The specified fingerprint, '573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62', does not match the key fingerprint '8540A6F18833A80E9C1653A42FD21310B49F6B46

griff92 commented 1 week ago

Describe the bug

When installing the collection on a fresh server I receive this error: The specified fingerprint, '573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62', does not match the key fingerprint '8540A6F18833A80E9C1653A42FD21310B49F6B46

When looking at the gpg key on an ubuntu wsl I can see there was a new key created on 29/5 - It appears that the install is defaulting to this key: `[REDACTED ~]~ $ gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg pub rsa4096 2024-05-29 [SC] 8540A6F18833A80E9C1653A42FD21310B49F6B46 uid nginx signing key signing-key-2@nginx.com

pub rsa2048 2011-08-19 [SC] [expires: 2027-05-24] 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 uid nginx signing key signing-key@nginx.com

pub rsa4096 2024-05-29 [SC] 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3 uid nginx signing key signing-key-3@nginx.com`

In the code under tasks/keys/setup-keys.yml

I can see the rsa2048 key specified: - name: (Red Hat/SLES OSs) Add NGINX signing key ansible.builtin.rpm_key: fingerprint: 8540A6F18833A80E9C1653A42FD21310B49F6B46 key: "{{ keysite }}" when: ansible_facts['os_family'] in ['RedHat', 'Suse']

To reproduce

Packer shell provisioner installs the collections:

  "ansible-galaxy collection install community.general && sleep 10",
  "ansible-galaxy collection install ansible.posix && sleep 10",
  "ansible-galaxy collection install nginxinc.nginx_core && sleep 10",
  "ansible-galaxy collection install community.crypto && sleep 10",

Playbook: `---

hosts: all become: true collections:
- nginxinc.nginx_core roles:
- nginx`

Expected behavior

Install nginx

Your environment

-nginxinc.nginx_core:0.8.0

community.general:9.0.1
ansible.posix:1.5.4
community.crypto:2.20.0

Additional context

This was working before the 29th. Is there a way to specify the rsa2048key as a var, or does the code need updating with a PR?

Thanks

griff92 commented 1 week ago

I have put a work around in place for now by adding an additional ansible provisioner into my packer file to run this:

`---

name: Add rpm key hosts: all become: true

tasks:
- name: (Red Hat/SLES OSs) Add NGINX signing key ansible.builtin.rpm_key: fingerprint: "{{ item }}" key: https://nginx.org/keys/nginx_signing.key loop:
  - 8540A6F18833A80E9C1653A42FD21310B49F6B46
  - 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
  - 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3 ` Then for the playbook to install nginx i've added --skip-tag nginx_key" so it ignores the bit that was failing.

wzcwts521 commented 1 week ago

I'm facing the same issue.

alessfg commented 1 week ago

Heya! The role itself has been updated, but it might take a little while for the collection to be updated. As an alternative to the workaround you mentioned, I would also suggest downloading the latest commit of this role directly :)

mixman68 commented 2 days ago

The collection play the keys after prerequisites but it doesn't work on existing installation cuz nginx already part of sources.list, so the keys should be updated before running the prerequisite tasks

nginxinc / ansible-role-nginx