author | Sviatoslav Sydorenko <wk@sydorenko.org.ua> | 2022-07-20 22:20:31 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-07-20 13:20:31 -0700 |
commit | 1c0723ba34bfb70654402cc42dc249f20688ca34 (patch) | |
tree | c1d9956047689f4e152d72281ce189f7429f8ce2 | |
parent | c96ea44797bd82318814eeddd1c851f2d49536b3 (diff) | |
download | ansible-1c0723ba34bfb70654402cc42dc249f20688ca34.tar.gz |
[2.11-only] Prepare Alpine signing keys for installs from edge (#78311)
* Add a note on installing faketime on Alpine in CI
(cherry picked from commit d7e3c765be89ae3d155c00198c12dedf14d65816)
* Add note about libuser being unavailable @ Alpine
* Prepare Alpine signing keys for installs from edge
Before this patch, the Ansible Core CI Alpine image integrated into
this branch only had old package signing keys pre-installed.
On July 14, 2022, Alpine rotated their RSA keys to the new
4096-bit ones[1]. This resulted in older unprepared systems being
unable to verify package downloads, causing the following in the logs:
    ERROR: http://dl-cdn.alpinelinux.org/alpine/edge/community:
    UNTRUSTED signature
This patch updates the system-trusted keys by upgrading the
`alpine-keys` package to the latest version. With the change, the old
package installs succeed again. In particular, this concerns the
`faketime` and `libuser` packages that are used in `group` and
`setup_cron` integration tests.
This change is only applied to ansible-core 2.11 since all the newer
release streams have an updated version of the Alpine container that
does not need this hack.
[1]: https://www.alpinelinux.org/posts/Alpine-edge-signing-keys-rotated.html
-rw-r--r-- | test/integration/targets/group/tasks/tests.yml | 10 |
-rw-r--r-- | test/integration/targets/setup_cron/tasks/main.yml | 11 |
2 files changed, 19 insertions, 2 deletions
diff --git a/test/integration/targets/group/tasks/tests.yml b/test/integration/targets/group/tasks/tests.yml index a724c9dfae..862407cbde 100644 --- a/test/integration/targets/group/tasks/tests.yml +++ b/test/integration/targets/group/tasks/tests.yml @@ -211,7 +211,15 @@ - user_test_local_mode - name: Ensure lgroupadd is present - Alpine - command: apk add -U libuser --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community + block: + - name: Get the latest Alpine package signing keys + command: apk add -U -l -u alpine-keys + tags: + - user_test_local_mode + - name: Install libuser - Alpine + command: apk add -U libuser --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community + tags: + - user_test_local_mode when: ansible_distribution == 'Alpine' tags: - user_test_local_mode diff --git a/test/integration/targets/setup_cron/tasks/main.yml b/test/integration/targets/setup_cron/tasks/main.yml index c5a988e0a5..b99abd6fd9 100644 --- a/test/integration/targets/setup_cron/tasks/main.yml +++ b/test/integration/targets/setup_cron/tasks/main.yml @@ -27,7 +27,16 @@ when: ansible_distribution != 'Alpine' - name: install faketime packages - Alpine - command: apk add -U {{ faketime_pkg }} --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing + # NOTE: The `faketime` package is currently only available in the + # NOTE: `edge` branch. + # FIXME: If it ever becomes available in the `main` repository for + # FIXME: currently tested Alpine versions, the `--repository=...` + # FIXME: option can be dropped. + block: + - name: Get the latest Alpine package signing keys + command: apk add -U -l -u alpine-keys + - name: Install {{ faketime_pkg }} - Alpine + command: apk add -U {{ faketime_pkg }} --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing when: ansible_distribution == 'Alpine' - name: Find libfaketime path |
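Review bot: In the test/integration/targets/group/tasks/tests.yml hunk, the libuser install still pulls from `http://dl-cdn.alpinelinux.org/alpine/edge/community` over plain HTTP, so the apk signature check against the keys refreshed one task earlier is the only integrity control on that download. Consider switching the repository URL to `https://`, and keep in mind that `apk add -U -l -u alpine-keys` is itself resolved from whatever repositories the image already has configured. As a style point, the two inner `tags: - user_test_local_mode` entries are redundant: the enclosing block already carries that tag in the trailing context lines and tasks inherit tags from their block.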
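Review bot: In the test/integration/targets/setup_cron/tasks/main.yml hunk, the added NOTE/FIXME comments document the `--repository=...` option but nothing documents the `Get the latest Alpine package signing keys` task, which is the step a later reader is most likely to question. Add a comment on that task saying why the key refresh is needed and under what condition it can be removed. The same `apk add -U -l -u alpine-keys` task is also copied verbatim into the group target; a shared tasks file would keep the two copies from drifting. Because it runs through `command`, it reports changed on every run, so a `changed_when` condition would make the result meaningful.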