nginxinc / ansible-role-nginx

Ansible role for installing NGINX
https://galaxy.ansible.com/nginxinc/nginx
Apache License 2.0

Updated NGINX Signing Keys cause "Add NGINX signing key" task to fail #720

Closed statio closed 3 weeks ago

statio commented 3 weeks ago

Describe the bug

A recent update to NGINX signing keys, which appears to have introduced an rsa4096 signing key in addition to still providing the original rsa2048 signing key, is causing the Red Hat/SLES OSs "Add NGINX signing key" task to fail due to a mismatch in the fingerprint. The default fingerprint provided for comparison in the task is: 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62

Per a download of the nginx_signing_key URL in the main.yml file of the role, the 4096-bit keys were either added or updated yesterday?

pub rsa4096 2024-05-29 [SC] 8540A6F18833A80E9C1653A42FD21310B49F6B46 uid nginx signing key signing-key-2@nginx.com

pub rsa2048 2011-08-19 [SC] [expires: 2027-05-24] 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 uid nginx signing key signing-key@nginx.com

pub rsa4096 2024-05-29 [SC] 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3 uid nginx signing key signing-key-3@nginx.com

On a Rocky Linux 9 target system, this task now fails as a result of this apparent "mismatch".

To reproduce

Steps to reproduce the behavior:

  1. Run the latest release of this role, which still includes the 2048-bit key as its sole signing key, against a RHEL9-esque target.
  2. View the output for an error on the task "RHEL/SLES OSs Add Nginx signing key".

Expected behavior

Updating this key directly in the task to the rsa4096 key provided in the signing key fixes this. The expected behavior is that the signing key matches the URL-determined key.

Your environment

Additional context

Happy to create a merge request here, but given I've just started using the module and haven't had time to dig through all the components, I don't know if there's an expectation that this isn't where you manage the source key ID.
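The failure described above comes down to checking a key file that now carries several primary keys against a single expected fingerprint. The following script is an added example, not code from this role or from NGINX: it parses the machine-readable (`--with-colons`) listing of a downloaded keyring, collects the fingerprint of every primary key (subkey fingerprints are skipped), and compares the set against an allow-list, reporting both unknown keys and expected keys that are absent. The three fingerprints in the allow-list are the ones quoted in the report; the colon-format listing, its timestamps and the subkey fingerprint are constructed sample data so the example runs offline, and `list_keyring_fingerprints` is a helper of this example that shells out to `gpg` on a real file.

```python
import subprocess
from typing import Dict, Iterable, List

# Allow-list of primary-key fingerprints taken from the key listing in the report.
EXPECTED_FINGERPRINTS = {
    "573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62",  # rsa2048, signing-key@nginx.com
    "8540A6F18833A80E9C1653A42FD21310B49F6B46",  # rsa4096, signing-key-2@nginx.com
    "9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3",  # rsa4096, signing-key-3@nginx.com
}

# Constructed sample of `gpg --with-colons --show-keys` output for a keyring with
# three primary keys and one subkey. Timestamps and the subkey fingerprint
# (all 'F's) are placeholders, not real values.
SAMPLE_COLON_LISTING = """\
pub:-:4096:1:2FD21310B49F6B46:1716940800:::-:::scSC::::::23::0:
fpr:::::::::8540A6F18833A80E9C1653A42FD21310B49F6B46:
uid:-::::1716940800::0000000000000000000000000000000000000000::nginx signing key <signing-key-2@nginx.com>::::::::::0:
pub:-:2048:1:ABF5BD827BD9BF62:1313712000:1811462400::-:::scSC::::::23::0:
fpr:::::::::573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62:
uid:-::::1313712000::0000000000000000000000000000000000000000::nginx signing key <signing-key@nginx.com>::::::::::0:
sub:-:2048:1:0000000000000000:1313712000:1811462400:::::e::::::23:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:
pub:-:4096:1:BCDCD8A38D88A2B3:1716940800:::-:::scSC::::::23::0:
fpr:::::::::9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3:
uid:-::::1716940800::0000000000000000000000000000000000000000::nginx signing key <signing-key-3@nginx.com>::::::::::0:
"""


def parse_fingerprints(colon_output: str) -> List[str]:
    """Return the fingerprints of all primary keys in a --with-colons listing.

    In colon format the 'fpr' record that follows a 'pub' record carries the
    primary-key fingerprint in field 10; 'fpr' records after 'sub' records are
    subkey fingerprints and are ignored here.
    """
    fingerprints: List[str] = []
    awaiting_primary_fpr = False
    for line in colon_output.splitlines():
        fields = line.split(":")
        record = fields[0]
        if record == "pub":
            awaiting_primary_fpr = True
        elif record == "sub":
            awaiting_primary_fpr = False
        elif record == "fpr" and awaiting_primary_fpr and len(fields) > 9:
            fingerprints.append(fields[9].upper())
            awaiting_primary_fpr = False
    return fingerprints


def check_keyring(fingerprints: Iterable[str], allowed: Iterable[str]) -> Dict[str, object]:
    """Compare a keyring's primary-key fingerprints with an allow-list.

    'unknown' lists keys present in the file but not allowed (the situation the
    report hits when only the rsa2048 fingerprint is expected); 'missing' lists
    allowed keys the file does not contain; 'ok' is True only when both are empty.
    """
    found = [fp.upper() for fp in fingerprints]
    allowed_set = {fp.upper() for fp in allowed}
    unknown = [fp for fp in found if fp not in allowed_set]
    missing = sorted(allowed_set - set(found))
    return {"unknown": unknown, "missing": missing, "ok": not unknown and not missing}


def list_keyring_fingerprints(key_file: str) -> List[str]:
    """Helper for real use: ask gpg for a colon listing of a key file and parse it."""
    result = subprocess.run(
        ["gpg", "--batch", "--with-colons", "--show-keys", key_file],
        capture_output=True, text=True, check=True,
    )
    return parse_fingerprints(result.stdout)


if __name__ == "__main__":
    fps = parse_fingerprints(SAMPLE_COLON_LISTING)
    # Single-fingerprint expectation, as in the role's default: two unknown keys.
    print(check_keyring(fps, {"573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62"}))
    # Allow-list updated with all three published fingerprints: passes.
    print(check_keyring(fps, EXPECTED_FINGERPRINTS))
```

Pinning every primary key in the file, rather than the first one found, is what lets a key rotation like this one fail loudly instead of silently accepting whichever key happens to be listed first.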

thresheek commented 3 weeks ago

We are indeed rolling out a couple new keys that will be used in the future to sign the packages.

This project needs to be adapted to support that indeed.

pfuntner commented 3 weeks ago

My team is eager for a fix to this... just sayin'. Various distros in the Redhat family are affected: Redhat, AlmaLinux, Amazon Linux, CentOS. 😢

alessfg commented 3 weeks ago

https://github.com/nginxinc/ansible-role-nginx/pull/719 should fix this issue :)