3

I'm trying to download and install the Google Cloud SDK apt repository's signing key as a set of Ansible tasks (i.e., converting the manual process outlined here into Ansible).

This is what I've come up with:

- name: Install the Google Cloud SDK package repository signing key
  ansible.builtin.apt_key:
    url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
    keyring: /usr/share/keyrings/cloud.google.gpg

- name: Add Google Cloud SDK package repository source
  ansible.builtin.apt_repository:
    filename: google-cloud-sdk.list
    repo: "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main"
    update_cache: yes

However, my first task fails, with a big GnuPG error. Here's the Ansible failure JSON:

{
  "changed": false,
  "msg": "Unable to extract key from '-'",
  "stderr": "gpg: WARNING: no command supplied.  Trying to guess what you mean ...\ngpg: [don't know]: invalid packet (ctb=0a)\n",
  "stderr_lines": [
    "gpg: WARNING: no command supplied.  Trying to guess what you mean ...",
    "gpg: [don't know]: invalid packet (ctb=0a)"
  ],
  "stdout": "pub:-:2048:1:FEEA9169307EA071:1614614617:1677728521::-:\nuid:::::::::Rapture Automatic Signing Key (cloud-rapture-signing-key-2021-03-01-08_01_09.pub):\nsub:-:2048:1:AA42F36EE8BEEE0E:1614614617::::\npub:-:2048:1:8B57C5C2836F4BEB:1607040606:1670154510::-:\nuid:::::::::gLinux Rapture Automatic Signing Key (//depot/google3/production/borg/cloud-rapture/keys/cloud-rapture-pubkeys/cloud-rapture-signing-key-2020-12-03-16_08_05.pub) <glinux-team@google.com>:\nsub:-:2048:1:48419E688DD52AC0:1607040606::::\n",
  "stdout_lines": [
    "pub:-:2048:1:FEEA9169307EA071:1614614617:1677728521::-:",
    "uid:::::::::Rapture Automatic Signing Key (cloud-rapture-signing-key-2021-03-01-08_01_09.pub):",
    "sub:-:2048:1:AA42F36EE8BEEE0E:1614614617::::",
    "pub:-:2048:1:8B57C5C2836F4BEB:1607040606:1670154510::-:",
    "uid:::::::::gLinux Rapture Automatic Signing Key (//depot/google3/production/borg/cloud-rapture/keys/cloud-rapture-pubkeys/cloud-rapture-signing-key-2020-12-03-16_08_05.pub) <glinux-team@google.com>:",
    "sub:-:2048:1:48419E688DD52AC0:1607040606::::"
  ]
}

If I download the file from Google (with get_url) and add the key that way -- which doesn't seem necessary, from my understanding of the documentation -- it progresses, but then the second task fails (because the key's not found).

I assume I'm using apt_key and apt_repository incorrectly, but I don't know how. Can it be done this way, or would it be easier to just shell out?

Xophmeister

2 Answers

7

Apparently apt-key is deprecated. I got it to work with:

- name: Download the Google Cloud SDK package repository signing key
  ansible.builtin.get_url:
    url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
    dest: /etc/apt/trusted.gpg.d/gcloud.gpg

- name: Add Google Cloud SDK package repository source
  ansible.builtin.apt_repository:
    filename: google-cloud-sdk.list
    repo: "deb [signed-by=/etc/apt/trusted.gpg.d/gcloud.gpg] https://packages.cloud.google.com/apt cloud-sdk main"
    update_cache: yes

Xophmeister
    For me, `[signed-by=…` wasn’t necessary. Maybe it picks up the key automatically when it’s in `trusted.gpg.d`? – aaronk6 Jan 26 '22 at 23:20
  • You just saved me a lot of time. Thanks. – Vasantha Ganesh Mar 13 '22 at 18:37
  • @aaronk6 yes, this is why; and [this is why it is not a good practice](https://stackoverflow.com/a/71384057) to store third party signing keys in the `/etc/apt/trusted.gpg.d/` directory. Use `/usr/share/keyrings/` instead, and [always use](https://wiki.debian.org/DebianRepository/UseThirdParty#OpenPGP_Key_distribution) `signed-by` in your `.list` file! @Xophmeister – 4wk_ Jul 19 '22 at 08:35
6

TL;DR (tested on Debian 11) - addendum to Xophmeister's solution:

  • use /usr/share/keyrings for 3rd party gpg keys
  • put signed-by=/usr/share/keyrings/key.(gpg|asc) in repo definition
  • prefer binary signatures (.gpg files), but ASCII armored keys seem to work (as long as the extension is .asc)
  • no need to install gnupg (as long as you don't use apt-key commands)

Although Xophmeister's answer seems to be ok, it misses the whole point of the apt-key deprecation, which is to not add any more 3rd party keys to the global signing key list. So, the idea is to create a new directory (/usr/share/keyrings, /usr/local/share/keyrings etc.) and put all 3rd party signing keys there, and leave trusted.gpg.d only for official Debian repositories.

LE: /usr/share/keyrings is present in Debian since Debian 9 (at least), and this is the default location where you should put the keys; probably in the future /etc/apt/trusted.gpg.d/ will be deprecated (even for Debian keys; for now only for third party keys).

Use .gpg for binary keys (preferred), and .asc for ASCII armored ones. Although ASCII armored keys are not recommended, because we talk about Ansible playbooks it is hard (for now) to write good code (in an idempotent way) that will get the ASCII key and transform it to binary. Of course, I guess we can use the apt_key module as before and set the destination to the /usr/share/keyrings directory; but as long as it probably uses the apt-key script in the background, this is probably not the best option.

So, using get_url and apt_repository I was able to add an ASCII armored key and the repository with signed-by=/usr/share/keyrings/key.asc; no need to install gnupg; apt update and apt install worked. A binary key is recommended, but it seems to work also with an ASCII armored key.

Alex
  • Thanks for this additional information. When I was doing this, I could find very little about the correct procedure. – Xophmeister Oct 08 '21 at 09:39
  • This does not provide an answer to the question. Once you have sufficient [reputation](https://stackoverflow.com/help/whats-reputation) you will be able to [comment on any post](https://stackoverflow.com/help/privileges/comment); instead, [provide answers that don't require clarification from the asker](https://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead). - [From Review](/review/late-answers/30026150) – gehbiszumeis Oct 08 '21 at 12:42
  • I agree, that should be a comment. But it seems what my reputation is not enough to comment, so as long as my "comment" adds some value to the solution the "mistake" can be overlooked :-P – Alex Oct 09 '21 at 10:11
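Added example, not code from the question or either answer: a POSIX shell version of the procedure in Alex's addendum (and the signed-by point in 4wk_'s comment) that classifies a downloaded key by its first bytes so it lands in the keyring directory with the extension apt expects (.gpg for binary, .asc for armored), then prints the matching repo line. The keyring directory, file names and repository parameters are caller-supplied assumptions, and the byte-level check is mine, not something the answers describe.

```shell
#!/bin/sh
# Added example, not from the question or either answer.
# Save a downloaded apt signing key under a third-party keyring directory
# (e.g. /usr/share/keyrings) with the extension apt expects for its format
# (.gpg = binary OpenPGP, .asc = ASCII armored) and print the repo line
# that pins the repository to that key via signed-by=.
set -eu

# Print "gpg" for a binary OpenPGP key or "asc" for an armored one.
# An armored key starts with the "-----BEGIN PGP PUBLIC KEY BLOCK-----"
# header; a binary OpenPGP stream starts with a packet tag byte whose
# high bit is set (RFC 4880), so its first byte is >= 128.
key_format() {
    keyfile="$1"
    if head -c 40 "$keyfile" | grep -qF -e '-----BEGIN PGP PUBLIC KEY BLOCK-----'; then
        echo asc
        return 0
    fi
    first_byte=$(od -An -N1 -tu1 "$keyfile" | tr -d ' ')
    if [ -n "$first_byte" ] && [ "$first_byte" -ge 128 ]; then
        echo gpg
        return 0
    fi
    echo "$keyfile: not an OpenPGP public key" >&2
    return 1
}

# $1 downloaded key, $2 keyring dir, $3 key base name, $4 repo URL,
# $5 suite, $6 component. Installs the key world-readable (apt fetches
# as the _apt user) and prints the line for the .list file.
install_key_and_repo_line() {
    ext=$(key_format "$1")
    dest="$2/$3.$ext"
    install -m 0644 "$1" "$dest"
    printf 'deb [signed-by=%s] %s %s %s\n' "$dest" "$4" "$5" "$6"
}
```

In the Ansible version the same split becomes a get_url task with dest under /usr/share/keyrings and an apt_repository task whose repo string carries the printed signed-by= option.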