Make rpm_key aware of multiple keys in a keyfile #75251
Conversation
Google makes an RPM key file containing multiple public keys publicly available, which is great for making sure ansible's rpm_key module can handle multiple keys being present in a single file.
Multiple keys can be concatenated into a single file, however. This aims to make the module check for multiple key fingerprints being present in a single file. This also allows for a list of fingerprints to be passed to module arguments for verification. If there's any mismatch, then the module throws an error.
- name: Issue 50615 - Verify key fingerprints. This should fail due to multiple key signatures
  rpm_key:
    # TODO: This needs to be rehosted on ansible CI infra
    key: https://dl.google.com/linux/linux_signing_key.pub

Suggested change:
-    key: https://dl.google.com/linux/linux_signing_key.pub
+    key: https://ansible-ci-files.s3.amazonaws.com/test/integration/targets/rpm_key/linux_signing_key.pub
- name: Issue 50615 - Add Google GPG keys to system
  rpm_key:
    # TODO: This needs to be rehosted on ansible CI infra
    key: https://dl.google.com/linux/linux_signing_key.pub

Suggested change:
-    key: https://dl.google.com/linux/linux_signing_key.pub
+    key: https://ansible-ci-files.s3.amazonaws.com/test/integration/targets/rpm_key/linux_signing_key.pub
This will also require a changelog in changelogs/fragments/
        return True
    for keyid in keyids:
        if keyid in line.split(':')[4]:
            matching_keys += 1
We're concerned about the potential edge cases where this may return a false positive. I think we'd be more comfortable, if we actually tracked the matching keys, and compared them against the actual content of keyids
instead of asserting the lengths are equal.
Good point! I'll update this so it does an actual comparison.
- name: Issue 50615 - Verify key fingerprints. This should fail due to multiple key signatures
  rpm_key:
    # TODO: This needs to be rehosted on ansible CI infra
    key: https://dl.google.com/linux/linux_signing_key.pub
We'll need to get these uploaded to our S3 bucket. cc @samdoran
    elif ret.startswith('0X'):
        normalized_keyids.append(ret[2:])
    else:
        normalized_keyids.append(ret)
Can we maybe keep normalize_keyid and create a normalize_keyids that calls the singular version. That can make unit testing of this function in the future easier.
I let this go stale; I'll redo it and resubmit in a new PR.
SUMMARY
Fixes #50615.
Make the rpm_key module use lists for key ids since a single key file can contain multiple keys. I also made the fingerprint option accept lists of fingerprints since they correspond with key ids. All fingerprints in a keyfile should be present when the fingerprints option is set for task success.
ISSUE TYPE
COMPONENT NAME
rpm_key
ADDITIONAL INFORMATION
Example:
The rpm_key module only checked for the presence of the first key in a file when importing keys from files. This meant that in cases where a single file contained multiple keys it was possible for later keys to not be imported if the first key in a key file was already installed. It could also mean that multiple keys could be installed even when only expecting a single key in a file.
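The failure mode described above (only the first key in a file is examined, so later keys are silently skipped or extra keys slip in) and the reviewers' request to compare the actual set of matched keys rather than a count can both be shown with a small parser over `gpg --with-colons` output. The following is an added example, not code from the ansible project or from this PR: the `normalize_keyid` / `normalize_keyids` names follow the suggestion in the review thread, while `parse_keys`, `verify_keys`, `count_based_check` and the sample listing are assumptions made for illustration. The sample key ids and fingerprints are constructed, not real keys.

```python
"""Verify a multi-key RPM/GPG key file against a list of expected key ids.

Added example, not code from the ansible project or this PR. It parses the
machine-readable ``gpg --with-colons`` listing of a key file and compares
the keys it finds against the caller's list by set membership, which is the
check the reviewers asked for instead of comparing match counts. Function
names and the sample data below are assumptions made for this example.
"""

# Constructed sample: what a ``gpg --with-colons`` listing of a key file
# holding two public keys looks like. Key ids and fingerprints are made up;
# as in real gpg output, the 16-hex long key id is the last 16 digits of the
# 40-digit fingerprint in the ``fpr`` record that follows each ``pub`` record.
SAMPLE_COLONS_OUTPUT = """\
pub:-:4096:1:A1B2C3D4E5F60718:1600000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF01234567A1B2C3D4E5F60718:
uid:-::::1600000000::0000000000000000000000000000000000000001::Example Signing Key (one) <one@example.invalid>::::::::::0:
sub:-:4096:1:1122334455667788:1600000000::::::s::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF1122334455667788:
pub:-:4096:1:F6E5D4C3B2A11827:1610000000:::-:::scESC::::::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA98F6E5D4C3B2A11827:
uid:-::::1610000000::0000000000000000000000000000000000000002::Example Signing Key (two) <two@example.invalid>::::::::::0:
"""


def normalize_keyid(keyid):
    """Uppercase a key id / fingerprint and drop an optional 0x prefix."""
    ret = keyid.strip().upper()
    if ret.startswith('0X'):
        ret = ret[2:]
    return ret


def normalize_keyids(keyids):
    """List form that delegates to the singular helper (easy to unit test)."""
    return [normalize_keyid(k) for k in keyids]


def parse_keys(colons_output):
    """Return one dict per primary key: {'keyid': ..., 'fpr': ...}.

    Only ``pub`` records and the ``fpr`` record directly after each one are
    used (key id is colon field 4, fingerprint is field 9); subkey
    fingerprints are deliberately ignored.
    """
    keys = []
    current = None
    for line in colons_output.splitlines():
        fields = line.split(':')
        if fields[0] == 'pub':
            current = {'keyid': fields[4].upper(), 'fpr': None}
            keys.append(current)
        elif fields[0] == 'sub':
            current = None
        elif fields[0] == 'fpr' and current is not None and current['fpr'] is None:
            current['fpr'] = fields[9].upper()
    return keys


def verify_keys(colons_output, expected):
    """Set-based comparison of the keys in a file against ``expected``.

    An expected value may be a 40-hex fingerprint, a 16-hex long key id or an
    8-hex short key id (the last 8 digits of the long id). Matching is exact
    on the whole value, never substring containment. Returns sorted lists
    ``(matched, missing, unexpected)``; a task should fail unless ``missing``
    and ``unexpected`` are both empty.
    """
    found = parse_keys(colons_output)
    matched, missing, seen = set(), set(), set()
    for want in set(normalize_keyids(expected)):
        hits = [k for k in found
                if want in (k['fpr'], k['keyid'], k['keyid'][-8:])]
        if hits:
            matched.add(want)
            seen.update(k['keyid'] for k in hits)
        else:
            missing.add(want)
    unexpected = {k['keyid'] for k in found} - seen
    return sorted(matched), sorted(missing), sorted(unexpected)


def count_based_check(colons_output, keyids):
    """The pattern the review objected to: count substring hits on the key id
    field and compare the count with len(keyids). It cannot say which keys
    matched, never notices extra keys, and two fragments of one key id
    satisfy it."""
    matching = 0
    for line in colons_output.splitlines():
        if line.startswith('pub:'):
            for keyid in keyids:
                if keyid in line.split(':')[4]:
                    matching += 1
    return matching == len(keyids)


if __name__ == '__main__':
    both = ['0xa1b2c3d4e5f60718', 'FEDCBA9876543210FEDCBA98F6E5D4C3B2A11827']
    print(verify_keys(SAMPLE_COLONS_OUTPUT, both))
    fragments = ['A1B2C3D4', 'E5F60718']
    print(count_based_check(SAMPLE_COLONS_OUTPUT, fragments))  # True: false positive
    print(verify_keys(SAMPLE_COLONS_OUTPUT, fragments))        # reports the missing and extra keys
```

With both expected values supplied, `verify_keys` reports no missing and no unexpected keys; with only the first key's id it flags the second key as unexpected, which is exactly the case the old first-key-only behaviour would have passed. The `fragments` input shows the reviewers' concern: the count-based check accepts two substrings of a single key id as two matches, while the set-based check reports one match, one missing value and one unexpected key.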