From 24d29c3a525c7c353fe716cd43c0979fdd2ebde2 Mon Sep 17 00:00:00 2001
From: Cameron Hyde
Date: Fri, 15 Aug 2025 13:36:40 +1000
Subject: [PATCH 1/4] Proper signing of debian GPG keys
---
tasks/init_debian.yml | 26 +++++++++++++++++++-------
1 file changed, 19 insertions(+), 7 deletions(-)
diff --git a/tasks/init_debian.yml b/tasks/init_debian.yml
index a8a4548..245d119 100644
--- a/tasks/init_debian.yml
+++ b/tasks/init_debian.yml
@@ -5,33 +5,45 @@
 - apt-transport-https
 - ca-certificates
-- name: Install CernVM apt key
+- name: Remove old CernVM GPG key from legacy keyring
 ansible.builtin.apt_key:
 url: https://cvmrepo.web.cern.ch/cvmrepo/apt/cernvm.gpg
+ state: absent
+ ignore_errors: true
+
+- name: Download CernVM GPG key
+ ansible.builtin.get_url:
+ url: https://cvmrepo.web.cern.ch/cvmrepo/apt/cernvm.gpg
+ dest: /usr/share/keyrings/cernvm.gpg
+ mode: '0644'
 - name: Configure CernVM apt repository
 ansible.builtin.apt_repository:
- filename: cernvm.list
+ filename: cernvm
 mode: 422
- repo: deb [allow-insecure=true] https://cvmrepo.web.cern.ch/cvmrepo/apt/ {{ ansible_distribution_release }}-prod main
+ repo: deb [signed-by=/usr/share/keyrings/cernvm.gpg] https://cvmrepo.web.cern.ch/cvmrepo/apt/ {{ ansible_distribution_release }}-prod main
 when: ansible_distribution != 'Ubuntu'
 - name: Configure CernVM apt repository
 ansible.builtin.apt_repository:
- filename: cernvm.list
+ filename: cernvm
 mode: 422
- repo: deb [allow-insecure=true] https://cvmrepo.web.cern.ch/cvmrepo/apt/ {{ ansible_distribution_release }}-prod main
+ repo: deb [signed-by=/usr/share/keyrings/cernvm.gpg] https://cvmrepo.web.cern.ch/cvmrepo/apt/ {{ ansible_distribution_release }}-prod main
 when: ansible_distribution == 'Ubuntu' and ansible_distribution_release in ('bionic', 'xenial', 'precise', 'focal', 'jammy', 'noble')
 # There are no packages for any of the non LTS versions so good
 # luck and have fun if that's you.
 - name: Configure CernVM apt repository
 ansible.builtin.apt_repository:
- filename: cernvm.list
+ filename: cernvm
 mode: 422
- repo: deb [allow-insecure=true] https://cvmrepo.web.cern.ch/cvmrepo/apt/ xenial-prod main
+ repo: deb [signed-by=/usr/share/keyrings/cernvm.gpg] https://cvmrepo.web.cern.ch/cvmrepo/apt/ xenial-prod main
 when: ansible_distribution == 'Ubuntu' and ansible_distribution_release not in ('bionic', 'xenial', 'precise', 'focal', 'jammy', 'noble')
+- name: Update apt cache after key changes
+ ansible.builtin.apt:
+ update_cache: yes
+
 - name: Install CernVM-FS packages and dependencies (apt)
 ansible.builtin.apt:
 name: "{{ cvmfs_packages[_cvmfs_role] }}"
From a9dde42ee066b741b5bb31238e062e3fc6d0c584 Mon Sep 17 00:00:00 2001
From: Cameron Hyde
Date: Fri, 15 Aug 2025 14:05:29 +1000
Subject: [PATCH 2/4] apt repo signing method depends on ubuntu releases
---
tasks/init_debian.yml | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/tasks/init_debian.yml b/tasks/init_debian.yml
index 245d119..a3c9a5e 100644
--- a/tasks/init_debian.yml
+++ b/tasks/init_debian.yml
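Review bot: The keyring fetched by the new `Download CernVM GPG key` task becomes the sole trust root for this repository, yet `get_url` pins nothing beyond the TLS connection; adding `checksum: sha256:<EXPECTED_KEY_DIGEST_PLACEHOLDER>` (or checking the key fingerprint after download) would make a swapped key fail loudly instead of being accepted silently. Renaming `filename: cernvm.list` to `cernvm` also leaves the previously generated list file in place on already-provisioned hosts, so if apt_repository appends `.list` as I believe it does, the old `cernvm.list.list` entry with `allow-insecure=true` keeps being read until an `ansible.builtin.file` task with `state: absent` removes it. Minor: `update_cache: yes` should be `update_cache: true` (yamllint truthy), and older apt expects a binary keyring behind a `signed-by` path ending in `.gpg`, so confirm the served file is not ASCII-armored.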
@@ -24,12 +24,19 @@
 repo: deb [signed-by=/usr/share/keyrings/cernvm.gpg] https://cvmrepo.web.cern.ch/cvmrepo/apt/ {{ ansible_distribution_release }}-prod main
 when: ansible_distribution != 'Ubuntu'
+- name: Configure CernVM apt repository
+ ansible.builtin.apt_repository:
+ filename: cernvm.list
+ mode: 422
+ repo: deb [allow-insecure=true] https://cvmrepo.web.cern.ch/cvmrepo/apt/ {{ ansible_distribution_release }}-prod main
+ when: ansible_distribution == 'Ubuntu' and ansible_distribution_release in ('bionic', 'xenial', 'precise', 'focal')
+
 - name: Configure CernVM apt repository
 ansible.builtin.apt_repository:
 filename: cernvm
 mode: 422
 repo: deb [signed-by=/usr/share/keyrings/cernvm.gpg] https://cvmrepo.web.cern.ch/cvmrepo/apt/ {{ ansible_distribution_release }}-prod main
- when: ansible_distribution == 'Ubuntu' and ansible_distribution_release in ('bionic', 'xenial', 'precise', 'focal', 'jammy', 'noble')
+ when: ansible_distribution == 'Ubuntu' and ansible_distribution_release in ('jammy', 'noble')
 # There are no packages for any of the non LTS versions so good
 # luck and have fun if that's you.
From c742a4be14efc0474b4c049b6e3130fb68fe1bf4 Mon Sep 17 00:00:00 2001
From: Cameron Hyde
Date: Fri, 15 Aug 2025 14:06:09 +1000
Subject: [PATCH 3/4] Only replace old key for modern ubuntu releases
---
tasks/init_debian.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tasks/init_debian.yml b/tasks/init_debian.yml
index a3c9a5e..a9e77dd 100644
--- a/tasks/init_debian.yml
+++ b/tasks/init_debian.yml
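Review bot: The re-added `allow-insecure=true` task for bionic/xenial/precise/focal turns signature verification off for that source entirely, so a tampered index or package would be installed with no check at all; as far as I recall apt has honoured `signed-by` since the 1.1 series, which xenial and later ship, so the keyring path should work on at least focal and bionic — worth confirming what actually failed there before keeping the fallback. If the fallback must stay, record the reason beside it, e.g. `# allow-insecure: signed-by keyring rejected on <release> because <reason>`, and consider dropping the end-of-life releases from the list rather than carrying an unsigned source for them. Note also that this task keeps `filename: cernvm.list` while its siblings use `cernvm`, so the two branches write differently named files.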
@@ -10,12 +10,14 @@
 url: https://cvmrepo.web.cern.ch/cvmrepo/apt/cernvm.gpg
 state: absent
 ignore_errors: true
+ when: ansible_distribution == 'Ubuntu' and ansible_distribution_release in ('jammy', 'noble')
 - name: Download CernVM GPG key
 ansible.builtin.get_url:
 url: https://cvmrepo.web.cern.ch/cvmrepo/apt/cernvm.gpg
 dest: /usr/share/keyrings/cernvm.gpg
 mode: '0644'
+ when: ansible_distribution == 'Ubuntu' and ansible_distribution_release in ('jammy', 'noble')
 - name: Configure CernVM apt repository
 ansible.builtin.apt_repository:
From db172bc079a55e6bda07761c456c80cfbdd474e9 Mon Sep 17 00:00:00 2001
From: Cameron Hyde
Date: Fri, 15 Aug 2025 14:40:42 +1000
Subject: [PATCH 4/4] Update task names
---
tasks/init_debian.yml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/tasks/init_debian.yml b/tasks/init_debian.yml
index a9e77dd..a467419 100644
--- a/tasks/init_debian.yml
+++ b/tasks/init_debian.yml
@@ -19,21 +19,21 @@
 mode: '0644'
 when: ansible_distribution == 'Ubuntu' and ansible_distribution_release in ('jammy', 'noble')
-- name: Configure CernVM apt repository
+- name: Configure CernVM apt repository for non-Ubuntu distributions
 ansible.builtin.apt_repository:
 filename: cernvm
 mode: 422
 repo: deb [signed-by=/usr/share/keyrings/cernvm.gpg] https://cvmrepo.web.cern.ch/cvmrepo/apt/ {{ ansible_distribution_release }}-prod main
 when: ansible_distribution != 'Ubuntu'
-- name: Configure CernVM apt repository
+- name: Configure CernVM apt repository for older Ubuntu releases
 ansible.builtin.apt_repository:
 filename: cernvm.list
 mode: 422
 repo: deb [allow-insecure=true] https://cvmrepo.web.cern.ch/cvmrepo/apt/ {{ ansible_distribution_release }}-prod main
 when: ansible_distribution == 'Ubuntu' and ansible_distribution_release in ('bionic', 'xenial', 'precise', 'focal')
-- name: Configure CernVM apt repository
+- name: Configure CernVM apt repository for modern Ubuntu releases
 ansible.builtin.apt_repository:
 filename: cernvm
 mode: 422
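Review bot: Restricting the key download to Ubuntu jammy/noble leaves the non-Ubuntu task (context in the previous hunk) and the non-LTS Ubuntu task (first patch) pointing at `signed-by=/usr/share/keyrings/cernvm.gpg` with nothing that creates that file, so on Debian and on non-LTS Ubuntu apt will reject the source because the keyring is missing. Both new `when:` lines should instead exclude only the releases that take the allow-insecure branch: `when: not (ansible_distribution == 'Ubuntu' and ansible_distribution_release in ('bionic', 'xenial', 'precise', 'focal'))`. The same widened condition on the legacy-keyring removal task would also clean the globally trusted old key off Debian hosts provisioned by earlier versions of this role, which the jammy/noble-only guard currently skips.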
@@ -42,7 +42,7 @@
 # There are no packages for any of the non LTS versions so good
 # luck and have fun if that's you.
-- name: Configure CernVM apt repository
+- name: Configure CernVM apt repository for non-LTS Ubuntu releases
 ansible.builtin.apt_repository:
 filename: cernvm
 mode: 422