idempotency issues: "check package signature in repo files" and "remove_suid_from_blacklists"

[Rudikza]

Describe the bug
When running kitchen acceptance testing with the enforce_idempotency: true option set under the provisioner.

Expected behavior
On multiple chef runs, when nothing changes, no changes should be made.

Actual behavior
Two resources are updated even though the SUT hasn't changed:

       Running handlers:
       First chef run should have reached a converged state.
       Resources updated in a second chef-client run:
       - ruby_block[check package signature in repo files]
       - ruby_block[remove_suid_from_blacklists]

Example code

provisioner:
  name: chef_solo
<% if ENV['CHEF_VERSION'] %>
  require_chef_omnibus: <%= ENV['CHEF_VERSION'] %>
<% end %>
  chef_license: accept
  enforce_idempotency: true

OS / Environment

Target version of OS is Centos 7. I haven't tried any of the others.

Chef Version

Chef Workstation version: 1.0.11
Chef Infra Client version: 15.2.20
Chef InSpec version: 4.10.4
Test Kitchen version: 2.2.5
Foodcritic version: 16.1.1
Cookstyle version: 0.72.0

Cookbook Version

4.0.0

Additional context
I am happy to help write code if someone can point me in the right direction.

[sean-nixon]

I too would love to see this fixed.