From 0462aa77fedc5cc780ec67923cc0f68c2d36efb2 Mon Sep 17 00:00:00 2001
From: Ryan Taylor <1686627+rptaylor@users.noreply.github.com>
Date: Mon, 15 Sep 2025 12:00:04 -0700
Subject: [PATCH] add new CVMFS signing key

---
 tasks/keys.yml | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/tasks/keys.yml b/tasks/keys.yml
index fc5f80f..6732ac9 100644
--- a/tasks/keys.yml
+++ b/tasks/keys.yml
@@ -9,12 +9,17 @@
 #	- the CVMFS configuration repository contains the public CVMFS keys for all other Compute Canada CVMFS repositories
 #	- the other CVMFS repositories contain all Compute Canada software (and other content)
 
-- name: Install CernVM GPG key
-  rpm_key:
-    key: https://cvmrepo.web.cern.ch/cvmrepo/yum/RPM-GPG-KEY-CernVM
+- name: Install CernVM GPG keys
+  ansible.builtin.rpm_key:
+    key: "{{ item.key }}"
     state: present
     validate_certs: yes
-    fingerprint: "70B9 8904 8820 8E31 5ED4  5208 230D 389D 8AE4 5CE7"
+    fingerprint: "{{ item.fingerprint }}"
+  loop:
+    # 2024
+    - { key: "https://cvmrepo.web.cern.ch/cvmrepo/yum/RPM-GPG-KEY-CernVM-2048", fingerprint: "FD80 468D 49B3 B24C 3417  41FC 8CE0 A76C 497E A957" }
+    # older key, to be eventually removed
+    - { key: "https://cvmrepo.web.cern.ch/cvmrepo/yum/RPM-GPG-KEY-CernVM",      fingerprint: "70B9 8904 8820 8E31 5ED4  5208 230D 389D 8AE4 5CE7" }
 
 # Also available at https://git.computecanada.ca/cc-cvmfs-public/cvmfs-config/raw/master/RPM-GPG-KEY-CC-CVMFS-1
 - name: Install Compute Canada CVMFS GPG key