The centralized system keyring for apt was deprecated starting in Ubuntu 21, and is being replaced with an explicit path to the local gpg key in the ‘signed-by’ attribute.
I have written more extensive articles on this subject [here, here], but from an Ansible perspective it comes down to two things: downloading the gpg key to '/usr/share/keyrings' with the proper permissions, and adding the 'signed-by' attribute to the repo definition.
Here is an example of creating the custom apt repo for Google (which supplies the gcloud and kubectl packages).
```yaml
# save gpg key locally
- name: get google key, save in /usr/share/keyrings for newer apt deb syntax
  get_url:
    url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
    dest: /usr/share/keyrings/google.gpg
    # world-readable, root-writable only; a writable keyring would let any local user replace the trust anchor
    mode: 0644

# add custom apt repo with 'signed-by' referring to gpg key
# (options inside the square brackets are space separated)
- name: add google apt repository
  apt_repository:
    repo: "deb [arch=amd64 signed-by=/usr/share/keyrings/google.gpg] https://packages.cloud.google.com/apt cloud-sdk main"
    state: present
    filename: google-cloud-sdk
    update_cache: yes
    mode: 0644
    # disables TLS certificate validation for this module's own fetches; the get_url task above keeps the default (validated)
    validate_certs: no
```
Notice we are saving the gpg key to '/usr/share/keyrings/google.gpg' instead of using the deprecated method of adding it to the centralized keyring with "apt-key add".
As another example, here is a custom Helm3 repo where the gpg key is not binary, but is instead ASCII-armored.
```yaml
# save ASCII-armored gpg key locally (note the .asc extension)
- name: get helm3 key, save in /usr/share/keyrings for newer apt deb syntax
  get_url:
    url: https://baltocdn.com/helm/signing.asc
    dest: /usr/share/keyrings/helm3.asc
    # world-readable, root-writable only
    mode: 0644

# add custom apt repo with 'signed-by' referring to gpg key
- name: add helm3 apt repository
  apt_repository:
    repo: "deb [arch=amd64 signed-by=/usr/share/keyrings/helm3.asc] https://baltocdn.com/helm/stable/debian/ all main"
    state: present
    filename: helm3
    update_cache: yes
    mode: 0644
    validate_certs: false
```
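Once a play like the two above has run, it is worth checking the result on the host rather than trusting the task output. The script below is an added example, not code from the article or the linked repository: it audits an apt sources file written in the 'signed-by' style, and for every 'deb' line verifies that a signed-by keyring is named, that the file exists, that it is not writable by group or others (a writable keyring lets any local user swap in their own signing key), and that an ASCII-armored key is named .asc while a binary keyring is named .gpg, the convention the two playbooks follow. The repository URLs are the ones from the article; the keyring files and sources lists are constructed fixtures with placeholder contents so the script runs offline, and it assumes a userland where `mktemp -d` and `head -c` are available (GNU or BSD).

```shell
#!/bin/sh
# Added example, not code from the original article: audit an apt sources
# file that uses the 'signed-by' syntax the tasks above produce.

# Return 0 when every deb line in $1 passes, 1 otherwise; reasons go to stderr.
check_sources_file() {
    file="$1"
    rc=0
    while IFS= read -r line; do
        case "$line" in
            "deb "*|"deb-src "*) ;;   # only repository definitions matter
            *) continue ;;
        esac
        # the options block is the text between '[' and ']', if present
        opts=$(printf '%s\n' "$line" | sed -n 's/^[^[]*\[\([^]]*\)\].*/\1/p')
        keyring=""
        for opt in $opts; do            # options are space separated
            case "$opt" in
                signed-by=*) keyring="${opt#signed-by=}" ;;
            esac
        done
        if [ -z "$keyring" ]; then
            echo "FAIL: no signed-by option: $line" >&2
            rc=1; continue
        fi
        if [ ! -f "$keyring" ]; then
            echo "FAIL: keyring missing: $keyring" >&2
            rc=1; continue
        fi
        # columns 6 and 9 of 'ls -l' are the group and other write bits
        perms=$(ls -ld "$keyring" | cut -c1-10)
        case "$perms" in
            ?????w????|????????w?)
                echo "FAIL: keyring writable by group/other ($perms): $keyring" >&2
                rc=1; continue ;;
        esac
        # armored keys start with the PGP header and belong in a .asc file;
        # binary keyrings belong in a .gpg file
        armored=0
        head -c 14 "$keyring" | grep -q '^-----BEGIN PGP' && armored=1
        case "$keyring:$armored" in
            *.gpg:1|*.asc:0)
                echo "FAIL: key format does not match extension: $keyring" >&2
                rc=1; continue ;;
        esac
        echo "OK: $line"
    done < "$file"
    return $rc
}

# --- constructed fixtures (placeholder contents, not real key material) -----
WORK=$(mktemp -d)
mkdir -p "$WORK/keyrings"
printf 'binary placeholder\n' > "$WORK/keyrings/google.gpg"
printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' 'placeholder' \
    '-----END PGP PUBLIC KEY BLOCK-----' > "$WORK/keyrings/helm3.asc"
cp "$WORK/keyrings/google.gpg" "$WORK/keyrings/loose.gpg"   # same key, wrong mode
cp "$WORK/keyrings/helm3.asc" "$WORK/keyrings/armored.gpg"  # armored key mislabelled
chmod 0644 "$WORK/keyrings/google.gpg" "$WORK/keyrings/helm3.asc" "$WORK/keyrings/armored.gpg"
chmod 0666 "$WORK/keyrings/loose.gpg"   # what a 'ugo+rw' mode would produce

GOOD="$WORK/good.list"
cat > "$GOOD" <<EOF
deb [arch=amd64 signed-by=$WORK/keyrings/google.gpg] https://packages.cloud.google.com/apt cloud-sdk main
deb [arch=amd64 signed-by=$WORK/keyrings/helm3.asc] https://baltocdn.com/helm/stable/debian/ all main
EOF

BAD="$WORK/bad.list"
cat > "$BAD" <<EOF
deb [arch=amd64 signed-by=$WORK/keyrings/loose.gpg] https://packages.cloud.google.com/apt cloud-sdk main
deb [arch=amd64] https://packages.cloud.google.com/apt cloud-sdk main
deb [signed-by=$WORK/keyrings/missing.gpg] https://baltocdn.com/helm/stable/debian/ all main
deb [signed-by=$WORK/keyrings/armored.gpg] https://baltocdn.com/helm/stable/debian/ all main
EOF

check_sources_file "$GOOD" && echo "good.list: all repositories pass"
check_sources_file "$BAD" || echo "bad.list: problems found (expected)"
```

On a real host, point `check_sources_file` at the files the plays write, `/etc/apt/sources.list.d/google-cloud-sdk.list` and `/etc/apt/sources.list.d/helm3.list`, and it will report each repository line as OK or FAIL with the reason.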
Full examples of these Ansible files can be found on GitHub at gcloud-apt/tasks/main.yaml and helm3-apt/tasks/main.yaml.
This article was tested using Ansible 2.12.0; older versions of Ansible may not understand the square-bracketed attributes used in the 'apt_repository' module.