author | Martin Krizek <martin.krizek@gmail.com> | 2023-04-25 16:11:32 +0200 |
committer | GitHub <noreply@github.com> | 2023-04-25 09:11:32 -0500 |
commit | 78eecfb9dc503a2eadb66404451318ebffe2d7d9 (patch) | |
tree | cfac0bb55ffb5992f102969741194ec6db180789 | |
parent | 53fd504935812fdb65e5ae9c156009efbafaad7f (diff) | |
download | ansible-78eecfb9dc503a2eadb66404451318ebffe2d7d9.tar.gz |
dnf5: use new API to check package signatures (#80609) (#80622)
(cherry picked from commit 36df60e2265f417d6211f30b10691dc8ae685d2c)
-rw-r--r-- | changelogs/fragments/dnf5-gpg-check-api.yml | 2 | ||||
-rw-r--r-- | lib/ansible/modules/dnf5.py | 25 |
2 files changed, 8 insertions, 19 deletions
diff --git a/changelogs/fragments/dnf5-gpg-check-api.yml b/changelogs/fragments/dnf5-gpg-check-api.yml
new file mode 100644
index 0000000000..c2b2ac6f05
--- /dev/null
+++ b/changelogs/fragments/dnf5-gpg-check-api.yml
@@ -0,0 +1,2 @@
+bugfixes:
+  - dnf5 - Use ``transaction.check_gpg_signatures`` API call to check package signatures AND possibly to recover from when keys are missing.
diff --git a/lib/ansible/modules/dnf5.py b/lib/ansible/modules/dnf5.py
index 6efa2a47fd..53dd57d49b 100644
--- a/lib/ansible/modules/dnf5.py
+++ b/lib/ansible/modules/dnf5.py
@@ -662,9 +662,6 @@ class Dnf5Module(YumDnf):
                 action = libdnf5.base.transaction.transaction_item_action_to_string(pkg.get_action())
                 results.append("{}: {}".format(actions_compat_map.get(action, action), pkg.get_package().get_nevra()))
-            result_to_str = {
-                libdnf5.rpm.RpmSignature.CheckResult_FAILED_NOT_SIGNED: "package is not signed",
-            }
             msg = ""
             if self.module.check_mode:
                 if results:
@@ -672,22 +669,12 @@ class Dnf5Module(YumDnf):
             else:
                 transaction.download(self.download_dir or "")
             if not self.download_only:
-                for pkg in transaction.get_transaction_packages():
-                    if not self.disable_gpg_check:
-                        result = libdnf5.rpm.RpmSignature(base).check_package_signature(pkg.get_package())
-                        if result == libdnf5.rpm.RpmSignature.CheckResult_FAILED_NOT_SIGNED:
-                            self.module.fail_json(
-                                msg="Failed to validate GPG signature for {}: {}".format(pkg.get_package().get_nevra(), result_to_str.get(result, result)),
-                                failures=[],
-                                rc=1,
-                            )
-                        if result in {
-                            libdnf5.rpm.RpmSignature.CheckResult_FAILED_KEY_MISSING,
-                            libdnf5.rpm.RpmSignature.CheckResult_FAILED_NOT_TRUSTED,
-                            libdnf5.rpm.RpmSignature.CheckResult_FAILED
-                        }:
-                            # FIXME https://github.com/rpm-software-management/dnf5/issues/386
-                            pass
+                if not self.disable_gpg_check and not transaction.check_gpg_signatures():
+                    self.module.fail_json(
+                        msg="Failed to validate GPG signatures: {}".format(",".join(transaction.get_gpg_signature_problems())),
+                        failures=[],
+                        rc=1,
+                    )
             transaction.set_description("ansible dnf5 module")
             result = transaction.run()
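Review bot: The new `check_gpg_signatures()` call carries a side effect the code does not mention: per the changelog fragment in this commit it may also recover from missing keys (i.e. import them), so the line deserves a comment such as `# check_gpg_signatures() may import missing keys in addition to verifying; failures are reported via get_gpg_signature_problems()` so a reader does not take it for a pure verification. The old per-package branch on `CheckResult_FAILED_NOT_SIGNED` is gone, which is fine given the API change, but the joined problem list is now the only diagnostic, and `",".join(...)` with no space makes multiple problems hard to read in the module result; `"; ".join(...)` would be clearer. The new code also presumes each problem is a `str` — if the binding returns a non-string sequence the join itself raises, so that assumption is worth confirming against the libdnf5 Python API. The enclosing method starts before and ends after this hunk.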