forked from ansible/ansible
-
Notifications
You must be signed in to change notification settings - Fork 0
/
gpg.yml
78 lines (66 loc) · 1.78 KB
/
gpg.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
# Set up a repo of unsigned rpms
- block:
- set_fact:
pkg_name: langtable
pkg_repo_dir: "{{ remote_tmp_dir }}/unsigned"
- name: Ensure our test package isn't already installed
dnf:
name:
- '{{ pkg_name }}'
state: absent
- name: Install rpm-sign
dnf:
name:
- rpm-sign
state: present
- name: Create directory to use as local repo
file:
path: "{{ pkg_repo_dir }}"
state: directory
- name: Download the test package
dnf:
name: '{{ pkg_name }}'
state: latest
download_only: true
download_dir: "{{ pkg_repo_dir }}"
- name: Unsign the RPM
shell: rpmsign --delsign {{ remote_tmp_dir }}/unsigned/{{ pkg_name }}*
- name: createrepo
command: createrepo .
args:
chdir: "{{ pkg_repo_dir }}"
- name: Add the repo
yum_repository:
name: unsigned
description: unsigned rpms
baseurl: "file://{{ pkg_repo_dir }}"
# we want to ensure that signing is verified
gpgcheck: true
- name: Install test package
dnf:
name:
- "{{ pkg_name }}"
disablerepo: '*'
enablerepo: unsigned
register: res
ignore_errors: yes
- assert:
that:
- res is failed
- "'Failed to validate GPG signature' in res.msg"
- "'is not signed' in res.msg"
always:
- name: Remove rpm-sign (and test package if it got installed)
dnf:
name:
- rpm-sign
- "{{ pkg_name }}"
state: absent
- name: Remove test repo
yum_repository:
name: unsigned
state: absent
- name: Remove repo dir
file:
path: "{{ pkg_repo_dir }}"
state: absent