package by design only supports very basic options that are available on all package managers. If you want to do non-generic things like disabling GPG checks you should use the underlying modules directly.

On Thursday, November 18, 2021 at 8:45:22 PM UTC-5 j.darby....@gmail.com wrote:

> Okay, but the package module doesn't have a disable_gpg_check setting.
> So, previously (CentOS 7), you could install an unsigned package from a
> file with the package module. Now, you can't. You have to use either the
> dnf module or the yum module on CentOS 8/RHEL 8 to install an unsigned
> package from a file, so you can disable GPG verification.
>
> Here's my use case: There are several unsigned packages we need to
> install. Even in 2021, not every organization signs the packages they
> provide. We wrote a role a few years ago that downloads and installs an
> arbitrary list of packages. When we use this role, we have previously
> downloaded and inspected the packages to confirm they are genuine, and
> we've cached the SHA256 sums, which we can use to verify the integrity of
> the packages downloaded by the role. The list includes the URL and the
> SHA256 sum of each package like so:
>
> - package_name: some-package-1.0-1.el8.noarch.rpm
>   package_url: https://some-company.com/path/to/some-package-1.0-1.el8.noarch.rpm
>   package_sum: sha256:c3dd60d3ab4f1d56bb69fe3c644c2858d723331345a52453905257720cb2a155
>
> The way the role was originally written (using the package module) was
> intended to work for RHEL/CentOS as well as other Linux distributions that
> are not yum/dnf-based.
>
> Maybe the package module needs a disable_gpg_check that passes
> --nogpgcheck to yum/dnf and --allow-unauthenticated to apt-get? I'm less
> familiar with apt-based systems, but I think that does the same thing as
> nogpgcheck on yum.
>
> On Thursday, November 18, 2021 at 5:09:09 PM UTC-5 ma...@sivel.net wrote:
>
>> That is correct. The module explicitly only evaluates whether
>> `disable_gpg_check` is set or not. It does not respect the system
>> configuration.
>>
>> On Thu, Nov 18, 2021 at 3:36 PM Darby Mitchell <j.darby....@gmail.com>
>> wrote:
>>
>>> I ran into a problem that I think is a bug, but I saw that I should
>>> bring it up as a question on the mailing list first. So, my question is,
>>> is it expected behavior for ansible.builtin.package, ansible.builtin.yum
>>> and ansible.builtin.dnf to ignore the localpkg_gpgcheck setting in
>>> /etc/dnf/dnf.conf?
>>>
>>> On CentOS 7, the package module and the yum module both honor the
>>> localpkg_gpgcheck setting in /etc/yum.conf. If you set it to 0, you can
>>> install unsigned packages from a file using the package module (which
>>> doesn't have a disable_gpg_check option).
>>>
>>> On CentOS 8, these modules appear to ignore the localpkg_gpgcheck
>>> setting in /etc/dnf/dnf.conf (which is soft linked to /etc/yum.conf).
>>>
>>> Attached is a minimal example of the behavior...
>>> If I just dnf install the RPM, it works like a charm.
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Ansible Development" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to ansible-deve...@googlegroups.com.
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/ansible-devel/2f7007e4-9554-4255-be38-f5bd668b48cfn%40googlegroups.com
>>>
>>
>> --
>> Matt Martz
>> @sivel
>> sivel.net
>>
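
The pattern discussed in this thread (packages pinned by SHA256 sum, installed through the package-manager-specific modules rather than `package`), as an added example that is not part of the original messages or of the poster's role. The variable names `download_dir` and `vetted_packages` are hypothetical, the list entry is the sample quoted in the thread, and only the yum and dnf cases are covered.

```yaml
# Added example (not from the thread). download_dir and vetted_packages are
# hypothetical names; the single list entry is the sample quoted in the thread.
- name: Install vetted, unsigned packages pinned by SHA256
  hosts: all
  become: true
  vars:
    download_dir: /var/cache/vetted-packages
    vetted_packages:
      - package_name: some-package-1.0-1.el8.noarch.rpm
        package_url: "https://some-company.com/path/to/some-package-1.0-1.el8.noarch.rpm"
        package_sum: "sha256:c3dd60d3ab4f1d56bb69fe3c644c2858d723331345a52453905257720cb2a155"
  tasks:
    - name: Create the download directory
      ansible.builtin.file:
        path: "{{ download_dir }}"
        state: directory
        mode: "0755"

    # get_url fails the task when the file's digest differs from the pinned
    # value, so a package that changed upstream never reaches the install step.
    - name: Download each package and check it against its pinned sum
      ansible.builtin.get_url:
        url: "{{ item.package_url }}"
        dest: "{{ download_dir }}/{{ item.package_name }}"
        checksum: "{{ item.package_sum }}"
        mode: "0644"
      loop: "{{ vetted_packages }}"

    # The signature check is skipped for these tasks only; the system-wide
    # gpgcheck and localpkg_gpgcheck settings stay untouched.
    - name: Install the verified files with dnf (CentOS 8 / RHEL 8)
      ansible.builtin.dnf:
        name: "{{ download_dir }}/{{ item.package_name }}"
        disable_gpg_check: true
        state: present
      loop: "{{ vetted_packages }}"
      when: ansible_facts['pkg_mgr'] == 'dnf'

    - name: Install the verified files with yum (CentOS 7)
      ansible.builtin.yum:
        name: "{{ download_dir }}/{{ item.package_name }}"
        disable_gpg_check: true
        state: present
      loop: "{{ vetted_packages }}"
      when: ansible_facts['pkg_mgr'] == 'yum'
```

Because the install tasks reference only files that `get_url` has just checked against the pinned digest, the SHA256 pin takes over the integrity role that the disabled signature check would otherwise play.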