Type: Feature Request
Resolution: Unresolved
Version: 2.6
Description
As organizations transition to NIST-standardized Post-Quantum Cryptography (PQC), the standard rpm binary and ansible.builtin.rpm_key module are currently unable to process PQC-signed keys and packages.
Currently, PQC-compliant systems utilize a specialized binary located at /usr/lib/pqrpm/bin/rpmkeys to handle modern algorithms (e.g., ML-DSA, Crystals-Dilithium). To manage these keys via Ansible today, users must resort to the command module, which lacks the idempotency and "check mode" safety of a native module.
Proposed Change
Update the ansible.builtin.rpm_key module to allow an optional cmd_path parameter, or create a dedicated pqrpm_key module that:
- Points to the specialized /usr/lib/pqrpm/bin/rpmkeys binary by default or via configuration.
- Supports the --import and key validation logic required for PQC signatures.
- Maintains the standard state=present / state=absent idempotency logic (including check mode) of the existing rpm_key module.
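The following is an added illustration of the idempotency and check-mode behaviour the proposed module would need; it is constructed for this request and is neither Ansible's rpm_key implementation nor part of pqrpm. It assumes the PQC rpmkeys binary accepts --import like stock rpmkeys and that the standard rpm binary can query and erase gpg-pubkey entries in a shared rpmdb (both paths are parameters, mirroring the proposed cmd_path option). Because deriving the rpmdb key id from a PQC key file depends on the PQC tooling, the key id is taken as an input here; the fake runner, the key path and the key id in the demo are all constructed values.

```python
#!/usr/bin/env python3
"""Idempotent present/absent logic for a hypothetical pqrpm_key module.

Constructed example: not Ansible's rpm_key code and not part of pqrpm. It assumes
that the PQC rpmkeys binary accepts --import like stock rpmkeys, and that the
standard rpm binary can query and erase gpg-pubkey entries in a shared rpmdb.
"""
import subprocess
from typing import Callable, Dict, List, Set, Tuple

DEFAULT_RPM = "/usr/bin/rpm"                    # standard binary named in the request
DEFAULT_RPMKEYS = "/usr/lib/pqrpm/bin/rpmkeys"  # PQC binary named in the request

# A runner takes an argv list and returns (returncode, stdout, stderr).
Runner = Callable[[List[str]], Tuple[int, str, str]]


def run_subprocess(argv: List[str]) -> Tuple[int, str, str]:
    """Real runner: execute argv without a shell so key paths are never shell-parsed."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout, proc.stderr


def installed_key_ids(rpm_path: str, run: Runner) -> Set[str]:
    """Key ids already in the rpmdb: the VERSION field of each gpg-pubkey package."""
    rc, out, _ = run([rpm_path, "-q", "gpg-pubkey", "--qf", r"%{VERSION}\n"])
    if rc != 0:  # rpm exits non-zero when no gpg-pubkey package is installed
        return set()
    return {line.strip().lower() for line in out.splitlines() if line.strip()}


def ensure_key(key_path: str, key_id: str, state: str, check_mode: bool = False,
               rpm_path: str = DEFAULT_RPM, rpmkeys_path: str = DEFAULT_RPMKEYS,
               run: Runner = run_subprocess) -> Tuple[bool, str]:
    """Bring one key to `state`; return (changed, action) the way a module would report it.

    key_id is the rpmdb key id (gpg-pubkey-<key_id>) that key_path imports as; deriving
    it from a PQC key file depends on the PQC tooling, so this example takes it as input.
    In check mode the decision is made but no command that modifies the rpmdb is run.
    """
    if state not in ("present", "absent"):
        raise ValueError("state must be 'present' or 'absent'")
    key_id = key_id.lower()
    present = key_id in installed_key_ids(rpm_path, run)

    if state == "present" and not present:
        if not check_mode:
            rc, _, err = run([rpmkeys_path, "--import", key_path])
            if rc != 0:
                raise RuntimeError(f"{rpmkeys_path} --import failed: {err.strip()}")
        return True, "import"
    if state == "absent" and present:
        if not check_mode:
            rc, _, err = run([rpm_path, "-e", "--allmatches", f"gpg-pubkey-{key_id}"])
            if rc != 0:
                raise RuntimeError(f"{rpm_path} -e failed: {err.strip()}")
        return True, "erase"
    return False, "noop"  # already in the desired state: idempotent


def make_fake_runner(installed: Set[str], key_files: Dict[str, str],
                     log: List[List[str]]) -> Runner:
    """Constructed stand-in for subprocess so the example runs offline.

    `installed` simulates the rpmdb key ids, `key_files` maps a key path to the id it
    imports as, and every argv is appended to `log` so callers can see what would run.
    """
    def run(argv: List[str]) -> Tuple[int, str, str]:
        log.append(argv)
        if argv[1:3] == ["-q", "gpg-pubkey"]:
            if not installed:
                return 1, "", "package gpg-pubkey is not installed\n"
            return 0, "".join(k + "\n" for k in sorted(installed)), ""
        if argv[1] == "--import":
            installed.add(key_files[argv[2]])
            return 0, "", ""
        if argv[1] == "-e":
            installed.discard(argv[3][len("gpg-pubkey-"):])
            return 0, "", ""
        return 2, "", "unexpected command\n"
    return run


if __name__ == "__main__":
    # Constructed demo: a fake rpmdb, a constructed key path and a constructed key id.
    rpmdb: Set[str] = set()
    log: List[List[str]] = []
    run = make_fake_runner(rpmdb, {"/etc/pki/pqc-key.asc": "0123456789abcdef"}, log)
    print(ensure_key("/etc/pki/pqc-key.asc", "0123456789ABCDEF", "present", run=run))
    print(ensure_key("/etc/pki/pqc-key.asc", "0123456789ABCDEF", "present", run=run))
    print(ensure_key("/etc/pki/pqc-key.asc", "0123456789ABCDEF", "absent",
                     check_mode=True, run=run))
    print(rpmdb)  # unchanged by the check-mode call
```

The design point is that the state decision is made from a query of the rpmdb, not from whether the command "succeeded", so running the task twice reports changed only once and check mode never reaches the --import or -e call. Swapping run_subprocess for the fake runner is what lets the logic be exercised without a PQC-enabled host.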
Use Case / Business Value
- Compliance: Required for environments following CNSA 2.0 (Commercial National Security Algorithm Suite) mandates for quantum resistance.
- Automation Efficiency: Eliminates the need for custom shell or command tasks to manage hybrid/PQC keyrings.
- Security: Ensures that the "Source of Truth" for package signatures is managed via a verified, native Ansible workflow rather than raw scripts.
Technical Details
- Standard Binary: /usr/bin/rpm
- PQC Binary: /usr/lib/pqrpm/bin/rpmkeys
- Key Format: Supports hybrid and PQC-only GPG/RPM public keys.