Handle apt_key deprecation
Ubuntu has deprecated apt_key, and since Ubuntu 22 this outputs deprecation warnings. They can be removed by cleaning up the keys with these steps:
```
# Get the list of available keys in deprecated storage
apt-key list
# Take the last 8 bytes from the key hash and move that key
apt-key export HASH | sudo gpg --dearmour -o /usr/share/keyrings/NAME.gpg
# Add the signed-by info to the list file
[signed-by=/usr/share/keyrings/NAME.gpg]
# Verify that it works and then delete the key from deprecated storage
sudo apt-key del HASH
```
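The "add the signed-by info to the list file" step is the one most easily done wrong by hand, so here is an added example (not part of the original notes) that rewrites one-line-style `deb`/`deb-src` entries to carry the option. The function name `add_signed_by` is hypothetical, and the sample lines in the demo are constructed.

```shell
#!/bin/sh
# Added example: insert signed-by=KEYRING into one-line-style APT source entries.
# Usage: add_signed_by /usr/share/keyrings/NAME.gpg < old.list > new.list
add_signed_by() {
    awk -v kr="$1" '
    # Comments, blank lines and anything that is not an active entry pass through.
    $1 != "deb" && $1 != "deb-src" { print; next }
    {
        type = $1
        rest = $0
        sub(/^[ \t]*(deb-src|deb)[ \t]+/, "", rest)
        if (substr(rest, 1, 1) == "[") {
            close_idx = index(rest, "]")
            if (close_idx == 0) { print; next }      # malformed options: leave as-is
            opts = substr(rest, 2, close_idx - 2)
            tail = substr(rest, close_idx + 1)
            sub(/^[ \t]+/, "", tail)
            # An entry that already names a keyring is left untouched.
            if (opts ~ /(^|[ \t])signed-by=/) { print; next }
            gsub(/^[ \t]+|[ \t]+$/, "", opts)
            opts = (opts == "" ? "" : opts " ") "signed-by=" kr
        } else {
            # No option block yet: create one.
            opts = "signed-by=" kr
            tail = rest
        }
        print type " [" opts "] " tail
    }'
}

# Demo on constructed input (not taken from a real system).
add_signed_by /usr/share/keyrings/NAME.gpg <<'EOF'
# Example vendor repo
deb https://download.example.com/linux/ubuntu jammy stable
deb [arch=amd64] https://download.example.com/linux/ubuntu jammy stable
deb [arch=amd64 signed-by=/usr/share/keyrings/OTHER.gpg] https://download.example.com/linux/ubuntu jammy stable
EOF
```

Write the output to a temporary file and diff it against the original list file before replacing it, then run `apt-get update` to confirm the repository still verifies.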
However, the next Ansible run that uses apt_repository brings back the old line, which then causes a failure about conflicting keys.
Ideally, we should update all Ansible roles to use a more explicit method, which first downloads the key and then uses that in the apt repo list. Something like this:
```yaml
- name: Download key
  get_url:
    url: https://download.example.com/linux/ubuntu/gpg
    dest: /usr/share/keyrings/NAME.gpg

- name: Add repo
  apt_repository:
    repo: "deb [arch=amd64 signed-by=/usr/share/keyrings/NAME.gpg] https://download.example.com/linux/ubuntu {{ ansible_distribution_release }} stable"
    state: present
```