2023 Update: Ansible now has the
ansible.builtin.deb822_repository
module, which can add keys and repositories in one task. It's a little more complex than the old way, and requires Ansible 2.15 or later. See some commondeb822_repository
examples here, for example, the Jenkins tasks below can be consolidated (though the structure of the templated vars would need reworking):- name: Add Jenkins repo using key from URL. ansible.builtin.deb822_repository: name: jenkins types: [deb] uris: "https://pkg.jenkins.io/debian-stable" components: [binary] signed_by: https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key state: present enabled: true
For many packages, like Elasticsearch, Docker, or Jenkins, you need to install a trusted GPG key on your system before you can install from the official package repository.
Traditionally, you'd run a command like:
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
But if you do that in modern versions of Debian or Ubuntu, you get the following warning:
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
This way of adding apt keys still works for now (in mid-2022), but will stop working in the next major releases of Ubuntu and Debian (and derivatives). So it's better to stop the usage now. In Ansible, you would typically use the ansible.builtin.apt_key
module, but even that module has the following deprecation warning:
The apt-key command has been deprecated and suggests to ‘manage keyring files in trusted.gpg.d instead’. See the Debian wiki for details. This module is kept for backwards compatiblity for systems that still use apt-key as the main way to manage apt repository keys.
So traditionally, I would use a task like the following in my Ansible roles and playbooks:
- name: Add Jenkins apt repository key.
ansible.builtin.apt_key:
url: https://pkg.jenkins.io/debian-stable/jenkins.io.key
state: present
- name: Add Jenkins apt repository.
ansible.builtin.apt_repository:
repo: "deb https://pkg.jenkins.io/debian-stable binary/"
state: present
The new way to do this without adding an extra gpg --dearmor
task is to use get_url
to download the file into the trusted.gpg.d
folder with the .asc
filename. Therefore the first task above can be replaced with:
- name: Add Jenkins apt repository key.
ansible.builtin.get_url:
url: "{{ jenkins_repo_key_url }}"
dest: /etc/apt/trusted.gpg.d/jenkins.asc
mode: '0644'
force: true
See this issue in ansible/ansible for a little more background.
Comments
Just a quick note: keys in `/etc/apt/trusted.gpg.d` are trusted across all repos. The recommended approach is to put the key in `/usr/share/keyrings` and have the repo refer to it using the `signed-by` option.
If the key is in it's binary form , it needs to be with .gpg extension and we don't have to dearmor it
Why not just do this ???
wget -qO - https://somepath.com/keys.html | sudo gpg --dearmor --output /etc/apt/trusted.gpg.d/somebody.gpg
In Ansible, a command like that requires a lot of extra work to make idempotent, and it's not fun breaking idempotence :)
When you're doing it one-off, it's not a problem.
apt-key add --keyring /etc/apt/trusted.gpg.d/jenkins.pgp ....
- name: Add Jenkins apt repository key.
ansible.builtin.apt_key:
url: https://pkg.jenkins.io/debian-stable/jenkins.io.key
keyring: /etc/apt/trusted.gpg.d/jenkins.pgp
state: present
As an example/ echo Indrek and aduzsardi:
- name: Add gh cli signing key
get_url:
url: "https://cli.github.com/packages/githubcli-archive-keyring.gpg"
dest: /usr/share/keyrings/githubcli-archive-keyring.gpg
mode: 0644
force: true
- name: Add gh cli repo
apt_repository:
repo: "deb [arch=amd64 signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main"
filename: github_cli
state: present
update_cache: True
- name: Install gh cli
apt:
name: gh
state: present
What if the url sends 404 but not as http header?
with get_url and force you will break the local key
And how do I verify the apt_key.id? Without that it is like doing a Bungee Jump without rope.
The new method is the builtin.deb822_repository module.
Works very good, but needs cleanup from old configuration if a packet source was previously configured via apt_key and apt_repository.