apt_key

Collection Note

This module is part of the ansible.builtin collection. To install the collection, use:

ansible-galaxy collection install ansible.builtin
Added in version 1.0.

This module has further requirements; see the Requirements section for details.

Synopsis

  • Add or remove an apt key, optionally downloading it.

Requirements

The following Python packages are needed on the host that executes this module:

Parameters

| Parameter | Defaults / Choices | Comments |
|---|---|---|
| data (str) | | The keyfile contents to add to the keyring. |
| file (path) | | The path to a keyfile on the remote server to add to the keyring. |
| id (str) | | The identifier of the key. Including this allows check mode to correctly report the changed state. If specifying a subkey's id, be aware that apt-key does not understand how to remove keys via a subkey id. Specify the primary key's id instead. This parameter is required when state is set to absent. |
| keyring (path) | | The full path to a specific keyring file in /etc/apt/trusted.gpg.d/. Version Added: 1.3 |
| keyserver (str) | | The keyserver to retrieve the key from. Version Added: 1.6 |
| state (str) | Default: present. Choices: absent, present | Ensures that the key is present (added) or absent (revoked). |
| url (str) | | The URL to retrieve the key from. |
| validate_certs (bool) | Default: yes | If false, SSL certificates for the target url will not be validated. This should only be used on personally controlled sites using self-signed certificates. |

Notes

Note

  • The apt-key command used by this module has been deprecated. See the Debian wiki (https://wiki.debian.org/DebianRepository/UseThirdParty) for details. This module is kept for backwards compatibility for systems that still use apt-key as the main way to manage apt repository keys.
  • As a sanity check, the downloaded key id must match the one specified.
  • Use full fingerprint (40 characters) key ids to avoid key collisions. To display the full fingerprint of an imported key: apt-key adv --list-public-keys --with-fingerprint --with-colons
  • If you specify both the key id and the url with state=present, the task can verify or add the key as needed.
  • Adding a new key requires an apt cache update (e.g. using the ansible.builtin.apt module's update_cache option).
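
The full-fingerprint and subkey notes above can be checked mechanically against the colon-format listing. The following is an added example, not code from the module or its documentation; the sample listing, its fingerprints and the function names are constructed for illustration.

```python
import re

# Constructed sample of `apt-key adv --list-public-keys --with-fingerprint
# --with-colons` output (not a real key): one primary key with one subkey.
SAMPLE_LISTING = """\
pub:-:4096:1:6D7E8F9001122334:1700000000:::-:::scESC:
fpr:::::::::A1B2C3D4E5F60718293A4B5C6D7E8F9001122334:
uid:-::::1700000000::::Example Repo <repo@example.com>:
sub:-:4096:1:C3D2E1F00A1B2C3D:1700000000::::::s:
fpr:::::::::0F1E2D3C4B5A69788796A5B4C3D2E1F00A1B2C3D:
"""

FULL_FPR = re.compile(r"[0-9A-F]{40}")


def normalize_id(key_id):
    """Upper-case the id and drop an optional leading 0x."""
    key_id = key_id.strip().upper()
    return key_id[2:] if key_id.startswith("0X") else key_id


def parse_fingerprints(listing):
    """Return (primary, subkey) fingerprint sets from colon-format output."""
    primary, subkey = set(), set()
    owner = None  # record type (pub or sub) that the next fpr line belongs to
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            owner = fields[0]
        elif fields[0] == "fpr" and len(fields) > 9 and owner:
            # Field 10 (index 9) of an fpr record holds the fingerprint.
            (primary if owner == "pub" else subkey).add(fields[9])
            owner = None
    return primary, subkey


def check_id(key_id, listing):
    """Classify an id: 'primary', 'subkey', 'absent' or 'not-full-fingerprint'."""
    wanted = normalize_id(key_id)
    if not FULL_FPR.fullmatch(wanted):
        return "not-full-fingerprint"  # short ids can collide
    primary, subkey = parse_fingerprints(listing)
    if wanted in primary:
        return "primary"
    if wanted in subkey:
        return "subkey"  # apt-key cannot remove a key via a subkey id
    return "absent"
```

A result of 'subkey' or 'not-full-fingerprint' means the value should be replaced with the primary key's 40-character fingerprint before it is used as the id parameter.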

Examples

- name: One way to avoid apt_key once it is removed from your distro, armored keys should use .asc extension, binary should use .gpg
  block:
    - name: somerepo | no apt key
      ansible.builtin.get_url:
        url: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x36a1d7869245c8950f966e92d8576a8ba88d21e9
        dest: /etc/apt/keyrings/myrepo.asc
        checksum: sha256:bb42f0db45d46bab5f9ec619e1a47360b94c27142e57aa71f7050d08672309e0

    - name: somerepo | apt source
      ansible.builtin.apt_repository:
        repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/myrepo.asc] https://download.example.com/linux/ubuntu {{ ansible_distribution_release }} stable"
        state: present

- name: Add an apt key by id from a keyserver
  ansible.builtin.apt_key:
    keyserver: keyserver.ubuntu.com
    id: 36A1D7869245C8950F966E92D8576A8BA88D21E9

- name: Add an Apt signing key, uses whichever key is at the URL
  ansible.builtin.apt_key:
    url: https://ftp-master.debian.org/keys/archive-key-6.0.asc
    state: present

- name: Add an Apt signing key, will not download if present
  ansible.builtin.apt_key:
    id: 9FED2BCBDCD29CDF762678CBAED4B06F473041FA
    url: https://ftp-master.debian.org/keys/archive-key-6.0.asc
    state: present

- name: Remove a specific Apt signing key, leading 0x is valid
  ansible.builtin.apt_key:
    id: 0x9FED2BCBDCD29CDF762678CBAED4B06F473041FA
    state: absent

# Use armored file since utf-8 string is expected. Must be of "PGP PUBLIC KEY BLOCK" type.
- name: Add a key from a file on the Ansible server
  ansible.builtin.apt_key:
    data: "{{ lookup('ansible.builtin.file', 'apt.asc') }}"
    state: present

- name: Add an Apt signing key to a specific keyring file
  ansible.builtin.apt_key:
    id: 9FED2BCBDCD29CDF762678CBAED4B06F473041FA
    url: https://ftp-master.debian.org/keys/archive-key-6.0.asc
    keyring: /etc/apt/trusted.gpg.d/debian.gpg

- name: Add Apt signing key on remote server to keyring
  ansible.builtin.apt_key:
    id: 9FED2BCBDCD29CDF762678CBAED4B06F473041FA
    file: /tmp/apt.gpg
    state: present

Return Values

| Key | Data Type | Description | Returned |
|---|---|---|---|
| after | list | List of apt key ids or fingerprints after any modification | on change |
| before | list | List of apt key ids or fingerprints before any modifications | always |
| fp | str | Fingerprint of the key to import | always |
| id | str | key id from source | always |
| key_id | str | calculated key id, it should be same as 'id', but can be different | always |
| short_id | str | calculated short key id | always |

Authors

  • Jayson Vantuyl (@jvantuyl)