diff --git a/ansible/roles/minitwit/tasks/main.yml b/ansible/roles/minitwit/tasks/main.yml
index 253776b..78baaaa 100644
--- a/ansible/roles/minitwit/tasks/main.yml
+++ b/ansible/roles/minitwit/tasks/main.yml
@@ -30,31 +30,31 @@
 mode: '0750'
 become: true
-- name: Download and dearmor Docker GPG key
+- name: Download Docker GPG key (new signing key)
 ansible.builtin.shell: |
- curl -fsSL https://download.docker.com/linux/ubuntu/gpg | \
- gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+ curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /tmp/docker.gpg.raw
+ gpg --dearmor < /tmp/docker.gpg.raw > /etc/apt/keyrings/docker.gpg
 chmod 0644 /etc/apt/keyrings/docker.gpg
+ rm -f /tmp/docker.gpg.raw
 become: true
 changed_when: true
-- name: Verify Docker GPG key is valid
- ansible.builtin.shell: |
- gpg --no-default-keyring \
- --keyring /etc/apt/keyrings/docker.gpg \
- --list-keys
- become: true
- register: gpg_check
- changed_when: false
-
-- name: Show GPG key info
- ansible.builtin.debug:
- var: gpg_check.stdout
-
-- name: Add Docker repository
+- name: Add Docker repository with signed-by
 ansible.builtin.apt_repository:
 repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu {{ ansible_facts['distribution_release'] }} stable"
 state: present
+ filename: docker
+ update_cache: no
+ become: true
+
+- name: Trust Docker key in apt keyring directly
+ ansible.builtin.shell: |
+ apt-key add /etc/apt/keyrings/docker.gpg
+ become: true
+ changed_when: true
+
+- name: Update apt cache
+ ansible.builtin.apt:
 update_cache: yes
 become: true
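Review bot: The new `Trust Docker key in apt keyring directly` task undoes the scoping that `signed-by=` in the `Add Docker repository with signed-by` task provides: `apt-key add` imports the key into apt's globally trusted keyring, so it is accepted as a signer for every configured repository rather than only Docker's, and `apt-key` is deprecated and slated for removal, so the play will also start failing on newer releases. Since the repository line already references `signed-by=/etc/apt/keyrings/docker.gpg`, the task is redundant and should be dropped. In the download task the script's exit status is now that of the final `rm -f`, which always succeeds, so a failed `curl` or `gpg --dearmor` leaves an empty or garbage keyring while the task still reports success; start the block with `set -e`. Writing the raw key to the predictable, world-writable path `/tmp/docker.gpg.raw` as root is also avoidable — use a `mktemp`-created file or a root-owned directory (or `ansible.builtin.get_url`) instead, and consider comparing the downloaded key's fingerprint against Docker's published one (`<DOCKER_KEY_FINGERPRINT>` as a placeholder) before installing it, since the removed `Verify Docker GPG key is valid` task only listed the key and the new version checks nothing.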