Handle apt_key deprecation

Ubuntu has deprecated apt-key, and since Ubuntu 22 it outputs deprecation warnings. The warnings can be removed by cleaning up the keys with these steps:

    # Get the list of available keys in deprecated storage
    apt-key list

    # Take the last 8 hex characters of the key fingerprint and move that key
    apt-key export HASH | sudo gpg --dearmour -o /usr/share/keyrings/NAME.gpg

    # Add the signed-by info to the repo entry in its list file:
    #   [signed-by=/usr/share/keyrings/NAME.gpg]

    # Verify that it works and then delete the key from deprecated storage
    sudo apt-key del HASH

However, the next Ansible run that uses apt_repository brings back the old line, which then causes a failure about conflicting keys.

Ideally, we should update all Ansible roles to use a more explicit method, which first downloads the key and then uses that in the apt repo list. Something like this:

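    # apt only reads binary keyrings from .gpg files; if the downloaded key
    # is ASCII-armored, save it with an .asc extension or dearmor it first.
    - name: Download key
      get_url:
        url: https://download.example.com/linux/ubuntu/gpg
        dest: /usr/share/keyrings/NAME.gpg
        mode: "0644"  # readable by apt, writable only by root

    - name: Add repo
      apt_repository:
        repo: "deb [arch=amd64 signed-by=/usr/share/keyrings/NAME.gpg] https://download.example.com/linux/ubuntu {{ ansible_distribution_release }} stable"
        state: present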
Edited by jurgenhaas
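
To find hosts where an Ansible run has re-added the old line next to the migrated one, the check below reports every source that is listed with differing signed-by values. It is an added example, not part of the original issue or of any Ansible role; it handles only one-line `.list` entries, assumes that a conflict is keyed on URI plus suite, and uses constructed file names and contents as sample input.

```python
import re
from collections import defaultdict

# One-line apt source entry: type, optional [options], URI, suite, components.
ENTRY = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)")

def parse_entry(line):
    """Return (uri, suite, signed_by) for an active entry, else None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None  # comment, blank line or unsupported format
    _type, opts, uri, suite = m.groups()
    options = dict(o.split("=", 1) for o in (opts or "").split() if "=" in o)
    # An entry without signed-by relies on the deprecated key storage.
    return uri.rstrip("/"), suite, options.get("signed-by")

def find_conflicts(files):
    """files: {path: text}. Return sources listed with differing signed-by."""
    seen = defaultdict(dict)  # (uri, suite) -> {signed_by: [locations]}
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            entry = parse_entry(line)
            if entry:
                uri, suite, signed_by = entry
                seen[(uri, suite)].setdefault(signed_by, []).append(f"{path}:{lineno}")
    return {src: vals for src, vals in seen.items() if len(vals) > 1}

# Constructed sample: the migrated entry, the old line brought back by a later
# Ansible run (hypothetical file name), and an unrelated repository.
SAMPLE = {
    "/etc/apt/sources.list.d/example.list":
        "deb [arch=amd64 signed-by=/usr/share/keyrings/NAME.gpg] "
        "https://download.example.com/linux/ubuntu jammy stable\n",
    "/etc/apt/sources.list.d/download_example_com_linux_ubuntu.list":
        "deb [arch=amd64] https://download.example.com/linux/ubuntu jammy stable\n",
    "/etc/apt/sources.list":
        "# deb http://archive.example.org/ubuntu jammy main\n"
        "deb http://archive.example.org/ubuntu jammy main\n",
}

if __name__ == "__main__":
    for (uri, suite), vals in find_conflicts(SAMPLE).items():
        print(f"conflicting signed-by for {uri} {suite}:")
        for signed_by, where in vals.items():
            print(f"  signed-by={signed_by or '(none)'} in {', '.join(where)}")
```

On a real host, build the `files` mapping from `/etc/apt/sources.list` and the `*.list` files under `/etc/apt/sources.list.d/`.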