ansible/test/integration/targets/dnf/tasks/gpg.yml

# Set up a repo of unsigned rpms
- block:
    - set_fact:
        pkg_name: langtable
        pkg_repo_dir: "{{ remote_tmp_dir }}/unsigned"

    - name: Ensure our test package isn't already installed
      dnf:
        name:
          - '{{ pkg_name }}'
        state: absent

    - name: Install rpm-sign
      dnf:
        name:
          - rpm-sign
        state: present

    - name: Create directory to use as local repo
      file:
        path: "{{ pkg_repo_dir }}"
        state: directory

    - name: Download the test package
      dnf:
        name: '{{ pkg_name }}'
        state: latest
        download_only: true
        download_dir: "{{ pkg_repo_dir }}"

    - name: Unsign the RPM
      shell: rpmsign --delsign {{ remote_tmp_dir }}/unsigned/{{ pkg_name }}*

    - name: createrepo
      command: createrepo .
      args:
        chdir: "{{ pkg_repo_dir }}"

    - name: Add the repo
      yum_repository:
        name: unsigned
        description: unsigned rpms
        baseurl: "file://{{ pkg_repo_dir }}"
        # we want to ensure that signing is verified
        gpgcheck: true

    - name: Install test package
      dnf:
        name:
          - "{{ pkg_name }}"
        disablerepo: '*'
        enablerepo: unsigned
      register: res
      ignore_errors: yes

    - assert:
        that:
          - res is failed
          - "'Failed to validate GPG signature' in res.msg"

  always:
    - name: Remove rpm-sign (and test package if it got installed)
      dnf:
        name:
          - rpm-sign
          - "{{ pkg_name }}"
        state: absent

    - name: Remove test repo
      yum_repository:
        name: unsigned
        state: absent

    - name: Remove repo dir
      file:
        path: "{{ pkg_repo_dir }}"
        state: absent