deb822: Puts Keys in wrong directory #83074

Closed
KevinHonka opened this issue Apr 17, 2024 · 7 comments
Labels
affects_2.16 bug This issue/PR relates to a bug. module This issue/PR relates to a module.

Comments


KevinHonka commented Apr 17, 2024

Summary

We noticed that the deb822 module puts the keys it downloads into the /etc/apt/keyrings folder. The official documentation says that they should be stored in trusted.gpg.d folder.

This is a show-stopper in adopting the deb822 module, as keys stored in /etc/apt/keyrings will not be loaded on the current Debian 12 cloud image.

Issue Type

Bug Report

Component Name

deb822_repository

Ansible Version

ansible [core 2.16.2]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/kevin/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/kevin/.local/lib/python3.10/site-packages/ansible
  ansible collection location = /home/kevin/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/kevin/.local/bin/ansible
  python version = 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True

Configuration

# if using a version older than ansible-core 2.12 you should omit the '-t all'
$ ansible-config dump --only-changed -t all
ANSIBLE_NOCOWS(/etc/ansible/ansible.cfg) = True
CONFIG_FILE() = /etc/ansible/ansible.cfg
DEFAULT_FORKS(/etc/ansible/ansible.cfg) = 30
DEFAULT_REMOTE_USER(/etc/ansible/ansible.cfg) = debian
DEFAULT_STDOUT_CALLBACK(/etc/ansible/ansible.cfg) = yaml
HOST_KEY_CHECKING(/etc/ansible/ansible.cfg) = False
RETRY_FILES_ENABLED(/etc/ansible/ansible.cfg) = False

CONNECTION:
==========

paramiko_ssh:
____________
host_key_checking(/etc/ansible/ansible.cfg) = False
remote_user(/etc/ansible/ansible.cfg) = debian
ssh_args(/etc/ansible/ansible.cfg) = -C -o ControlMaster=auto -o ControlPersist=60s

ssh:
___
control_path_dir(/etc/ansible/ansible.cfg) = /tmp/.ansible/cp
host_key_checking(/etc/ansible/ansible.cfg) = False
remote_user(/etc/ansible/ansible.cfg) = debian
ssh_args(/etc/ansible/ansible.cfg) = -C -o ControlMaster=auto -o ControlPersist=60s

OS / Environment

Debian 12

Steps to Reproduce

- name: Install | Add gitlab apt repository
  ansible.builtin.deb822_repository:
    name: gitlab
    components:
      - main
    suites: '{{ ansible_distribution_release }}'
    signed_by: https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey
    types: deb
    uris: 'https://packages.gitlab.com/gitlab/gitlab-ce/{{ ansible_distribution | lower }}/'

Expected Results

The imported key is placed in /etc/apt/trusted.gpg.d

Actual Results

The imported key is placed in `/etc/apt/keyrings`.

This happens because the folder is hard coded in the [deb822 module](https://github.com/ansible/ansible/blob/devel/lib/ansible/modules/deb822_repository.py#L256).

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
@ansibot ansibot added bug This issue/PR relates to a bug. needs_triage Needs a first human triage before being processed. affects_2.16 labels Apr 17, 2024
@ansibot
Contributor

ansibot commented Apr 17, 2024

Files identified in the description:

None

If these files are incorrect, please update the component name section of the description or use the component bot command.

@KevinHonka
Author

@ansibot component +lib/ansible/modules/deb822_repository.py

@ansibot ansibot added the module This issue/PR relates to a module. label Apr 17, 2024
@ansibot
Contributor

ansibot commented Apr 17, 2024

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the component bot command.

@konstruktoid
Contributor

The source file is correct and points to the right location.

~$ cat /etc/apt/sources.list.d/gitlab.sources 
X-Repolib-Name: gitlab
Components: main
Suites: jammy
Signed-By: /etc/apt/keyrings/gitlab.asc
Types: deb
URIs: https://packages.gitlab.com/gitlab/gitlab-ce/ubuntu/

https://manpages.debian.org/bookworm/apt/sources.list.5.en.html:
"Signed-By (signed-by) [...] is specified as a list of absolute paths to keyring files (have to be accessible and readable for the _apt system user, so ensure everyone has read-permissions on the file) and fingerprints of keys to select from these keyrings. The recommended locations for keyrings are /usr/share/keyrings for keyrings managed by packages, and /etc/apt/keyrings for keyrings managed by the system operator."

@KevinHonka
Author

Thanks, this would mean the documentation is wrongly referring to trusted.gpg.d

@konstruktoid
Contributor

No, not really.

"Either a URL to a GPG key, absolute path to a keyring file, one or more fingerprints of keys either in the trusted.gpg keyring or in the keyrings in the trusted.gpg.d/ directory, or an ASCII armored GPG public key block."

There are still keys present in /etc/apt/trusted.gpg.d/ that you can use for verification (Signed-by).

~$ lsb_release -d && ls /etc/apt/trusted.gpg.d/
No LSB modules are available.
Description:    Debian GNU/Linux trixie/sid
debian-archive-bookworm-automatic.asc           debian-archive-bookworm-stable.asc     debian-archive-bullseye-security-automatic.asc  debian-archive-buster-automatic.asc           debian-archive-buster-stable.asc
debian-archive-bookworm-security-automatic.asc  debian-archive-bullseye-automatic.asc  debian-archive-bullseye-stable.asc              debian-archive-buster-security-automatic.asc
~$ cat /etc/apt/trusted.gpg.d/debian-archive-bookworm-automatic.asc | gpg --show-keys --dry-run
pub   rsa4096 2023-01-21 [SC] [expires: 2031-01-19]
      B8B80B5B623EAB6AD8775C45B7C5D7D6350947F8
uid                      Debian Archive Automatic Signing Key (12/bookworm) <ftpmaster@debian.org>
sub   rsa4096 2023-01-21 [S] [expires: 2031-01-19]
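Taking the two comments above together, the following is an added check of my own (not code from this issue, nor from the Ansible deb822_repository module): it parses a deb822 .sources file like the gitlab.sources shown earlier and, for each Signed-By entry, distinguishes an absolute keyring path, a 40-hex-digit fingerprint (resolved by apt against trusted.gpg.d) and an inline armored key block, flagging paths that are not absolute, do not exist, or are not world-readable, which is the _apt-user requirement quoted from sources.list(5). The sample stanza is constructed from the quoted file.

```python
import os
import re
import stat

# Constructed sample, cut down from the gitlab.sources file quoted above.
SAMPLE_SOURCES = """Types: deb
URIs: https://packages.gitlab.com/gitlab/gitlab-ce/ubuntu/
Suites: jammy
Signed-By: /etc/apt/keyrings/gitlab.asc
"""
FINGERPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")

def parse_deb822(text):
    """Split deb822 text into stanzas (dicts of field -> value)."""
    stanzas, current = [], {}
    for line in text.splitlines():
        if not line.strip():                 # blank line ends a stanza
            if current:
                stanzas.append(current)
                current = {}
        elif line[0] in " \t" and current:   # continuation (inline key block)
            last = list(current)[-1]
            current[last] += "\n" + line.strip()
        else:
            field, _, value = line.partition(":")
            current[field.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas

def readable_by_apt(mode):
    """True if the mode bits let the unprivileged _apt user read the keyring."""
    return bool(mode & stat.S_IROTH)

def signed_by_problems(stanza):
    """List what is wrong with a stanza's Signed-By entries (empty = fine)."""
    value = stanza.get("Signed-By", "")
    if "BEGIN PGP PUBLIC KEY BLOCK" in value:
        return []  # inline armored key: nothing on disk to check
    problems = []
    for item in value.split():
        if FINGERPRINT_RE.match(item):
            continue  # fingerprint, resolved by apt against trusted.gpg.d
        if not os.path.isabs(item):
            problems.append(f"{item}: Signed-By path must be absolute")
        elif not os.path.isfile(item):
            problems.append(f"{item}: keyring file does not exist")
        elif not readable_by_apt(os.stat(item).st_mode):
            problems.append(f"{item}: not world-readable, _apt cannot read it")
    return problems
```

Run it over each file in /etc/apt/sources.list.d/*.sources after the playbook to confirm the keyring the module wrote is where the stanza points and is readable by _apt.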

@sivel
Member

sivel commented Apr 18, 2024

Closing per above.

@sivel sivel closed this as completed Apr 18, 2024
@sivel sivel removed the needs_triage Needs a first human triage before being processed. label Apr 18, 2024