# -*- coding: utf-8 -*- # Copyright: (c) 2012, Michael DeHaan # Copyright: (c) 2012, Jayson Vantuyl # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) from __future__ import annotations DOCUMENTATION = ''' --- module: apt_key author: - Jayson Vantuyl (@jvantuyl) version_added: "1.0" short_description: Add or remove an apt key description: - Add or remove an I(apt) key, optionally downloading it. extends_documentation_fragment: action_common_attributes attributes: check_mode: support: full diff_mode: support: none platform: platforms: debian notes: - The apt-key command used by this module has been deprecated. See the L(Debian wiki,https://wiki.debian.org/DebianRepository/UseThirdParty) for details. This module is kept for backwards compatibility for systems that still use apt-key as the main way to manage apt repository keys. - As a sanity check, downloaded key id must match the one specified. - "Use full fingerprint (40 characters) key ids to avoid key collisions. To generate a full-fingerprint imported key: C(apt-key adv --list-public-keys --with-fingerprint --with-colons)." - If you specify both the key id and the URL with O(state=present), the task can verify or add the key as needed. - Adding a new key requires an apt cache update (e.g. using the M(ansible.builtin.apt) module's update_cache option). requirements: - gpg seealso: - module: ansible.builtin.deb822_repository options: id: description: - The identifier of the key. - Including this allows check mode to correctly report the changed state. - If specifying a subkey's id be aware that apt-key does not understand how to remove keys via a subkey id. Specify the primary key's id instead. - This parameter is required when O(state) is set to V(absent). type: str data: description: - The keyfile contents to add to the keyring. type: str file: description: - The path to a keyfile on the remote server to add to the keyring. type: path keyring: description: - The full path to specific keyring file in C(/etc/apt/trusted.gpg.d/). type: path version_added: "1.3" url: description: - The URL to retrieve key from. type: str keyserver: description: - The keyserver to retrieve key from. type: str version_added: "1.6" state: description: - Ensures that the key is present (added) or absent (revoked). type: str choices: [ absent, present ] default: present validate_certs: description: - If V(false), SSL certificates for the target url will not be validated. This should only be used on personally controlled sites using self-signed certificates. type: bool default: 'yes' ''' EXAMPLES = ''' - name: One way to avoid apt_key once it is removed from your distro, armored keys should use .asc extension, binary should use .gpg block: - name: somerepo | no apt key ansible.builtin.get_url: url: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x36a1d7869245c8950f966e92d8576a8ba88d21e9 dest: /etc/apt/keyrings/myrepo.asc checksum: sha256:bb42f0db45d46bab5f9ec619e1a47360b94c27142e57aa71f7050d08672309e0 - name: somerepo | apt source ansible.builtin.apt_repository: repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/myrepo.asc] https://download.example.com/linux/ubuntu {{ ansible_distribution_release }} stable" state: present - name: Add an apt key by id from a keyserver ansible.builtin.apt_key: keyserver: keyserver.ubuntu.com id: 36A1D7869245C8950F966E92D8576A8BA88D21E9 - name: Add an Apt signing key, uses whichever key is at the URL ansible.builtin.apt_key: url: https://ftp-master.debian.org/keys/archive-key-6.0.asc state: present - name: Add an Apt signing key, will not download if present ansible.builtin.apt_key: id: 9FED2BCBDCD29CDF762678CBAED4B06F473041FA url: https://ftp-master.debian.org/keys/archive-key-6.0.asc state: present - name: Remove a Apt specific signing key, leading 0x is valid ansible.builtin.apt_key: id: 0x9FED2BCBDCD29CDF762678CBAED4B06F473041FA state: absent # Use armored file since utf-8 string is expected. Must be of "PGP PUBLIC KEY BLOCK" type. - name: Add a key from a file on the Ansible server ansible.builtin.apt_key: data: "{{ lookup('ansible.builtin.file', 'apt.asc') }}" state: present - name: Add an Apt signing key to a specific keyring file ansible.builtin.apt_key: id: 9FED2BCBDCD29CDF762678CBAED4B06F473041FA url: https://ftp-master.debian.org/keys/archive-key-6.0.asc keyring: /etc/apt/trusted.gpg.d/debian.gpg - name: Add Apt signing key on remote server to keyring ansible.builtin.apt_key: id: 9FED2BCBDCD29CDF762678CBAED4B06F473041FA file: /tmp/apt.gpg state: present ''' RETURN = ''' after: description: List of apt key ids or fingerprints after any modification returned: on change type: list sample: ["D8576A8BA88D21E9", "3B4FE6ACC0B21F32", "D94AA3F0EFE21092", "871920D1991BC93C"] before: description: List of apt key ids or fingprints before any modifications returned: always type: list sample: ["3B4FE6ACC0B21F32", "D94AA3F0EFE21092", "871920D1991BC93C"] fp: description: Fingerprint of the key to import returned: always type: str sample: "D8576A8BA88D21E9" id: description: key id from source returned: always type: str sample: "36A1D7869245C8950F966E92D8576A8BA88D21E9" key_id: description: calculated key id, it should be same as 'id', but can be different returned: always type: str sample: "36A1D7869245C8950F966E92D8576A8BA88D21E9" short_id: description: calculated short key id returned: always type: str sample: "A88D21E9" ''' import os # FIXME: standardize into module_common from traceback import format_exc from ansible.module_utils.common.text.converters import to_native from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.common.locale import get_best_parsable_locale from ansible.module_utils.urls import fetch_url apt_key_bin = None gpg_bin = None locale = None def lang_env(module): if not hasattr(lang_env, 'result'): locale = get_best_parsable_locale(module) lang_env.result = dict(LANG=locale, LC_ALL=locale, LC_MESSAGES=locale) return lang_env.result def find_needed_binaries(module): global apt_key_bin global gpg_bin apt_key_bin = module.get_bin_path('apt-key', required=True) gpg_bin = module.get_bin_path('gpg', required=True) def add_http_proxy(cmd): for envvar in ('HTTPS_PROXY', 'https_proxy', 'HTTP_PROXY', 'http_proxy'): proxy = os.environ.get(envvar) if proxy: break if proxy: cmd += ' --keyserver-options http-proxy=%s' % proxy return cmd def parse_key_id(key_id): """validate the key_id and break it into segments :arg key_id: The key_id as supplied by the user. A valid key_id will be 8, 16, or more hexadecimal chars with an optional leading ``0x``. :returns: The portion of key_id suitable for apt-key del, the portion suitable for comparisons with --list-public-keys, and the portion that can be used with --recv-key. If key_id is long enough, these will be the last 8 characters of key_id, the last 16 characters, and all of key_id. If key_id is not long enough, some of the values will be the same. * apt-key del <= 1.10 has a bug with key_id != 8 chars * apt-key adv --list-public-keys prints 16 chars * apt-key adv --recv-key can take more chars """ # Make sure the key_id is valid hexadecimal int(to_native(key_id), 16) key_id = key_id.upper() if key_id.startswith('0X'): key_id = key_id[2:] key_id_len = len(key_id) if (key_id_len != 8 and key_id_len != 16) and key_id_len <= 16: raise ValueError('key_id must be 8, 16, or 16+ hexadecimal characters in length') short_key_id = key_id[-8:] fingerprint = key_id if key_id_len > 16: fingerprint = key_id[-16:] return short_key_id, fingerprint, key_id def parse_output_for_keys(output, short_format=False): found = [] lines = to_native(output).split('\n') for line in lines: if (line.startswith("pub") or line.startswith("sub")) and "expired" not in line: try: # apt key format tokens = line.split() code = tokens[1] (len_type, real_code) = code.split("/") except (IndexError, ValueError): # gpg format try: tokens = line.split(':') real_code = tokens[4] except (IndexError, ValueError): # invalid line, skip continue found.append(real_code) if found and short_format: found = shorten_key_ids(found) return found def all_keys(module, keyring, short_format): if keyring is not None: cmd = "%s --keyring %s adv --list-public-keys --keyid-format=long" % (apt_key_bin, keyring) else: cmd = "%s adv --list-public-keys --keyid-format=long" % apt_key_bin (rc, out, err) = module.run_command(cmd) if rc != 0: module.fail_json(msg="Unable to list public keys", cmd=cmd, rc=rc, stdout=out, stderr=err) return parse_output_for_keys(out, short_format) def shorten_key_ids(key_id_list): """ Takes a list of key ids, and converts them to the 'short' format, by reducing them to their last 8 characters. """ short = [] for key in key_id_list: short.append(key[-8:]) return short def download_key(module, url): try: # note: validate_certs and other args are pulled from module directly rsp, info = fetch_url(module, url, use_proxy=True) if info['status'] != 200: module.fail_json(msg="Failed to download key at %s: %s" % (url, info['msg'])) return rsp.read() except Exception: module.fail_json(msg="error getting key id from url: %s" % url, traceback=format_exc()) def get_key_id_from_file(module, filename, data=None): native_data = to_native(data) is_armored = native_data.find("-----BEGIN PGP PUBLIC KEY BLOCK-----") >= 0 key = None cmd = [gpg_bin, '--with-colons', filename] (rc, out, err) = module.run_command(cmd, environ_update=lang_env(module), data=(native_data if is_armored else data), binary_data=not is_armored) if rc != 0: module.fail_json(msg="Unable to extract key from '%s'" % ('inline data' if data is not None else filename), stdout=out, stderr=err) keys = parse_output_for_keys(out) # assume we only want first key? if keys: key = keys[0] return key def get_key_id_from_data(module, data): return get_key_id_from_file(module, '-', data) def import_key(module, keyring, keyserver, key_id): if keyring: cmd = "%s --keyring %s adv --no-tty --keyserver %s" % (apt_key_bin, keyring, keyserver) else: cmd = "%s adv --no-tty --keyserver %s" % (apt_key_bin, keyserver) # check for proxy cmd = add_http_proxy(cmd) # add recv argument as last one cmd = "%s --recv %s" % (cmd, key_id) for retry in range(5): (rc, out, err) = module.run_command(cmd, environ_update=lang_env(module)) if rc == 0: break else: # Out of retries if rc == 2 and 'not found on keyserver' in out: msg = 'Key %s not found on keyserver %s' % (key_id, keyserver) module.fail_json(cmd=cmd, msg=msg, forced_environment=lang_env(module)) else: msg = "Error fetching key %s from keyserver: %s" % (key_id, keyserver) module.fail_json(cmd=cmd, msg=msg, forced_environment=lang_env(module), rc=rc, stdout=out, stderr=err) return True def add_key(module, keyfile, keyring, data=None): if data is not None: if keyring: cmd = "%s --keyring %s add -" % (apt_key_bin, keyring) else: cmd = "%s add -" % apt_key_bin (rc, out, err) = module.run_command(cmd, data=data, binary_data=True) if rc != 0: module.fail_json( msg="Unable to add a key from binary data", cmd=cmd, rc=rc, stdout=out, stderr=err, ) else: if keyring: cmd = "%s --keyring %s add %s" % (apt_key_bin, keyring, keyfile) else: cmd = "%s add %s" % (apt_key_bin, keyfile) (rc, out, err) = module.run_command(cmd) if rc != 0: module.fail_json( msg="Unable to add a key from file %s" % (keyfile), cmd=cmd, rc=rc, keyfile=keyfile, stdout=out, stderr=err, ) return True def remove_key(module, key_id, keyring): if keyring: cmd = '%s --keyring %s del %s' % (apt_key_bin, keyring, key_id) else: cmd = '%s del %s' % (apt_key_bin, key_id) (rc, out, err) = module.run_command(cmd) if rc != 0: module.fail_json( msg="Unable to remove a key with id %s" % (key_id), cmd=cmd, rc=rc, key_id=key_id, stdout=out, stderr=err, ) return True def main(): module = AnsibleModule( argument_spec=dict( id=dict(type='str'), url=dict(type='str'), data=dict(type='str'), file=dict(type='path'), keyring=dict(type='path'), validate_certs=dict(type='bool', default=True), keyserver=dict(type='str'), state=dict(type='str', default='present', choices=['absent', 'present']), ), supports_check_mode=True, mutually_exclusive=(('data', 'file', 'keyserver', 'url'),), ) # parameters key_id = module.params['id'] url = module.params['url'] data = module.params['data'] filename = module.params['file'] keyring = module.params['keyring'] state = module.params['state'] keyserver = module.params['keyserver'] # internal vars short_format = False short_key_id = None fingerprint = None error_no_error = "apt-key did not return an error, but %s (check that the id is correct and *not* a subkey)" # ensure we have requirements met find_needed_binaries(module) # initialize result dict r = {'changed': False} if not key_id: if keyserver: module.fail_json(msg="Missing key_id, required with keyserver.") if url: data = download_key(module, url) if filename: key_id = get_key_id_from_file(module, filename) elif data: key_id = get_key_id_from_data(module, data) r['id'] = key_id try: short_key_id, fingerprint, key_id = parse_key_id(key_id) r['short_id'] = short_key_id r['fp'] = fingerprint r['key_id'] = key_id except ValueError: module.fail_json(msg='Invalid key_id', **r) if not fingerprint: # invalid key should fail well before this point, but JIC ... module.fail_json(msg="Unable to continue as we could not extract a valid fingerprint to compare against existing keys.", **r) if len(key_id) == 8: short_format = True # get existing keys to verify if we need to change r['before'] = keys = all_keys(module, keyring, short_format) keys2 = [] if state == 'present': if (short_format and short_key_id not in keys) or (not short_format and fingerprint not in keys): r['changed'] = True if not module.check_mode: if filename: add_key(module, filename, keyring) elif keyserver: import_key(module, keyring, keyserver, key_id) elif data: # this also takes care of url if key_id was not provided add_key(module, "-", keyring, data) elif url: # we hit this branch only if key_id is supplied with url data = download_key(module, url) add_key(module, "-", keyring, data) else: module.fail_json(msg="No key to add ... how did i get here?!?!", **r) # verify it got added r['after'] = keys2 = all_keys(module, keyring, short_format) if (short_format and short_key_id not in keys2) or (not short_format and fingerprint not in keys2): module.fail_json(msg=error_no_error % 'failed to add the key', **r) elif state == 'absent': if not key_id: module.fail_json(msg="key is required to remove a key", **r) if fingerprint in keys: r['changed'] = True if not module.check_mode: # we use the "short" id: key_id[-8:], short_format=True # it's a workaround for https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1481871 if short_key_id is not None and remove_key(module, short_key_id, keyring): r['after'] = keys2 = all_keys(module, keyring, short_format) if fingerprint in keys2: module.fail_json(msg=error_no_error % 'the key was not removed', **r) else: module.fail_json(msg="error removing key_id", **r) module.exit_json(**r) if __name__ == '__main__': main()