christiangda / ansible-role-amazon-cloudwatch-agent

Ansible Role for Amazon Cloudwatch Agent
GNU General Public License v3.0

ubuntu: fix gpg signature download #18

Closed patrickjahns closed 4 years ago

patrickjahns commented 4 years ago

While testing the upgrade from version 1.0.0 I noticed that the signature file had the same size as the package file.

This pull request aims to fix the signature download and additionally adds a check if the gpg signature file does not contain a valid signature.

fatal: [10.89.1.106]: FAILED! => {
    "changed": false, 
    "cmd": [
        "gpg", 
        "--verify", 
        "amazon-cloudwatch-agent.deb.sig", 
        "amazon-cloudwatch-agent.deb"
    ], 
    "delta": "0:00:00.175088", 
    "end": "2020-02-03 15:15:23.579666", 
    "failed_when_result": true, 
    "invocation": {
        "module_args": {
            "_raw_params": "gpg --verify amazon-cloudwatch-agent.deb.sig amazon-cloudwatch-agent.deb", 
            "_uses_shell": false, 
            "argv": null, 
            "chdir": "/tmp", 
            "creates": null, 
            "executable": null, 
            "removes": null, 
            "stdin": null, 
            "stdin_add_newline": true, 
            "strip_empty_ends": true, 
            "warn": true
        }
    }, 
    "msg": "non-zero return code", 
    "rc": 2, 
    "start": "2020-02-03 15:15:23.404578", 
    "stderr": "gpg: no valid OpenPGP data found.\ngpg: the signature could not be verified.\nPlease remember that the signature file (.sig or .asc)\nshould be the first file given on the command line.", 
    "stderr_lines": [
        "gpg: no valid OpenPGP data found.", 
        "gpg: the signature could not be verified.", 
        "Please remember that the signature file (.sig or .asc)", 
        "should be the first file given on the command line."
    ], 
    "stdout": "", 
    "stdout_lines": []
}

patrickjahns commented 4 years ago

@christiangda had a quick look at the travis result - seems so far unrelated to my change. Let me know how to proceed with the CI

christiangda commented 4 years ago

hi @patrickjahns

Thank you for your collaboration to fix this issue. I noticed that you made a mistake with

- name: Download {{ cwa_package }}.deb file
  get_url:
    url: "{{ cwa_package_signature }}"
    dest: "{{ cwa_temp_path }}/{{ cwa_package }}.deb"
    timeout: "{{ cwa_global_downloads_timeout }}"
  tags:

I changed it to

- name: Download {{ cwa_package }}.deb.sig file
  get_url:
    url: "{{ cwa_package_signature }}"
    dest: "{{ cwa_temp_path }}/{{ cwa_package }}.deb.sig"
    timeout: "{{ cwa_global_downloads_timeout }}"
  tags:
    - download-signature
    - verify-signature
    - download
    - install

The problem with the CI looks like some molecule dependency version. I'm working on it.

patrickjahns commented 4 years ago

@christiangda You are correct, I apologize for mixing them up. Happy to collaborate and futurewise also fix issue/remarks and update pull request if you want me to :-)
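
The failure mode described in this thread (a `.deb.sig` that is really a copy of the package) can be caught both before and during verification. The tasks below are an added example, not the role's or the pull request's own code; they assume the vendor public key is already imported into the keyring of the user running the task, and `cwa_expected_fingerprint` is a hypothetical variable holding that key's full fingerprint.

```yaml
# Added example, not the role's own tasks. cwa_temp_path and cwa_package are the
# variables used in this thread; cwa_expected_fingerprint is a hypothetical
# variable (uppercase hex, no spaces) for the key expected to sign the package.
- name: Stat package and detached signature
  stat:
    path: "{{ cwa_temp_path }}/{{ item }}"
    checksum_algorithm: sha256
  register: cwa_files
  loop:
    - "{{ cwa_package }}.deb"
    - "{{ cwa_package }}.deb.sig"

# Catches the symptom from this thread: the "signature" is the package itself.
- name: Fail early if the signature file is missing, empty or a copy of the package
  assert:
    that:
      - cwa_files.results[0].stat.exists
      - cwa_files.results[1].stat.exists
      - cwa_files.results[1].stat.size > 0
      - cwa_files.results[0].stat.checksum != cwa_files.results[1].stat.checksum
    fail_msg: "{{ cwa_package }}.deb.sig is not a usable detached signature"

# --status-fd 1 writes machine-readable "[GNUPG:] ..." lines to stdout, so the
# result does not depend on parsing the human-readable stderr text.
- name: Verify the signature and require the expected signing key
  command:
    argv:
      - gpg
      - --status-fd
      - "1"
      - --verify
      - "{{ cwa_package }}.deb.sig"
      - "{{ cwa_package }}.deb"
    chdir: "{{ cwa_temp_path }}"
  register: cwa_gpg
  changed_when: false
  # VALIDSIG is followed by the fingerprint of the key that made the signature.
  failed_when: >-
    cwa_gpg.rc != 0 or
    cwa_gpg.stdout_lines
    | select('search', 'VALIDSIG ' ~ cwa_expected_fingerprint)
    | list | length == 0
```

Requiring the fingerprint in the `VALIDSIG` line means a good signature from some other key that happens to be in the keyring is not accepted.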