ansible.builtin.rpm_key fails in certain cases when deleting a key #79585

Open
kkeane opened this issue Dec 12, 2022 · 7 comments
Labels
affects_2.12 feature This issue/PR relates to a feature request. module This issue/PR relates to a module. P3 Priority 3 - Approved, No Time Limitation waiting_on_contributor This would be accepted but there are no plans to actively work on it.

Comments

kkeane commented Dec 12, 2022

Summary

When deleting a key by key ID that has already been deleted, rpm_key will fail.

Issue Type

Bug Report

Component Name

rpm_key

Ansible Version

$ ansible --version
ansible [core 2.12.9]
  config file = None
  configured module search path = ['/home/kkeane/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/kkeane/.virtualenvs/ansible5.4/lib64/python3.9/site-packages/ansible
  ansible collection location = /home/kkeane/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/kkeane/.virtualenvs/ansible5.4/bin/ansible
  python version = 3.9.14 (main, Nov  7 2022, 00:00:00) [GCC 11.3.1 20220421 (Red Hat 11.3.1-2)]
  jinja version = 3.1.2
  libyaml = True

Configuration

# if using a version older than ansible-core 2.12 you should omit the '-t all'
$ ansible-config dump --only-changed -t all
ANSIBLE_NOCOWS(env: ANSIBLE_NOCOWS) = True

BECOME:
======

CACHE:
=====

CALLBACK:
========

CLICONF:
=======

CONNECTION:
==========

HTTPAPI:
=======

INVENTORY:
=========

LOOKUP:
======

NETCONF:
=======

SHELL:
=====

VARS:
====

OS / Environment

RHEL 8

Steps to Reproduce

# The key in this example is an old SHA1 key for the Zoom conferencing software that is deprecated.
# The key is available from https://zoom.us/linux/download/pubkey
- name: Remove outdated GPG key
  become: true
  rpm_key:
    state: absent
    key:   gpg-pubkey-61a7c71d-55740c4b
  # ignore errors so we always execute the second attempt
  ignore_errors: true

- name: Remove outdated GPG key
  become: true
  rpm_key:
    state: absent
    key:   gpg-pubkey-61a7c71d-55740c4b

Expected Results

The first call to rpm_key should return failed=false and changed either true or false as appropriate
The second call to rpm_key should return failed=false and changed=false

Actual Results

The first call will return either failed=false and changed=true if the key exists, or failed=true if the key is missing.
The second call will always return failed=true.

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
Contributor

ansibot commented Dec 12, 2022

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the !component bot command.


@ansibot ansibot added affects_2.12 bug This issue/PR relates to a bug. module This issue/PR relates to a module. needs_triage Needs a first human triage before being processed. labels Dec 12, 2022
Contributor

gryu7 commented Dec 13, 2022

@kkeane
Hi, I checked your playbook and I got the same result.
However, I found out why your playbook works unexpectedly.

In the ansible.builtin.rpm_key module, you should input the keyid as the key parameter.
In your case, the keyid is 61a7c71d, which is part of the value you input.
Could you check whether it works as you expected using this keyid?

Author

kkeane commented Dec 13, 2022

Thank you - that is interesting to know (and a very quick response). I'll check this later today, but trust that you are right.

Maybe the documentation can be improved to clarify this, or rpm_key can be updated to also handle the provided string?

The confusion comes from the corresponding Linux utility rpmkeys; it documents the nearly opposite behavior in its man page (from RHEL 9.1):

Finally, public keys can be erased after importing just like packages. Here's how to remove the Red Hat GPG/DSA key

rpm -e gpg-pubkey-db42a60e

Granted, the module and the utility are two unrelated things, and man rpmkeys does not use the term keyid, but such a different behavior is still surprising.

@mkrizek mkrizek removed the needs_triage Needs a first human triage before being processed. label Dec 13, 2022
Contributor

mkrizek commented Dec 13, 2022

needs_info

@ansibot ansibot added the needs_info This issue requires further information. Please answer any outstanding questions. label Dec 13, 2022
Author

kkeane commented Dec 13, 2022

@gryu7 you are right, it appears that the keyid works.

I think that should change this from a bug report to a feature request?

@ansibot ansibot removed the needs_info This issue requires further information. Please answer any outstanding questions. label Dec 13, 2022
Contributor

gryu7 commented Dec 16, 2022

I'm not sure whether we should change the key value to a key like 'gpg-pubkey-61a7c71d-55740c4b' from a keyid.
I think we have 2 options.

  1. Change the key value to a key like 'gpg-pubkey-61a7c71d-55740c4b'.
  2. Change the document clearly.

I think it would be a good idea to ask for opinions on how to do this issue on the mailing list here.
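
An added example, not part of the thread and not the rpm_key module's code: a sketch of the first option, where the rpm package-style name is reduced to the keyid and removing an already-absent key is a no-op instead of a failure. The helper names `short_keyid` and `plan_removal`, the set of accepted spellings, and the second entry in the sample package list are assumptions made for illustration.

```python
import re

# rpm records each imported public key as a pseudo-package named
# gpg-pubkey-<short key ID>-<creation time>, both fields in hex.
_PKG = re.compile(r"gpg-pubkey-([0-9a-f]{8})(?:-[0-9a-f]{8})?", re.IGNORECASE)
_HEX = re.compile(r"(?:0x)?([0-9a-f]+)", re.IGNORECASE)


def short_keyid(key):
    """Return the 8-hex-digit short key ID for any accepted spelling of a key."""
    key = key.strip()
    m = _PKG.fullmatch(key)
    if m:
        return m.group(1).lower()
    m = _HEX.fullmatch(key)
    # 8 = short ID, 16 = long ID, 40 = v4 fingerprint; the short ID is the tail.
    if m and len(m.group(1)) in (8, 16, 40):
        return m.group(1)[-8:].lower()
    raise ValueError("not a key ID or gpg-pubkey package name: %r" % key)


def plan_removal(key, installed):
    """Decide what `state: absent` should do, given `rpm -q gpg-pubkey` lines.

    Returns (changed, packages_to_erase). A key that is already gone is a
    no-op, not an error, so a repeated run reports changed=False. Lines that
    are not package names (e.g. "package gpg-pubkey is not installed") are
    ignored.
    """
    wanted = short_keyid(key)
    targets = []
    for line in installed:
        name = line.strip()
        m = _PKG.fullmatch(name)
        if m and m.group(1).lower() == wanted:
            targets.append(name)
    return bool(targets), targets


# Constructed sample of `rpm -q gpg-pubkey` output (second entry is made up).
INSTALLED = ["gpg-pubkey-61a7c71d-55740c4b", "gpg-pubkey-0a1b2c3d-5f000000"]
```
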

Author

kkeane commented Dec 16, 2022 via email

@s-hertel s-hertel added waiting_on_contributor This would be accepted but there are no plans to actively work on it. feature This issue/PR relates to a feature request. and removed bug This issue/PR relates to a bug. labels Jun 7, 2023
@s-hertel s-hertel added the P3 Priority 3 - Approved, No Time Limitation label Apr 10, 2024