.apt_key module corrupts binary keys before importing them so import always fails