From f51d02d81ce9564758695a863a9f53dd8c16ff3f Mon Sep 17 00:00:00 2001
From: Mikkel Clausen
Date: Fri, 1 May 2026 23:08:17 +0200
Subject: [PATCH] Refactor Docker GPG key handling: download, dearmor, and trust key in apt keyring
Co-authored-by: Claude
---
 ansible/roles/minitwit/tasks/main.yml | 34 +++++++++++++----------------
 1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/ansible/roles/minitwit/tasks/main.yml b/ansible/roles/minitwit/tasks/main.yml
index 253776b..78baaaa 100644
--- a/ansible/roles/minitwit/tasks/main.yml
+++ b/ansible/roles/minitwit/tasks/main.yml
@@ -30,31 +30,31 @@
   mode: '0750'
   become: true
 
-- name: Download and dearmor Docker GPG key
+- name: Download Docker GPG key (new signing key)
   ansible.builtin.shell: |
-    curl -fsSL https://download.docker.com/linux/ubuntu/gpg | \
-    gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+    curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /tmp/docker.gpg.raw
+    gpg --dearmor < /tmp/docker.gpg.raw > /etc/apt/keyrings/docker.gpg
     chmod 0644 /etc/apt/keyrings/docker.gpg
+    rm -f /tmp/docker.gpg.raw
   become: true
   changed_when: true
 
-- name: Verify Docker GPG key is valid
-  ansible.builtin.shell: |
-    gpg --no-default-keyring \
-      --keyring /etc/apt/keyrings/docker.gpg \
-      --list-keys
-  become: true
-  register: gpg_check
-  changed_when: false
-
-- name: Show GPG key info
-  ansible.builtin.debug:
-    var: gpg_check.stdout
-
-- name: Add Docker repository
+- name: Add Docker repository with signed-by
   ansible.builtin.apt_repository:
     repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu {{ ansible_facts['distribution_release'] }} stable"
     state: present
+    filename: docker
+    update_cache: no
+  become: true
+
+- name: Trust Docker key in apt keyring directly
+  ansible.builtin.shell: |
+    apt-key add /etc/apt/keyrings/docker.gpg
+  become: true
+  changed_when: true
+
+- name: Update apt cache
+  ansible.builtin.apt:
     update_cache: yes
   become: true
 
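Review bot: The new `Trust Docker key in apt keyring directly` task runs `apt-key add /etc/apt/keyrings/docker.gpg`, which loads the Docker key into apt's global trusted keyring so it can authenticate packages from any configured repository, undoing the per-repository scoping that the `signed-by=` option in the repository line just above is meant to provide; `apt-key` is also deprecated on current Debian/Ubuntu releases, so this task should be dropped rather than kept alongside `signed-by`. In the download task the shell block has no `set -e`, so a failed `curl` is masked because the task's exit status is that of the final `rm -f`, and the predictable `/tmp/docker.gpg.raw` path that root writes and then re-reads is better replaced with `mktemp`. The commit also removes the `gpg --list-keys` sanity check, so nothing now verifies that the dearmored file is a usable keyring before apt is pointed at it; putting that check inside the same script makes a bad download fail the play instead of leaving a broken keyring in place. As a smaller point of style, `update_cache: no` adds a YAML 1.1 truthy value to a file that already mixes `yes` with `true`; prefer `update_cache: false`.
```yaml
- name: Download Docker GPG key (new signing key)
  ansible.builtin.shell: |
    set -eu
    tmp=$(mktemp)
    curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o "$tmp"
    gpg --dearmor < "$tmp" > /etc/apt/keyrings/docker.gpg
    rm -f "$tmp"
    chmod 0644 /etc/apt/keyrings/docker.gpg
    # fail the task if the result is not a keyring gpg can read
    gpg --no-default-keyring --keyring /etc/apt/keyrings/docker.gpg --list-keys > /dev/null
  become: true
  changed_when: true
# … unchanged: Add Docker repository with signed-by (update_cache: false) …
# … the "Trust Docker key in apt keyring directly" task is removed entirely …
# … unchanged: Update apt cache …
```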