From f0e38a32c8cb21c5c00559652012af788c701f49 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Wed, 3 Jan 2024 13:24:46 +0100
Subject: [PATCH] Fix Ansible in rule ensure_redhat_gpgkey_installed

We have discovered that in some Ansible Playbooks that we generate, for example in `rhel8-playbook-anssi_bp28_high.yml`, the remediation for rule `ensure_redhat_gpgkey_installed` doesn't ensure that Red Hat GPG key is installed. Specifically, the Ansible Task `Import RedHat GPG key` is skipped during the Playbook execution because the condition `(gpg_installed_fingerprints | difference(gpg_valid_fingerprints)) | length == 0` that is part of the `when` statement in that task is evaluated as `false`. The root cause is that the `gpg_installed_fingerprints` fact is a list but the `gpg_valid_fingerprints` is a tuple. Starting from Ansible 2.16, the `difference` filter changed behavior when its operands are each of a different type. Therefore a list of different items of a non-zero length is produced. An easy fix to this is to define both aforementioned facts as same data types, eg. lists.
Fixes: #11399, #11409
---
 .../ensure_redhat_gpgkey_installed/ansible/shared.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
index 6ab9bdee767..9d79a91e85b 100644
--- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
+++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
@@ -28,7 +28,9 @@
 - name: Set Fact - Valid fingerprints
 set_fact:
- gpg_valid_fingerprints: ("{{{ release_key_fingerprint }}}" "{{{ auxiliary_key_fingerprint }}}")
+ gpg_valid_fingerprints:
+ - "{{{ release_key_fingerprint }}}"
+ - "{{{ auxiliary_key_fingerprint }}}"
 - name: Import RedHat GPG key
 rpm_key:
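Review bot: The new `gpg_valid_fingerprints` list under `set_fact` has no comment saying why it must stay a list, although this fact is the allow-list that gates the key import. I would add above it `# Keep as a YAML list: compared with gpg_installed_fingerprints via the difference filter, which is type-sensitive since Ansible 2.16`, so that a later cleanup does not collapse it back into a single scalar and silently skip the import again. The condition quoted in the commit message is also satisfied when `gpg_installed_fingerprints` is empty. The `Import RedHat GPG key` task continues outside this hunk, so please confirm its `when` also requires a non-empty installed-fingerprint list before `rpm_key` runs. A test scenario that runs the playbook on Ansible 2.16 or later and asserts that the key ends up imported would catch a regression of either kind.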