rpm_key key_id verification erroneous #23558
Labels
affects_2.2
This issue/PR affects Ansible v2.2
bug
This issue/PR relates to a bug.
module
This issue/PR relates to a module.
support:core
This issue/PR relates to code supported by the Ansible Engineering Team.
Comments
ansibot added the affects_2.2, bug_report, module and needs_triage (Needs a first human triage before being processed) labels on Apr 13, 2017
nitzmahone removed the needs_triage label on Apr 13, 2017
schwatvogel pushed a commit to schwatvogel/ansible that referenced this issue on Apr 18, 2017:
changed to "full key" comparison instead of "short keyid to rpm-filename" changed rpm keyid extraction method
ansibot added the support:core label on Jun 29, 2017
schwatvogel pushed a commit to schwatvogel/ansible that referenced this issue on Aug 2, 2017:
changed to "full key" comparison instead of "short keyid to rpm-filename" changed rpm keyid extraction method
abadger pushed a commit that referenced this issue on Aug 9, 2017
ISSUE TYPE
COMPONENT NAME
ansible/modules/packaging/os/rpm_key.py
ANSIBLE VERSION
CONFIGURATION
not relevant
OS / ENVIRONMENT
N/A
Redhat/Centos rpm-based
SUMMARY
Function is_key_imported does not work reliably because function getkeyid only extracts the last part of the first signature packet, ignoring the other significant ids; therefore the key will be imported on every Ansible run.
STEPS TO REPRODUCE
Install the Mono gpg key (from the Ubuntu keyserver, as per the official docs):
Short Summary:
getkeyid() essentially runs `gpg --no-tty --batch --with-colons --fixed-list-mode --list-packets /tmp/key.1 | grep signature` and returns the last 8 characters of the first key id it finds:
90E1FAD0C
instead of all keyids in this package:
Then is_key_imported() runs `rpm -qa gpg-pubkey` and matches the keyid against the first key part of the filename: `gpg-pubkey-d3d831ef-53dfa827`
This doesn't work with the Mono key because the partial keyid in the filename is from the second keyid in the key.
Possible Solutions:
Perhaps verifying the fingerprint of the keys, or
verifying the full key ids:
fetch the full 16-character key ids (all of them, not just the first)
and verify them against all installed key ids (not just rpm names)
by listing all installed gpg keys and extracting the key ids the same way as they are extracted from the reference keys:
`rpm -qa gpg-pubkey --qf "%{description}" | gpg --no-tty --batch --with-colons --fixed-list-mode --list-packets -`
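To make the two checks concrete, here is an added example written for this page (it is not the rpm_key module's own code, nor the fix that was later merged). It reproduces the name-based check the report describes next to a full-key-id check built on the proposed `rpm -qa gpg-pubkey --qf "%{description}" | gpg ... --list-packets -` listing. All gpg packet listings, key ids, creation times and rpm package names are constructed; the sample is arranged so that the first signature packet in the key file belongs to a different key than the one rpm names the package after, which mirrors the reported failure. The `installed_key_packets()` helper is the only part that shells out, and the sample run does not call it.

```python
"""Added example for the rpm_key key-id bug; not the module's code. All data below is constructed."""
import re
import subprocess

# Constructed `gpg --list-packets` output for the reference key file. The first signature
# packet is a certification by an unrelated key (0123456789ABCDEF); the key itself is
# FEDCBA98D3D831EF (created 1407166503 = 0x53dfa827) with one subkey. All ids are made up.
SAMPLE_REFERENCE_PACKETS = """\
:public key packet:
\tversion 4, algo 1, created 1407166503, expires 0
\tkeyid: FEDCBA98D3D831EF
:user ID packet: "Example Signing Key (constructed) <nobody@example.invalid>"
:signature packet: algo 1, keyid 0123456789ABCDEF
\tversion 4, created 1407166503, md5len 0, sigclass 0x10
:signature packet: algo 1, keyid FEDCBA98D3D831EF
\tversion 4, created 1407166503, md5len 0, sigclass 0x13
:public sub key packet:
\tversion 4, algo 1, created 1407166503, expires 0
\tkeyid: 1122334455667788
:signature packet: algo 1, keyid FEDCBA98D3D831EF
\tversion 4, created 1407166503, md5len 0, sigclass 0x18
"""

# Constructed `rpm -qa gpg-pubkey` output. rpm names each key package
# gpg-pubkey-<low 32 bits of the key id>-<creation time>, both lowercase hex.
SAMPLE_RPM_NAMES = ["gpg-pubkey-01234567-4d8f0e1a", "gpg-pubkey-d3d831ef-53dfa827"]

# Constructed output of `rpm -qa gpg-pubkey --qf "%{description}" | gpg ... --list-packets -`:
# the armored key stored in every gpg-pubkey package's description, listed back to back.
SAMPLE_INSTALLED_PACKETS = """\
:public key packet:
\tversion 4, algo 1, created 1301220890, expires 0
\tkeyid: DEADBEEF01234567
:signature packet: algo 1, keyid DEADBEEF01234567
\tversion 4, created 1301220890, md5len 0, sigclass 0x13
:public key packet:
\tversion 4, algo 1, created 1407166503, expires 0
\tkeyid: FEDCBA98D3D831EF
:user ID packet: "Example Signing Key (constructed) <nobody@example.invalid>"
:signature packet: algo 1, keyid FEDCBA98D3D831EF
\tversion 4, created 1407166503, md5len 0, sigclass 0x13
:public sub key packet:
\tversion 4, algo 1, created 1407166503, expires 0
\tkeyid: 1122334455667788
:signature packet: algo 1, keyid FEDCBA98D3D831EF
\tversion 4, created 1407166503, md5len 0, sigclass 0x18
"""


def getkeyid_first_signature(packets):
    """The reported behaviour: last 8 characters of the first ':signature packet:' line."""
    for line in packets.splitlines():
        line = line.strip()
        if line.startswith(":signature packet:"):
            return line[-8:].lower()
    raise ValueError("no signature packet in gpg output")


def is_key_imported_by_name(packets, rpm_names):
    """Name-based check: truncated id from the key file against the rpm package names."""
    short = getkeyid_first_signature(packets)
    return any(name.split("-")[2] == short for name in rpm_names)


# 'keyid: X' lines belong to public key / subkey packets; 'keyid X' on a signature
# packet names the signer, which may be a third-party certifier rather than this key.
KEY_PACKET_ID = re.compile(r"^\s*keyid:\s*([0-9A-Fa-f]{16})\s*$", re.MULTILINE)
SIGNATURE_ID = re.compile(r"^:signature packet:.*\bkeyid\s+([0-9A-Fa-f]{16})\b", re.MULTILINE)


def key_packet_ids(packets):
    return {m.group(1).upper() for m in KEY_PACKET_ID.finditer(packets)}


def signature_keyids(packets):
    return {m.group(1).upper() for m in SIGNATURE_ID.finditer(packets)}


def extract_keyids(packets):
    """All full 16-hex-digit ids of the key(s) in a listing. Prefer the key packets' own
    ids; fall back to signature ids for gpg builds that print no 'keyid:' lines."""
    return key_packet_ids(packets) or signature_keyids(packets)


def is_key_imported_full(reference_packets, installed_packets):
    """Full-id check: some id of the reference key appears among the installed keys' ids."""
    return bool(extract_keyids(reference_packets) & extract_keyids(installed_packets))


def installed_key_packets(rpm="rpm", gpg="gpg"):
    """Live form of the proposed pipeline; returns '' when no gpg-pubkey package exists."""
    q = subprocess.run([rpm, "-qa", "gpg-pubkey", "--qf", "%{description}"],
                       capture_output=True, text=True)
    if q.returncode != 0 or not q.stdout.strip():
        return ""
    g = subprocess.run([gpg, "--no-tty", "--batch", "--with-colons", "--fixed-list-mode",
                        "--list-packets", "-"], input=q.stdout, capture_output=True, text=True)
    return g.stdout


if __name__ == "__main__":
    print("name-based check:", is_key_imported_by_name(SAMPLE_REFERENCE_PACKETS, SAMPLE_RPM_NAMES))
    print("full-id check:", is_key_imported_full(SAMPLE_REFERENCE_PACKETS, SAMPLE_INSTALLED_PACKETS))
```

On the sample data the name-based check reports the key as missing (the first signature line yields `89abcdef`, which matches no `gpg-pubkey-*` name) even though `gpg-pubkey-d3d831ef-53dfa827` is installed, so a playbook would re-import on every run; the full-id check finds `FEDCBA98D3D831EF` in the installed listing. Two caveats worth keeping in mind: signature packets carry the signer's id, so on a key file with third-party certifications the signature-id fallback can over-match, which is why the `keyid:` lines on key packets are preferred where gpg prints them; and comparing full 16-hex ids (or, better still, fingerprints) rather than the 32-bit tail in the package name also removes the short-key-id collision the filename comparison is exposed to.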