ISSUE TYPE

• Bug Report

COMPONENT NAME

ansible/modules/packaging/os/rpm_key.py

ANSIBLE VERSION

ansible 2.2.1.0

CONFIGURATION

not relevant

OS / ENVIRONMENT

N/A
Redhat/Centos rpm-based

SUMMARY

Function is_key_imported does not work reliably because
Function getkeyid only extracts the last part of the first signature packet,ignoring the significant other ids
therefore the key will be imported on every ansible run

STEPS TO REPRODUCE

Install the Mono gpg key (from the Ubuntu keyserver, as per official docu):

http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF

Short Summary:

getkeyid() essentially runs
gpg --no-tty --batch --with-colons --fixed-list-mode --list-packets /tmp/key.1 |grep signature
And returns the last 8 characters of the first key id it finds:
90E1FAD0C
instead of all keyids in this package:

C90F9CB90E1FAD0C
01150A655BBD8102
A6A19B38D3D831EF
A6A19B38D3D831EF

Then is_key_imported() runs
rpm -qa gpg-pubkey and matches the keyid against the first key part of the filename:
gpg-pubkey-d3d831ef-53dfa827

This does'nt work with the Mono key because the partial keyid in the filename is from the second keyid in the key

Possible Solutions:

Perhaps verifying the Fingerprint of the keys, or
verify the full key ids:
Fetching the full 16 Character key-ids (all of them not just the first)
and verify them against all installed key ids (not just rpm names)
by listing all installed gpgkeys and extracting the keyids in the same way, as the are extracted from the reference keys:
rpm -qa gpg-pubkey --qf "%{description}"| gpg --no-tty --batch --with-colons --fixed-list-mode --list-packets -