Skip to content

[stabilization] Check for PQC GPG key only on RHEL 10.1 and newer #14476

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
vojtapolasek merged 1 commit into from
Feb 27, 2026
Merged

[stabilization] Check for PQC GPG key only on RHEL 10.1 and newer #14476

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 16 additions & 2 deletions linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,13 +40,27 @@

{{% endif %}}

- name: "{{{ rule_title }}}: Set Fact - Valid fingerprints"
{{% if "rhel" in families and major_version_ordinal >= 10 %}}
- name: "{{{ rule_title }}}: Set Fact - Valid fingerprints (without PQC)"
ansible.builtin.set_fact:
gpg_valid_fingerprints:
- "{{{ release_key_fingerprint }}}"
- "{{{ auxiliary_key_fingerprint }}}"
when: ansible_distribution_version is version('10.1', '<')

- name: "{{{ rule_title }}}: Set Fact - Valid fingerprints (with PQC)"
ansible.builtin.set_fact:
gpg_valid_fingerprints:
- "{{{ release_key_fingerprint }}}"
- "{{{ auxiliary_key_fingerprint }}}"
{{% if "rhel" in families and major_version_ordinal >= 10 %}}
- "{{{ pqc_key_fingerprint }}}"
when: ansible_distribution_version is version('10.1', '>=')
{{% else %}}
- name: "{{{ rule_title }}}: Set Fact - Valid fingerprints"
ansible.builtin.set_fact:
gpg_valid_fingerprints:
- "{{{ release_key_fingerprint }}}"
- "{{{ auxiliary_key_fingerprint }}}"
{{% endif %}}

- name: "{{{ rule_title }}}: Import RedHat GPG key"
Expand Down
13 changes: 8 additions & 5 deletions linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/bash/shared.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,13 +25,16 @@ then
# No CRC error, safe to proceed
if [ "${GPG_RESULT}" -eq "0" ]
then
# If $REDHAT_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it
{{% if "rhel" in families and major_version_ordinal >= 10 %}}
echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}|${REDHAT_PQC_FINGERPRINT}" || {
if {{{ bash_os_linux_conditional("rhel", expected_ver="10.1", op=">=") | trim }}}
then
echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}|${REDHAT_PQC_FINGERPRINT}" || rpm --import "${REDHAT_RELEASE_KEY}"
else
echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || rpm --import "${REDHAT_RELEASE_KEY}"
fi
{{% else %}}
echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || {
echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || rpm --import "${REDHAT_RELEASE_KEY}"
{{% endif %}}
# If $REDHAT_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it
rpm --import "${REDHAT_RELEASE_KEY}"
}
fi
fi
26 changes: 24 additions & 2 deletions linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,8 +13,13 @@
<criterion comment="package gpg-pubkey-{{{ aux_pkg_version }}}-{{{ aux_pkg_release }}} is installed"
test_ref="test_redhat_package_gpgkey-{{{ aux_pkg_version }}}-{{{ aux_pkg_release }}}_installed" />
{{% if "rhel" in families and major_version_ordinal >= 10 %}}
<criterion comment="package gpg-pubkey-{{{ pqc_pkg_version }}}-{{{ pqc_pkg_release }}} is installed"
test_ref="test_redhat_package_gpgkey-{{{ pqc_pkg_version }}}-{{{ pqc_pkg_release }}}_installed" />
<criteria comment="If RHEL is 10.1 or newer then PQC key must be installed" operator="OR">
<criterion comment="RHEL is older than 10.1" test_ref="test_{{{ rule_id }}}_rhel_is_10_1_or_newer" negate="true" />
<criteria comment="RHEL is 10.1 or newer AND PQC is installed" operator="AND">
<criterion comment="RHEL is 10.1 or newer" test_ref="test_{{{ rule_id }}}_rhel_is_10_1_or_newer" />
<criterion comment="package gpg-pubkey-{{{ pqc_pkg_version }}}-{{{ pqc_pkg_release }}} is installed" test_ref="test_redhat_package_gpgkey-{{{ pqc_pkg_version }}}-{{{ pqc_pkg_release }}}_installed" />
</criteria>
</criteria>
{{% endif %}}
</criteria>
{{%- if centos_major_version %}}
Expand Down Expand Up @@ -88,5 +93,22 @@
</linux:rpminfo_state>
{{%- endif %}}

{{% if "rhel" in families and major_version_ordinal >= 10 %}}
<ind:textfilecontent54_test check="all" comment="VERSION_ID in os-release is greater than or equal 10.1" id="test_{{{ rule_id }}}_rhel_is_10_1_or_newer" version="1">
<ind:object object_ref="obj_{{{ rule_id }}}_rhel_is_10_1_or_newer" />
<ind:state state_ref="state_{{{ rule_id }}}_rhel_is_10_1_or_newer" />
</ind:textfilecontent54_test>

<ind:textfilecontent54_object id="obj_{{{ rule_id }}}_rhel_is_10_1_or_newer" version="1">
<ind:filepath>/etc/os-release</ind:filepath>
<ind:pattern operation="pattern match">^VERSION_ID=[&quot;&apos;]?([\w.]+)[&quot;&apos;]?$</ind:pattern>
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
</ind:textfilecontent54_object>

<ind:textfilecontent54_state id="state_{{{ rule_id }}}_rhel_is_10_1_or_newer" version="1">
<ind:subexpression operation="greater than or equal" datatype="version">10.1</ind:subexpression>
</ind:textfilecontent54_state>
{{% endif %}}

</def-group>
{{% endif %}}
Loading