From fffda2c40dc40c1d66c27b285ad5f5d9ebce1e5e Mon Sep 17 00:00:00 2001
From: nevart <nevart@systemli.org>
Date: Thu, 15 Jun 2023 14:34:07 +0000
Subject: [PATCH] APT key: don't force and provide checksum, to fix check mode

As described in https://github.com/ansible/ansible/issues/65687, get_url
only partially supports check_mode: "the changed status will reflect
comparison to an empty source file".

Before this change, executing this code, with the key already being in
place on the target system, would report "OK", while check_mode would
report "changed".

Due to this change, both now either report "OK" or "changed", depending
on the state of the target system.
---
 tasks/setup-Debian.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tasks/setup-Debian.yml b/tasks/setup-Debian.yml
index 0abcd173..ec45440b 100644
--- a/tasks/setup-Debian.yml
+++ b/tasks/setup-Debian.yml
@@ -31,7 +31,8 @@
     url: "{{ docker_apt_gpg_key }}"
     dest: /etc/apt/trusted.gpg.d/docker.asc
     mode: '0644'
-    force: true
+    force: false
+    checksum: sha256:1500c1f56fa9e26b9b8f42452a553675796ade0807cdce11975eb98170b3a570
   register: add_repository_key
   ignore_errors: "{{ docker_apt_ignore_key_error }}"
   when: docker_add_repo | bool