From 5adcaf45384771360b113b1b8ddb66f98b6fbe53 Mon Sep 17 00:00:00 2001
From: julianladisch <julianladisch@users.noreply.github.com>
Date: Fri, 14 Sep 2018 21:50:46 +0200
Subject: [PATCH] Suggest full fingerprint for apt_key. (#44697)

* Suggest full fingerprint for apt_key.
Background: https://gwolf.org/node/4070 (Gunnar Wolf: Stop it with those short PGP key IDs!)
I've put the full fingerprint into the examples.
* avoids the phrase 'best practice'
---
 lib/ansible/modules/packaging/os/apt_key.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/lib/ansible/modules/packaging/os/apt_key.py b/lib/ansible/modules/packaging/os/apt_key.py
index 11c1ac5656b..137404ec701 100644
--- a/lib/ansible/modules/packaging/os/apt_key.py
+++ b/lib/ansible/modules/packaging/os/apt_key.py
@@ -25,7 +25,9 @@ description:
 notes:
     - Doesn't download the key unless it really needs it.
     - As a sanity check, downloaded key id must match the one specified.
-    - Best practice is to specify the key id and the URL.
+    - "Use full fingerprint (40 characters) key ids to avoid key collisions.
+      To generate a full-fingerprint imported key: C(apt-key adv --list-public-keys --with-fingerprint --with-colons)."
+    - If you specify both the key id and the URL with C(state=present), the task can verify or add the key as needed.
     - Adding a new key requires an apt cache update (e.g. using the apt module's update_cache option)
 options:
     id:
@@ -77,13 +79,13 @@ EXAMPLES = '''
 
 - name: Add an Apt signing key, will not download if present
   apt_key:
-    id: 473041FA
+    id: 9FED2BCBDCD29CDF762678CBAED4B06F473041FA
     url: https://ftp-master.debian.org/keys/archive-key-6.0.asc
     state: present
 
 - name: Remove a Apt specific signing key, leading 0x is valid
   apt_key:
-    id: 0x473041FA
+    id: 0x9FED2BCBDCD29CDF762678CBAED4B06F473041FA
     state: absent
 
 # Use armored file since utf-8 string is expected. Must be of "PGP PUBLIC KEY BLOCK" type.
@@ -94,13 +96,13 @@ EXAMPLES = '''
 
 - name: Add an Apt signing key to a specific keyring file
   apt_key:
-    id: 473041FA
+    id: 9FED2BCBDCD29CDF762678CBAED4B06F473041FA
     url: https://ftp-master.debian.org/keys/archive-key-6.0.asc
     keyring: /etc/apt/trusted.gpg.d/debian.gpg
 
 - name: Add Apt signing key on remote server to keyring
   apt_key:
-    id: 473041FA
+    id: 9FED2BCBDCD29CDF762678CBAED4B06F473041FA
     file: /tmp/apt.gpg
     state: present
 '''