Closed (statio closed this 3 weeks ago)
We are indeed rolling out a couple new keys that will be used in the future to sign the packages.
This project needs to be adapted to support that indeed.
My team is eager for a fix to this... just sayin'. Various distros in the Red Hat family are affected: Red Hat, AlmaLinux, Amazon Linux, CentOS. 😢
https://github.com/nginxinc/ansible-role-nginx/pull/719 should fix this issue :)
Describe the bug
A recent update to NGINX signing keys, which appears to have introduced an rsa4096 signing key in addition to still providing the original rsa2048 signing key, is causing the Red Hat/SLES OSs "Add NGINX signing key" task to fail due to a mismatch in the fingerprint. The default fingerprint provided for comparison in the task is: 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
Per a download of the nginx_signing_key URL in the main.yml file of the role, the 4096-bit keys were either added or updated yesterday?
pub rsa4096 2024-05-29 [SC] 8540A6F18833A80E9C1653A42FD21310B49F6B46 uid nginx signing key <signing-key-2@nginx.com>
pub rsa2048 2011-08-19 [SC] [expires: 2027-05-24] 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 uid nginx signing key <signing-key@nginx.com>
pub rsa4096 2024-05-29 [SC] 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3 uid nginx signing key <signing-key-3@nginx.com>
On a Rocky Linux 9 target system, this task now fails as a result of this apparent "mismatch".
Expected behavior
Updating this key directly in the task to the rsa4096 key provided in the signing key fixes this. The expected behavior is that the signing key matches the URL-determined key.
Additional context
Happy to create a merge request here, but given I've just started using the module and haven't had time to dig through all the components, I don't know if there's an expectation that this isn't where you manage the source key ID.
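As an added example (not code from the role or from the issue author), here is a fingerprint check that copes with a key file carrying several primary keys, which is the situation this report describes: a single pinned fingerprint fails against the three-key file, while an allowlist holding the three fingerprints listed above passes. It assumes gpg's `--with-colons` record format; the sample output embedded below is constructed, and the subkey in it is made up.

```python
import subprocess

# Fingerprints the downloaded key file is allowed to contain (the three listed in the report).
EXPECTED_FINGERPRINTS = {
    "573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62",  # rsa2048, signing-key@nginx.com
    "8540A6F18833A80E9C1653A42FD21310B49F6B46",  # rsa4096, signing-key-2@nginx.com
    "9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3",  # rsa4096, signing-key-3@nginx.com
}

# Constructed sample of `gpg --show-keys --with-colons --with-fingerprint nginx_signing.key`
# output, trimmed to pub/sub/fpr/uid records; the subkey and its fingerprint are made up.
SAMPLE_COLONS = """\
pub:-:4096:1:2FD21310B49F6B46:1716940800:::-:::scSC::::::23::0:
fpr:::::::::8540A6F18833A80E9C1653A42FD21310B49F6B46:
uid:-::::1716940800::0::nginx signing key <signing-key-2@nginx.com>::::::::::0:
pub:-:2048:1:ABF5BD827BD9BF62:1313712000:1811116800::-:::scSC::::::23::0:
fpr:::::::::573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62:
uid:-::::1313712000::0::nginx signing key <signing-key@nginx.com>::::::::::0:
sub:-:2048:1:0000000000000000:1313712000:1811116800:::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000000:
pub:-:4096:1:BCDCD8A38D88A2B3:1716940800:::-:::scSC::::::23::0:
fpr:::::::::9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3:
uid:-::::1716940800::0::nginx signing key <signing-key-3@nginx.com>::::::::::0:
"""

def primary_fingerprints(colons_output):
    """Fingerprint of every primary key: an fpr record describes the pub/sub record
    just before it, and subkey fingerprints are skipped because primary keys are pinned."""
    fprs, current = [], None
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            current = fields[0]
        elif fields[0] == "fpr" and current == "pub":
            fprs.append(fields[9].upper())  # field 10 carries the fingerprint
            current = None
    return fprs

def check_keyfile(fprs, expected):
    """Accept only a non-empty file whose every primary key is in the allowlist.
    Returns (ok, unexpected) so the caller can name the key that broke the pin."""
    unexpected = sorted(set(fprs) - set(expected))
    return (bool(fprs) and not unexpected), unexpected

def check_keyfile_with_gpg(path, expected=EXPECTED_FINGERPRINTS):
    """The same check against a real key file on disk; needs gpg >= 2.2 on PATH."""
    cmd = ["gpg", "--show-keys", "--with-colons", "--with-fingerprint", path]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return check_keyfile(primary_fingerprints(out), expected)
```

Running `check_keyfile(primary_fingerprints(SAMPLE_COLONS), {"573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62"})` reproduces the failure from the report by naming the two rsa4096 keys as unexpected, while the full allowlist returns `(True, [])`.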