ansible.builtin.apt_key (v2.16.5) — module

Add or remove an apt key

Added in version 1.0 of ansible.builtin

Authors: Jayson Vantuyl (@jvantuyl)

Install Ansible via pip

Install with pip install ansible-core==2.16.5

Description

Add or remove an apt key, optionally downloading it.


Requirements

Usage examples

- name: One way to avoid apt_key once it is removed from your distro, armored keys should use .asc extension, binary should use .gpg
  block:
    - name: somerepo | no apt key
      ansible.builtin.get_url:
        url: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x36a1d7869245c8950f966e92d8576a8ba88d21e9
        dest: /etc/apt/keyrings/myrepo.asc
        checksum: sha256:bb42f0db45d46bab5f9ec619e1a47360b94c27142e57aa71f7050d08672309e0

    - name: somerepo | apt source
      ansible.builtin.apt_repository:
        repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/myrepo.asc] https://download.example.com/linux/ubuntu {{ ansible_distribution_release }} stable"
        state: present
- name: Add an apt key by id from a keyserver
  ansible.builtin.apt_key:
    keyserver: keyserver.ubuntu.com
    id: 36A1D7869245C8950F966E92D8576A8BA88D21E9
- name: Add an Apt signing key, uses whichever key is at the URL
  ansible.builtin.apt_key:
    url: https://ftp-master.debian.org/keys/archive-key-6.0.asc
    state: present
- name: Add an Apt signing key, will not download if present
  ansible.builtin.apt_key:
    id: 9FED2BCBDCD29CDF762678CBAED4B06F473041FA
    url: https://ftp-master.debian.org/keys/archive-key-6.0.asc
    state: present
- name: Remove an Apt specific signing key, leading 0x is valid
  ansible.builtin.apt_key:
    id: 0x9FED2BCBDCD29CDF762678CBAED4B06F473041FA
    state: absent
# Use armored file since utf-8 string is expected. Must be of "PGP PUBLIC KEY BLOCK" type.
- name: Add a key from a file on the Ansible server
  ansible.builtin.apt_key:
    data: "{{ lookup('ansible.builtin.file', 'apt.asc') }}"
    state: present
- name: Add an Apt signing key to a specific keyring file
  ansible.builtin.apt_key:
    id: 9FED2BCBDCD29CDF762678CBAED4B06F473041FA
    url: https://ftp-master.debian.org/keys/archive-key-6.0.asc
    keyring: /etc/apt/trusted.gpg.d/debian.gpg
- name: Add Apt signing key on remote server to keyring
  ansible.builtin.apt_key:
    id: 9FED2BCBDCD29CDF762678CBAED4B06F473041FA
    file: /tmp/apt.gpg
    state: present

Inputs

    
id:
    description:
    - The identifier of the key.
    - Including this allows check mode to correctly report the changed state.
    - If specifying a subkey's id be aware that apt-key does not understand how to remove
      keys via a subkey id.  Specify the primary key's id instead.
    - This parameter is required when state is set to absent.
    type: str

url:
    description:
    - The URL to retrieve key from.
    type: str

data:
    description:
    - The keyfile contents to add to the keyring.
    type: str

file:
    description:
    - The path to a keyfile on the remote server to add to the keyring.
    type: path

state:
    choices:
    - absent
    - present
    default: present
    description:
    - Ensures that the key is present (added) or absent (revoked).
    type: str

keyring:
    description:
    - The full path to a specific keyring file in /etc/apt/trusted.gpg.d/.
    type: path
    version_added: '1.3'
    version_added_collection: ansible.builtin

keyserver:
    description:
    - The keyserver to retrieve key from.
    type: str
    version_added: '1.6'
    version_added_collection: ansible.builtin

validate_certs:
    default: 'yes'
    description:
    - If false, SSL certificates for the target URL will not be validated. This should
      only be used on personally controlled sites using self-signed certificates.
    type: bool

Outputs

after:
  description: List of apt key ids or fingerprints after any modification
  returned: on change
  sample:
  - D8576A8BA88D21E9
  - 3B4FE6ACC0B21F32
  - D94AA3F0EFE21092
  - 871920D1991BC93C
  type: list
before:
  description: List of apt key ids or fingerprints before any modifications
  returned: always
  sample:
  - 3B4FE6ACC0B21F32
  - D94AA3F0EFE21092
  - 871920D1991BC93C
  type: list
fp:
  description: Fingerprint of the key to import
  returned: always
  sample: D8576A8BA88D21E9
  type: str
id:
  description: key id from source
  returned: always
  sample: 36A1D7869245C8950F966E92D8576A8BA88D21E9
  type: str
key_id:
  description: calculated key id, it should be same as 'id', but can be different
  returned: always
  sample: 36A1D7869245C8950F966E92D8576A8BA88D21E9
  type: str
short_id:
  description: calculated short key id
  returned: always
  sample: A88D21E9
  type: str
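
The id parameter's subkey caveat can be checked before a playbook pins an id. The following is an added example, not part of the Ansible documentation or the module's code: it parses a GnuPG --with-colons key listing and reports whether an id names a primary key, only a subkey, or nothing. The function names, the accepted id lengths and the sample listing are assumptions made for this illustration.

```python
HEX = set("0123456789ABCDEF")

# Constructed sample in gpg's --with-colons listing format (not captured output).
# The primary fingerprint is the sample id from this page; the subkey is made up.
SAMPLE_COLONS = """\
pub:-:4096:1:D8576A8BA88D21E9:1500000000:::-:::scESC:
fpr:::::::::36A1D7869245C8950F966E92D8576A8BA88D21E9:
uid:-::::1500000000::::Example Repo <repo@example.com>:
sub:-:4096:1:1111222233334444:1500000000::::::e:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111222233334444:
"""

def parse_keys(colons):
    """Group fingerprints per key: [{'primary': fpr, 'subkeys': [fpr, ...]}]."""
    keys, owner = [], None
    for line in colons.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            keys.append({"primary": None, "subkeys": []})
            owner = "pub"
        elif fields[0] == "sub" and keys:
            owner = "sub"
        elif fields[0] == "fpr" and owner and len(fields) > 9:
            fpr = fields[9].upper()  # field 10 of an fpr record is the fingerprint
            if owner == "pub":
                keys[-1]["primary"] = fpr
            else:
                keys[-1]["subkeys"].append(fpr)
            owner = None  # the fpr record belongs to the pub/sub just before it
    return keys

def normalize_id(key_id):
    """Upper-case, drop a leading 0x, require 8, 16 or 40 hex digits (this helper's rule)."""
    value = key_id.strip().upper()
    value = value[2:] if value.startswith("0X") else value
    if len(value) not in (8, 16, 40) or not set(value) <= HEX:
        raise ValueError("not a key id or fingerprint: %r" % key_id)
    return value

def classify(key_id, keys):
    """Return 'primary', 'subkey' or 'missing' for key_id within the parsed keys."""
    wanted = normalize_id(key_id)
    if any(k["primary"] and k["primary"].endswith(wanted) for k in keys):
        return "primary"
    if any(s.endswith(wanted) for k in keys for s in k["subkeys"]):
        return "subkey"
    return "missing"
```

Short 8- and 16-digit ids are matched as suffixes of the fingerprint and can collide between keys, so pin the full 40-digit fingerprint where possible.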

See also