From 5adcaf45384771360b113b1b8ddb66f98b6fbe53 Mon Sep 17 00:00:00 2001
From: julianladisch
Date: Fri, 14 Sep 2018 21:50:46 +0200
Subject: [PATCH] Suggest full fingerprint for apt_key. (#44697)
* Suggest full fingerprint for apt_key.
Background: https://gwolf.org/node/4070 (Gunnar Wolf: Stop it with those short PGP key IDs!)
I've put the full fingerprint into the examples.
* avoids the phrase 'best practice'
---
 lib/ansible/modules/packaging/os/apt_key.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/lib/ansible/modules/packaging/os/apt_key.py b/lib/ansible/modules/packaging/os/apt_key.py
index 11c1ac5656b..137404ec701 100644
--- a/lib/ansible/modules/packaging/os/apt_key.py
+++ b/lib/ansible/modules/packaging/os/apt_key.py
@@ -25,7 +25,9 @@ description:
 notes:
 - Doesn't download the key unless it really needs it.
 - As a sanity check, downloaded key id must match the one specified.
- - Best practice is to specify the key id and the URL.
+ - "Use full fingerprint (40 characters) key ids to avoid key collisions.
+ To generate a full-fingerprint imported key: C(apt-key adv --list-public-keys --with-fingerprint --with-colons)."
+ - If you specify both the key id and the URL with C(state=present), the task can verify or add the key as needed.
 - Adding a new key requires an apt cache update (e.g. using the apt module's update_cache option)
 options:
 id:
@@ -77,13 +79,13 @@ EXAMPLES = '''
 - name: Add an Apt signing key, will not download if present
 apt_key:
- id: 473041FA
+ id: 9FED2BCBDCD29CDF762678CBAED4B06F473041FA
 url: https://ftp-master.debian.org/keys/archive-key-6.0.asc
 state: present
 - name: Remove a Apt specific signing key, leading 0x is valid
 apt_key:
- id: 0x473041FA
+ id: 0x9FED2BCBDCD29CDF762678CBAED4B06F473041FA
 state: absent
 # Use armored file since utf-8 string is expected. Must be of "PGP PUBLIC KEY BLOCK" type.
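Review bot: The new note's recipe `To generate a full-fingerprint imported key: C(apt-key adv --list-public-keys --with-fingerprint --with-colons)` is misleading: that command only lists fingerprints of keys already in the trusted keyring, so it cannot give a playbook author the value to pin before the key is imported, and reading the fingerprint off the same download you are about to trust verifies nothing. I would reword it to `To find the full fingerprint of a key before importing it, run C(gpg --with-fingerprint) on the downloaded key file and compare the value against one published out of band by the repository operator (its documentation or the distribution's keyring package); C(apt-key adv --list-public-keys --with-fingerprint --with-colons) shows the fingerprints of keys that are already imported.` The collision argument also only holds if the module's sanity check compares the whole 40-character value rather than a truncated suffix; the comparison code is outside this hunk, so that is worth confirming and stating in the note. The notes list belongs to the DOCUMENTATION string, which starts and ends outside the hunk.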
@@ -94,13 +96,13 @@ EXAMPLES = '''
 - name: Add an Apt signing key to a specific keyring file
 apt_key:
- id: 473041FA
+ id: 9FED2BCBDCD29CDF762678CBAED4B06F473041FA
 url: https://ftp-master.debian.org/keys/archive-key-6.0.asc
 keyring: /etc/apt/trusted.gpg.d/debian.gpg
 - name: Add Apt signing key on remote server to keyring
 apt_key:
- id: 473041FA
+ id: 9FED2BCBDCD29CDF762678CBAED4B06F473041FA
 file: /tmp/apt.gpg
 state: present
 '''
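Review bot: The `file: /tmp/apt.gpg` example stages the key in a world-writable directory, where any local user can swap the file between the copy and the import; the full fingerprint the hunk now pins is the only thing that would let such a substitution be rejected, and only if the module applies to `file:` the same id check it documents for downloaded keys, which cannot be confirmed from this hunk. I would add a comment above that example, e.g. `# Always pass the full fingerprint with file: — the id check is what rejects a key tampered with in a shared directory like /tmp`, or move the example to a root-owned staging path. The EXAMPLES string starts outside the hunk.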