W3cubDocs

apt_key – Add or remove an apt key

Synopsis
Requirements
Parameters
Notes
Examples
Status

Synopsis

Add or remove an apt key, optionally downloading it.

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter	Choices/Defaults	Comments
data -		The keyfile contents to add to the keyring.
file -		The path to a keyfile on the remote server to add to the keyring.
id -		The identifier of the key. Including this allows check mode to correctly report the changed state. If specifying a subkey's id be aware that apt-key does not understand how to remove keys via a subkey id. Specify the primary key's id instead. This parameter is required when `state` is set to `absent`.
keyring -		The full path to specific keyring file in /etc/apt/trusted.gpg.d/
keyserver -		The keyserver to retrieve key from.
state -	Choices: absent present ←	Ensures that the key is present (added) or absent (revoked).
url -		The URL to retrieve key from.
validate_certs boolean	Choices: no yes ←	If `no`, SSL certificates for the target url will not be validated. This should only be used on personally controlled sites using self-signed certificates.

Notes

Note

Doesn’t download the key unless it really needs it.
As a sanity check, downloaded key id must match the one specified.
Use full fingerprint (40 characters) key ids to avoid key collisions. To generate a full-fingerprint imported key: apt-key adv --list-public-keys --with-fingerprint --with-colons.
If you specify both the key id and the URL with state=present, the task can verify or add the key as needed.
Adding a new key requires an apt cache update (e.g. using the apt module’s update_cache option)

Examples

- name: Add an apt key by id from a keyserver
  apt_key:
    keyserver: keyserver.ubuntu.com
    id: 36A1D7869245C8950F966E92D8576A8BA88D21E9

- name: Add an Apt signing key, uses whichever key is at the URL
  apt_key:
    url: https://ftp-master.debian.org/keys/archive-key-6.0.asc
    state: present

- name: Add an Apt signing key, will not download if present
  apt_key:
    id: 9FED2BCBDCD29CDF762678CBAED4B06F473041FA
    url: https://ftp-master.debian.org/keys/archive-key-6.0.asc
    state: present

- name: Remove a Apt specific signing key, leading 0x is valid
  apt_key:
    id: 0x9FED2BCBDCD29CDF762678CBAED4B06F473041FA
    state: absent

# Use armored file since utf-8 string is expected. Must be of "PGP PUBLIC KEY BLOCK" type.
- name: Add a key from a file on the Ansible server.
  apt_key:
    data: "{{ lookup('file', 'apt.asc') }}"
    state: present

- name: Add an Apt signing key to a specific keyring file
  apt_key:
    id: 9FED2BCBDCD29CDF762678CBAED4B06F473041FA
    url: https://ftp-master.debian.org/keys/archive-key-6.0.asc
    keyring: /etc/apt/trusted.gpg.d/debian.gpg

- name: Add Apt signing key on remote server to keyring
  apt_key:
    id: 9FED2BCBDCD29CDF762678CBAED4B06F473041FA
    file: /tmp/apt.gpg
    state: present

Status

This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by the Ansible Core Team. [core]

Red Hat Support

More information about Red Hat’s support of this module is available from this Red Hat Knowledge Base article.

Authors

Jayson Vantuyl (@jvantuyl)

Hint

If you notice any issues in this documentation, you can edit this document to improve it.

© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.9/modules/apt_key_module.html