From 1c0723ba34bfb70654402cc42dc249f20688ca34 Mon Sep 17 00:00:00 2001
From: Sviatoslav Sydorenko
Date: Wed, 20 Jul 2022 22:20:31 +0200
Subject: [2.11-only] Prepare Alpine signing keys for installs from edge (#78311)

* Add a note on installing faketime on Alpine in CI

(cherry picked from commit d7e3c765be89ae3d155c00198c12dedf14d65816)

* Add note about libuser being unavailable @ Alpine

* Prepare Alpine signing keys for installs from edge

Before this patch, the Ansible Core CI Alpine image integrated into
this branch only had old package signing keys pre-installed. On July
14, 2022, Alpine has rotated their RSA keys to the new 4096-bit
ones[1]. This resulted in older unprepared systems being unable to
verify package downloads, causing the following in the logs:

    ERROR: http://dl-cdn.alpinelinux.org/alpine/edge/community: UNTRUSTED signature

This patch updates the system-trusted keys by upgrading the
`alpine-keys` package to the latest version. With the change, the old
package installs succeed again. In particular, this concerns the
`faketime` and `libuser` packages that are used in `group` and
`setup_cron` integration tests.

This change is only applied to ansible-core 2.11 since all the newer
release streams have an updated version of the Alpine container that
does not need this hack.

[1]: https://www.alpinelinux.org/posts/Alpine-edge-signing-keys-rotated.html
---
 test/integration/targets/group/tasks/tests.yml     | 10 +++++++++-
 test/integration/targets/setup_cron/tasks/main.yml | 11 ++++++++++-
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/test/integration/targets/group/tasks/tests.yml b/test/integration/targets/group/tasks/tests.yml
index a724c9dfae..862407cbde 100644
--- a/test/integration/targets/group/tasks/tests.yml
+++ b/test/integration/targets/group/tasks/tests.yml
@@ -211,7 +211,15 @@ - user_test_local_mode - name: Ensure lgroupadd is present - Alpine - command: apk add -U libuser --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community + block: + - name: Get the latest Alpine package signing keys + command: apk add -U -l -u alpine-keys + tags: + - user_test_local_mode + - name: Install libuser - Alpine + command: apk add -U libuser --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community + tags: + - user_test_local_mode when: ansible_distribution == 'Alpine' tags: - user_test_local_mode diff --git a/test/integration/targets/setup_cron/tasks/main.yml b/test/integration/targets/setup_cron/tasks/main.yml index c5a988e0a5..b99abd6fd9 100644 --- a/test/integration/targets/setup_cron/tasks/main.yml +++ b/test/integration/targets/setup_cron/tasks/main.yml @@ -27,7 +27,16 @@ when: ansible_distribution != 'Alpine' - name: install faketime packages - Alpine - command: apk add -U {{ faketime_pkg }} --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing + # NOTE: The `faketime` package is currently only available in the + # NOTE: `edge` branch. + # FIXME: If it ever becomes available in the `main` repository for + # FIXME: currently tested Alpine versions, the `--repository=...` + # FIXME: option can be dropped. + block: + - name: Get the latest Alpine package signing keys + command: apk add -U -l -u alpine-keys + - name: Install {{ faketime_pkg }} - Alpine + command: apk add -U {{ faketime_pkg }} --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing when: ansible_distribution == 'Alpine' - name: Find libfaketime path -- cgit v1.2.1
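Review bot: the new block in test/integration/targets/group/tasks/tests.yml carries no comment explaining why `libuser` is pulled from `edge/community` or why `alpine-keys` has to be upgraded first, even though the commit message lists "Add note about libuser being unavailable @ Alpine". Please mirror the NOTE/FIXME comment used in the setup_cron hunk so the workaround and its removal condition are visible at the task. Separately, the `tags: - user_test_local_mode` entries on the two inner tasks repeat the tag already set on the enclosing block; tasks inside a block inherit the block's tags, so the inner copies can be dropped.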
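Review bot: in test/integration/targets/setup_cron/tasks/main.yml the install task still passes `--repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing`, so with a plain-HTTP transport the apk signature check against the freshly upgraded `alpine-keys` is the only integrity control on the download. Consider an `https://` URL if the image ships CA certificates. The comment should also say that the `apk add -U -l -u alpine-keys` step is itself verified with the keys already in the image, since that is what the new trust depends on. The same key-refresh task is duplicated verbatim in the group target; a shared setup task would keep the two copies from drifting. Both `command` tasks will always report changed unless a `changed_when` is added.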