
ensure_redhat_gpgkey_installed: use command module instead of rpm_key in Ansible remediation#14517

Merged
ggbecker merged 1 commit into ComplianceAsCode:master from vojtapolasek:fix_ansible_gpgkey_as_bash on Mar 3, 2026

Conversation

@vojtapolasek (Collaborator) commented Mar 3, 2026

Description:

  • Replace the ansible.builtin.rpm_key module with ansible.builtin.command: rpm --import in the Ansible remediation for rule ensure_redhat_gpgkey_installed. This makes the Ansible remediation consistent with the Bash remediation approach by calling rpm --import directly.

Rationale:

  • The ansible.builtin.rpm_key Ansible module is currently broken when encountering GPG keys with PQC (Post-Quantum Cryptography) signatures, as tracked in ansible/ansible#86157. Using rpm --import directly bypasses the module and works correctly regardless of key signature type.

Review Hints:

  • Single file change in linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
  • Affected products: rhel8, rhel9, rhel10, rhcos4
  • Build and verify with: ./build_product --datastream-only rhel9
  • The rule is non-templated and has existing test scenarios (key_installed.pass.sh, missing_key.fail.sh, fedora_key.fail.sh), but since only the Ansible remediation is changed (not OVAL checks), existing tests remain valid
  • The change replaces 3 lines (rpm_key module invocation) with 1 line (command module invocation) — straightforward to review

…mand instead of rpmkey Ansible module

The module is currently not working when encountering keys with PQC signatures

Relevant issue: ansible/ansible#86157
@vojtapolasek changed the title from "ensure:redhat_gpgkey_installed: in ansible remediation use direct com…" to "ensure_redhat_gpgkey_installed: use command module instead of rpm_key in Ansible remediation" on Mar 3, 2026
@vojtapolasek added the labels bugfix (Fixes to reported bugs.), Ansible (Ansible remediation update.) and RHEL10 (Red Hat Enterprise Linux 10 product related.) on Mar 3, 2026
@vojtapolasek vojtapolasek added this to the 0.1.81 milestone Mar 3, 2026
github-actions bot commented Mar 3, 2026

This datastream diff is auto generated by the check Compare DS/Generate Diff

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed' differs.
--- xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
+++ xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
@@ -99,9 +99,7 @@
   - restrict_strategy
 
 - name: 'Ensure Red Hat GPG Key Installed: Import RedHat GPG key'
-  ansible.builtin.rpm_key:
-    state: present
-    key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+  ansible.builtin.command: rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
   when:
   - gpg_key_directory_permission.stat.mode <= '0755'
   - (gpg_installed_fingerprints | difference(gpg_valid_fingerprints)) | length ==
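Review bot: the new `ansible.builtin.command: rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release` task will report `changed` on every run in which its `when:` conditions hold, whereas the `ansible.builtin.rpm_key` task it replaces (with `state: present`) only reported a change when the key was actually added; the fingerprint guard in `when:` limits how often the task executes, but consider adding a `changed_when` that reflects the key's prior presence, since ansible-lint's `no-changed-when` rule will otherwise flag this `command` task. The line also carries no hint that it is a temporary replacement: a YAML comment on the task noting that `rpm --import` works around the `rpm_key` PQC-signature bug tracked in ansible/ansible#86157 would make it clear when this can be reverted to the module.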

openshift-ci bot commented Mar 3, 2026

@vojtapolasek: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/4.17-images | a5b4da0 | link | true | /test 4.17-images |
| ci/prow/4.16-images | a5b4da0 | link | true | /test 4.16-images |
| ci/prow/4.14-images | a5b4da0 | link | true | /test 4.14-images |
| ci/prow/4.21-images | a5b4da0 | link | true | /test 4.21-images |
| ci/prow/4.19-images | a5b4da0 | link | true | /test 4.19-images |
| ci/prow/images | a5b4da0 | link | true | /test images |
| ci/prow/4.20-images | a5b4da0 | link | true | /test 4.20-images |
| ci/prow/4.12-images | a5b4da0 | link | true | /test 4.12-images |
| ci/prow/4.18-images | a5b4da0 | link | true | /test 4.18-images |


@ggbecker ggbecker self-assigned this Mar 3, 2026
@ggbecker ggbecker merged commit d856bd3 into ComplianceAsCode:master Mar 3, 2026
50 of 64 checks passed
matusmarhefka added a commit to matusmarhefka/contest that referenced this pull request Mar 3, 2026
In ComplianceAsCode/content#14517 we switched
to using Ansible `command` module instead of `rpm_key` until
ansible/ansible#86157 is resolved.