Ansible: Importing GPG-keys from RPM Fusion not working

I'm trying to create a task that downloads and imports the GPG keys from the official RPM Fusion site, but it fails.

- hosts: localhost
  connection: local
  name: DOWNLOADING AND IMPORTING SECURITY KEYS
  tasks:
    - name: Downloading the security key for RPM Fusion (free) repo
      get_url:
        url: https://rpmfusion.org/keys?action=AttachFile&do=get&target=RPM-GPG-KEY-rpmfusion-free-fedora-2020
        dest: ~/Downloads/free_keys.txt

    - name: Importing (free) key
      ansible.builtin.rpm_key:
        state: present
        key: ~/Downloads/free_keys.txt

    - name: Deleting security key file (free)
      ansible.builtin.file:
        path: ~/Downloads/free_keys.txt
        state: absent

    - name: Downloading the security key for RPM Fusion (non-free) repo
      get_url:
        url: https://rpmfusion.org/keys?action=AttachFile&do=get&target=RPM-GPG-KEY-rpmfusion-nonfree-fedora-2020
        dest: ~/Downloads/nonfree_keys.txt

    - name: Importing (non-free) key
      ansible.builtin.rpm_key:
        state: present
        key: ~/Downloads/nonfree_keys.txt

    - name: Deleting security key file (non-free)
      ansible.builtin.file:
        path: ~/Downloads/nonfree_keys.txt
        state: absent

This is the output:

TASK [Gathering Facts] *********************************************************
ok: [localhost]

TASK [Downloading the security key for RPM Fusion (free) repo] *****************
changed: [localhost] => {"changed": true, "checksum_dest": null, "checksum_src": "554f50b16f9cf421f7caf02ce83c9069fd399b0e", "dest": "/home/[REDACTED]/Downloads/free_keys.txt", "elapsed": 0, "gid": 1000, "group": "[REDACTED]", "md5sum": "7206830528e4e9fb61d52dafc4e32ed1", "mode": "0664", "msg": "OK (1704 bytes)", "owner": "[REDACTED]", "secontext": "unconfined_u:object_r:user_home_t:s0", "size": 1704, "src": "/home/[REDACTED]/.ansible/tmp/ansible-tmp-1623521488.9204922-9892-237385967611488/tmp38djamsm", "state": "file", "status_code": 200, "uid": 1000, "url": "https://rpmfusion.org/keys?action=AttachFile&do=get&target=RPM-GPG-KEY-rpmfusion-free-fedora-2020"}

TASK [Importing (free) key] ****************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Not a valid key ~/Downloads/free_keys.txt"}

PLAY RECAP *********************************************************************
localhost                  : ok=2    changed=1    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

So far I have tried downloading the keys in .txt.gpg format, but none of these methods worked. Any suggestions are greatly appreciated.

Edit: Answering your questions:

1.

TASK [Importing (free) key] ****************************************************
task path: /home/[REDACTED]/Documents/ansible-playbooks/for_laptops/dell_e7270/import_keys.yml:11
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: [REDACTED]
<127.0.0.1> EXEC /bin/sh -c 'echo ~[REDACTED] && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/[REDACTED]/.ansible/tmp `"&& mkdir "` echo /home/[REDACTED]/.ansible/tmp/ansible-tmp-1623533463.7691412-3758-92960382692038 `" && echo ansible-tmp-1623533463.7691412-3758-92960382692038="` echo /home/[REDACTED]/.ansible/tmp/ansible-tmp-1623533463.7691412-3758-92960382692038 `" ) && sleep 0'
Using module file /usr/lib/python3.9/site-packages/ansible/modules/packaging/os/rpm_key.py
<127.0.0.1> PUT /home/[REDACTED]/.ansible/tmp/ansible-local-3682vs8hkmey/tmpjamn9upp TO /home/[REDACTED]/.ansible/tmp/ansible-tmp-1623533463.7691412-3758-92960382692038/AnsiballZ_rpm_key.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /home/[REDACTED]/.ansible/tmp/ansible-tmp-1623533463.7691412-3758-92960382692038/ /home/[REDACTED]/.ansible/tmp/ansible-tmp-1623533463.7691412-3758-92960382692038/AnsiballZ_rpm_key.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/usr/bin/python3 /home/[REDACTED]/.ansible/tmp/ansible-tmp-1623533463.7691412-3758-92960382692038/AnsiballZ_rpm_key.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /home/[REDACTED]/.ansible/tmp/ansible-tmp-1623533463.7691412-3758-92960382692038/ > /dev/null 2>&1 && sleep 0'
fatal: [localhost]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "fingerprint": null,
            "key": "~/Downloads/free_keys",
            "state": "present",
            "validate_certs": true
        }
    },
    "msg": "Not a valid key ~/Downloads/free_keys"
}
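  2. The key is the one under 'Fedora 34' at this link.
  3. Yes, the downloaded key looks like this.
  4. Unfortunately, changing the permissions did not work.

It looks like the solution might be to download distribution-gpg-keys from the official repository before installing RPM Fusion.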

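  1. Try launching ansible with very verbose logging:
    /bin/ansible-playbook import_gpg.yml -vvvv
  2. As far as I can tell, it is 2021 now, and judging by the URL (https://rpmfusion.org/keys?action=AttachFile&do=get&target=RPM-GPG-KEY-rpmfusion-nonfree-fedora-2020), the key seems to have been issued for 2020.

I think you have downloaded and are trying to import an expired key.

  3. Can you verify that the file you downloaded looks like a GPG key? Something that looks like this: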
-----BEGIN PGP PUBLIC KEY BLOCK-----                                                                                                                        
mQINBF2tvGQBEAC5Q2ePLZZafOkFhYHpGZdRRBCcCd+aiLATofFV8+FjPuPLL/3R      
......
kgQgWZ6F2RZm5/R28DHdAetji50XbnmXgAk/u9u2Hw2bVVJfJ0WpEVcPvA1L86SE
8i8p1fmzljwRazZAksk5Zh2QfaM0jlMYHWbKpbXQcX19Uerm7D9IkciZvDAmgBYV
S6Y=
=rOqq
-----END PGP PUBLIC KEY BLOCK-----

They may be using Cloudflare, which blocks the default Ansible user agent (https://docs.ansible.com/ansible/latest/collections/ansible/builtin/get_url_module.html#parameter-http_agent). You can set the user agent to a browser one.

Alternatively, you can set appropriate permissions on the file saved to disk

    - name: Downloading the security key for RPM Fusion (non-free) repo
      get_url:
        url: https://rpmfusion.org/keys?action=AttachFile&do=get&target=RPM-GPG-KEY-rpmfusion-nonfree-fedora-2020
        dest: ~/Downloads/nonfree_keys.txt
        mode: 0600

because RPM cannot import keys from a world-writable file.

After some digging, I found the solution, and it is simpler than I thought:

---
- hosts: localhost
  connection: local
  name: IMPORTING SECURITY KEYS
  tasks:
    - name: Importing (free) key
      ansible.builtin.rpm_key:
        state: present
        key: https://rpmfusion.org/keys?action=AttachFile&do=get&target=RPM-GPG-KEY-rpmfusion-free-fedora-2020

    - name: Importing (non-free) key
      ansible.builtin.rpm_key:
        state: present
        key: https://rpmfusion.org/keys?action=AttachFile&do=get&target=RPM-GPG-KEY-rpmfusion-nonfree-fedora-2020

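Based on the official documentation, I thought you had to download the keys to your PC and then install them. Instead, you can put the URL directly in the key section.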
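
An added example, not part of the original thread: importing straight from a URL accepts whatever key the server returns, so this playbook pins the key with the fingerprint parameter of rpm_key (it appears as "fingerprint": null in the verbose output above) and the task fails on a mismatch. The fingerprint value is a placeholder to replace and the variable names are assumptions; the second variant imports from a local file through an absolute path, since the failing run shows the "~" path reaching the module unexpanded.

```yaml
---
# Added example (not from the original thread).
- hosts: localhost
  connection: local
  name: IMPORTING SECURITY KEYS WITH A PINNED FINGERPRINT
  vars:
    free_key_url: "https://rpmfusion.org/keys?action=AttachFile&do=get&target=RPM-GPG-KEY-rpmfusion-free-fedora-2020"
    # PLACEHOLDER (assumption): substitute the full fingerprint published for
    # this key, taken from a source other than the download being checked.
    free_key_fingerprint: "REPLACE_WITH_PUBLISHED_FINGERPRINT"
    # The failed run shows rpm_key receiving "~" literally, so build an
    # absolute path up front with the expanduser filter.
    free_key_file: "{{ '~/Downloads/free_keys.txt' | expanduser }}"
  tasks:
    # Variant A: import straight from the URL, as in the solution above,
    # but fail the task if the fetched key has a different fingerprint.
    - name: Importing (free) key from URL with fingerprint check
      ansible.builtin.rpm_key:
        state: present
        key: "{{ free_key_url }}"
        fingerprint: "{{ free_key_fingerprint }}"

    # Variant B: download first, then import the local file by absolute path.
    - name: Downloading the security key for RPM Fusion (free) repo
      ansible.builtin.get_url:
        url: "{{ free_key_url }}"
        dest: "{{ free_key_file }}"
        mode: "0644"

    - name: Importing (free) key from the downloaded file
      ansible.builtin.rpm_key:
        state: present
        key: "{{ free_key_file }}"
        fingerprint: "{{ free_key_fingerprint }}"

    - name: Deleting security key file (free)
      ansible.builtin.file:
        path: "{{ free_key_file }}"
        state: absent
```

Use one variant or the other; with both in the same play the second import simply reports no change.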