ansible.builtin.apt_key module – Add or remove an apt key
Note
This module is part of ansible-core and included in all Ansible installations. In most cases, you can use the short module name apt_key even without specifying the collections keyword. However, we recommend you use the Fully Qualified Collection Name (FQCN) ansible.builtin.apt_key for easy linking to the module documentation and to avoid conflicting with other collections that may have the same module name.
DEPRECATED
- Removed in: version 2.25
- Why: The ansible.builtin.apt_key module is deprecated in favor of the ansible.builtin.deb822_repository module.
- Alternative: ansible.builtin.deb822_repository
Synopsis
Add or remove an apt key, optionally downloading it.
Requirements
The below requirements are needed on the host that executes this module.
gpg
Parameters
Parameter |
Comments |
|---|---|
The keyfile contents to add to the keyring. |
|
The path to a keyfile on the remote server to add to the keyring. |
|
The identifier of the key. Including this allows check mode to correctly report the changed state. If specifying a subkey’s id be aware that apt-key does not understand how to remove keys via a subkey id. Specify the primary key’s id instead. This parameter is required when |
|
The full path to specific keyring file in |
|
The keyserver to retrieve key from. |
|
Ensures that the key is present (added) or absent (revoked). Choices:
|
|
The URL to retrieve key from. |
|
If Choices:
|
Attributes
Attribute |
Support |
Description |
|---|---|---|
Support: full |
Can run in check_mode and return changed status prediction without modifying target, if not supported the action will be skipped. |
|
Support: none |
Will return details on what has changed (or possibly needs changing in check_mode), when in diff mode |
|
Platform: debian |
Target OS/families that can be operated against |
Notes
Note
- The apt-key command used by this module has been deprecated. See the Debian wiki for details. This module is kept for backwards compatibility for systems that still use apt-key as the main way to manage apt repository keys.
- As a sanity check, downloaded key id must match the one specified.
- Use full fingerprint (40 characters) key ids to avoid key collisions. To generate a full-fingerprint imported key: apt-key adv --list-public-keys --with-fingerprint --with-colons.
- If you specify both the key id and the url with state=present, the task can verify or add the key as needed.
- Adding a new key requires an apt cache update (e.g. using the ansible.builtin.apt module’s update_cache option).
- The apt-key utility has been deprecated and removed in modern Debian versions; use ansible.builtin.deb822_repository as an alternative to ansible.builtin.apt_repository + apt_key combinations.
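The key id checks described in these notes, as an added example (not code from the apt_key module): it parses a constructed `--with-colons` listing and classifies a requested id, flagging short ids that match more than one key and ids that belong to a subkey. The function names and the sample listing are assumptions made for illustration.

```python
import re

# Constructed `--with-colons` listing (not real keyring output): two primary
# keys sharing the short id 473041FA; the first key also has one subkey.
SAMPLE = """\
pub:-:4096:1:AED4B06F473041FA:1282940623:::-:::scSC:
fpr:::::::::9FED2BCBDCD29CDF762678CBAED4B06F473041FA:
sub:-:4096:1:1111222233334444:1282940623::::::e:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111222233334444:
pub:-:2048:1:00000000473041FA:1400000000:::-:::scSC:
fpr:::::::::0123456789ABCDEF0123456700000000473041FA:
"""

def parse_colons(listing):
    """Return [(fingerprint, is_primary)] from gpg colon-format records."""
    keys, owner = [], None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            owner = fields[0]          # the next fpr record belongs to this key
        elif fields[0] == "fpr" and owner and len(fields) > 9:
            keys.append((fields[9].upper(), owner == "pub"))  # field 10 = fingerprint
            owner = None
    return keys

def normalize_id(key_id):
    """Upper-case, strip an optional 0x prefix, require 8/16/40 hex chars."""
    key_id = key_id.strip().upper()
    if key_id.startswith("0X"):
        key_id = key_id[2:]
    if not re.fullmatch(r"[0-9A-F]+", key_id) or len(key_id) not in (8, 16, 40):
        raise ValueError("key id must be 8, 16 or 40 hex characters")
    return key_id

def check_id(key_id, listing):
    """Return 'ok', 'missing', 'ambiguous', 'not-full-fingerprint' or 'subkey'."""
    wanted = normalize_id(key_id)
    hits = [k for k in parse_colons(listing) if k[0].endswith(wanted)]
    if not hits:
        return "missing"
    if len(hits) > 1:
        return "ambiguous"             # a short id matched several keys
    if len(wanted) != 40:
        return "not-full-fingerprint"  # unique today, but still collidable
    return "ok" if hits[0][1] else "subkey"  # apt-key cannot remove by subkey id
```

Only the `ok` result corresponds to the form the notes recommend: a full 40-character fingerprint of a primary key.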
See Also
See also
- ansible.builtin.deb822_repository
Add and remove deb822 formatted repositories.
Examples
- name: One way to avoid apt_key once it is removed from your distro, armored keys should use .asc extension, binary should use .gpg
  block:
    - name: somerepo | no apt key
      ansible.builtin.get_url:
        url: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x36a1d7869245c8950f966e92d8576a8ba88d21e9
        dest: /etc/apt/keyrings/myrepo.asc
        checksum: sha256:bb42f0db45d46bab5f9ec619e1a47360b94c27142e57aa71f7050d08672309e0

    - name: somerepo | apt source
      ansible.builtin.apt_repository:
        repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/myrepo.asc] https://download.example.com/linux/ubuntu {{ ansible_distribution_release }} stable"
        state: present

- name: Add an apt key by id from a keyserver
  ansible.builtin.apt_key:
    keyserver: keyserver.ubuntu.com
    id: 36A1D7869245C8950F966E92D8576A8BA88D21E9

- name: Add an Apt signing key, uses whichever key is at the URL
  ansible.builtin.apt_key:
    url: https://ftp-master.debian.org/keys/archive-key-6.0.asc
    state: present

- name: Add an Apt signing key, will not download if present
  ansible.builtin.apt_key:
    id: 9FED2BCBDCD29CDF762678CBAED4B06F473041FA
    url: https://ftp-master.debian.org/keys/archive-key-6.0.asc
    state: present

- name: Remove an Apt specific signing key, leading 0x is valid
  ansible.builtin.apt_key:
    id: 0x9FED2BCBDCD29CDF762678CBAED4B06F473041FA
    state: absent

# Use armored file since utf-8 string is expected. Must be of "PGP PUBLIC KEY BLOCK" type.
- name: Add a key from a file on the Ansible server
  ansible.builtin.apt_key:
    data: "{{ lookup('ansible.builtin.file', 'apt.asc') }}"
    state: present

- name: Add an Apt signing key to a specific keyring file
  ansible.builtin.apt_key:
    id: 9FED2BCBDCD29CDF762678CBAED4B06F473041FA
    url: https://ftp-master.debian.org/keys/archive-key-6.0.asc
    keyring: /etc/apt/trusted.gpg.d/debian.gpg

- name: Add Apt signing key on remote server to keyring
  ansible.builtin.apt_key:
    id: 9FED2BCBDCD29CDF762678CBAED4B06F473041FA
    file: /tmp/apt.gpg
    state: present
Return Values
Common return values are documented here; the following are the fields unique to this module:
Key |
Description |
|---|---|
List of apt key ids or fingerprints after any modification Returned: on change Sample: |
|
List of apt key ids or fingerprints before any modifications Returned: always Sample: |
|
Fingerprint of the key to import Returned: always Sample: |
|
key id from source Returned: always Sample: |
|
calculated key id, it should be same as ‘id’, but can be different Returned: always Sample: |
|
calculated short key id Returned: always Sample: |
Status
This module will be removed in version 2.25. [deprecated]
For more information see DEPRECATED.