  1. RHEL
  2. RHEL-142706

Reimplement the fix for signature validation failures in RHEL 10 branch


    • Bug
    • Resolution: Unresolved
    • Normal
    • rhel-10.2
    • rhc-worker-playbook
    • rhc-worker-playbook-0.2.7-1.el10
    • Moderate
    • insights-ops-1

      Description/Background:

      On RHEL 10, rhc-worker-playbook catches signature validation errors, but those errors are not surfaced to Insights Remediations users.

      On RHEL 9, the resolution was to make the client not only log the signature validation failure, but also capture and report that failure to Insights, in RedHatInsights/rhc-worker-playbook#58. The same must be done for RHEL 10, which uses Go instead of Python.

      Acceptance Criteria:

      Share the list of tasks to be accomplished to be able to successfully complete this task

      • Fix this issue in the main branch of the rhc-worker-playbook repository.
      • Validate that the new rhc-worker-playbook code captures playbook validation errors, and those errors are surfaced to Insights Remediations users.
      • New RPMs are built and shipped.
      • CCT QE verification passes
      • Remediations QE verification passes

      Additional info:

      I created a remediation plan by POSTing this to the Insights Remediations API, for a RHEL 10 system:

      {
          "name": "jaudet-test:invalidSignatureTasks",
          "auto_reboot": false,
          "archived": false,
          "add": {
              "issues": [
                  {
                      "id": "test:invalidSignatureTasks",
                      "resolution": "fix",
                      "systems": ["7ff524a7-f35b-4091-9bc9-ce16aa921398"]
                  }
              ]
          }
      }
      

      I then executed the remediation plan. journalctl -fu yggdrasil.service logged this (trimmed):

      sending HTTP request: GET https://cert.cloud.redhat.com/api/remediations/v1/remediations/ebec4cfd-fb0c-4c7e-a7bc-04286b0037dd/playbook?hosts=7ff524a7-f35b-4091-9bc9-ce16aa921398&localhost
      emitted event: {Worker:rhc_worker_playbook Name:STARTED MessageID: ResponseTo: Data:map[]}
      received HTTP response: &{200 OK 200 HTTP/2.0 2 0 map[Cache-Control:[private] Content-Disposition:[attachment;filename="jaudet-testinvalidsignaturetasks-1759267563648.yml"] Content-Type:[text/vnd.yaml; charset=utf-8] Date:[Tue, 30 Sep 2025 21:26:03 GMT] Etag:[W/"1127-8P1ExJQyolIbCW2Ow0z8FETkabM"] Server:[openresty] Set-Cookie:[3ba1432eca9ab72ebcff858daecadbf5=0ada61822e8f901e4327fed90af7b60d; path=/; HttpOnly; Secure; SameSite=None] Strict-Transport-Security:[max-age=31536000; includeSubDomains] Vary:[Accept-Encoding] X-Content-Type-Options:[nosniff] X-Frame-Options:[SAMEORIGIN] X-Powered-By:[Express] X-Rh-Edge-Cache-Status:[NotCacheable from child] X-Rh-Edge-Reference-Id:[0.3109c617.1759267563.58cb4327] X-Rh-Edge-Request-Id:[58cb4327] X-Rh-Insights-Request-Id:[216b00f2298c4fa6bcfd71211271b3b3]] 0xc000192930 -1 [] false true map[] 0xc000290640 0xc000292900}
      emitted event: {Worker:rhc_worker_playbook Name:BEGIN MessageID:b5a839de-7a1c-47ff-8aee-1f62f405dd52 ResponseTo: Data:map[]}
      send message b5a839de-7a1c-47ff-8aee-1f62f405dd52 to worker rhc_worker_playbook
      emitted event: {Worker:rhc_worker_playbook Name:END MessageID:b5a839de-7a1c-47ff-8aee-1f62f405dd52 ResponseTo: Data:map[]}
      

      journalctl -fu com.redhat.Yggdrasil1.Worker1.rhc_worker_playbook.service logged this (trimmed):

      message received: message-id=b5a839de-7a1c-47ff-8aee-1f62f405dd52
      cannot verify playbook: code=1 stdout= stderr=Play 'ping' has invalid signature
      cannot call rx: cannot verify playbook: err=cannot verify playbook: exit status 1
      emitting event END
      

      Meanwhile, the Insights Remediations end user sees this:

              rhn-support-jcrafts Jeremy Crafts
              redakkan@redhat.com Rehana Raj Edakandiyil
              Jeremy Crafts Jeremy Crafts
              Jeremy Audet Jeremy Audet
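
The behaviour this issue asks for, sketched in Go as an added example (this is not rhc-worker-playbook's code): a verification failure becomes a failure event carrying the verifier's stderr instead of only a log line, and the playbook is never run. `VerifyError`, `Event` and `Handle` are hypothetical names, the verifier is a constructed stand-in, and delivery of the event to Insights is assumed to happen elsewhere.

```go
package main

import (
	"errors"
	"fmt"
)

// VerifyError keeps the verifier's exit code and stderr so they can be reported.
type VerifyError struct {
	Code   int
	Stderr string
}

func (e *VerifyError) Error() string {
	return fmt.Sprintf("cannot verify playbook: code=%d stderr=%s", e.Code, e.Stderr)
}

// Event is a hypothetical status message handed back for delivery upstream.
type Event struct{ MessageID, Status, Detail string }

// Handle verifies before running and always returns an Event, so the caller
// has something to send to the service on every path, including rejection.
func Handle(id string, playbook []byte, verify, run func([]byte) error) Event {
	if err := verify(playbook); err != nil {
		detail := err.Error()
		var ve *VerifyError
		if errors.As(err, &ve) {
			detail = ve.Stderr // surface the verifier's own message
		}
		return Event{MessageID: id, Status: "failure", Detail: "signature validation failed: " + detail}
	}
	if err := run(playbook); err != nil {
		return Event{MessageID: id, Status: "failure", Detail: "playbook run failed: " + err.Error()}
	}
	return Event{MessageID: id, Status: "success"}
}

func main() {
	// Constructed verifier result modelled on the worker log line above.
	bad := func([]byte) error { return &VerifyError{Code: 1, Stderr: "Play 'ping' has invalid signature"} }
	ran := false
	run := func([]byte) error { ran = true; return nil }
	ev := Handle("example-message-id", []byte("- hosts: localhost"), bad, run)
	fmt.Printf("event=%+v playbook_ran=%v\n", ev, ran)
}
```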