
Ansible tasks for adding the Google Cloud SDK apt repository signing key


I'm trying to download and install the Google Cloud SDK apt repository's signing key as a set of Ansible tasks (i.e., converting the manual process outlined here into Ansible).

This is what I've come up with:

    - name: Install the Google Cloud SDK package repository signing key
      ansible.builtin.apt_key:
        url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
        keyring: /usr/share/keyrings/cloud.google.gpg

    - name: Add Google Cloud SDK package repository source
      ansible.builtin.apt_repository:
        filename: google-cloud-sdk.list
        repo: "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main"
        update_cache: yes

However, my first task fails, with a big GnuPG error. Here's the Ansible failure JSON:

    {
      "changed": false,
      "msg": "Unable to extract key from '-'",
      "stderr": "gpg: WARNING: no command supplied.  Trying to guess what you mean ...\ngpg: [don't know]: invalid packet (ctb=0a)\n",
      "stderr_lines": [
        "gpg: WARNING: no command supplied.  Trying to guess what you mean ...",
        "gpg: [don't know]: invalid packet (ctb=0a)"
      ],
      "stdout": "pub:-:2048:1:FEEA9169307EA071:1614614617:1677728521::-:\nuid:::::::::Rapture Automatic Signing Key (cloud-rapture-signing-key-2021-03-01-08_01_09.pub):\nsub:-:2048:1:AA42F36EE8BEEE0E:1614614617::::\npub:-:2048:1:8B57C5C2836F4BEB:1607040606:1670154510::-:\nuid:::::::::gLinux Rapture Automatic Signing Key (//depot/google3/production/borg/cloud-rapture/keys/cloud-rapture-pubkeys/cloud-rapture-signing-key-2020-12-03-16_08_05.pub) <glinux-team@google.com>:\nsub:-:2048:1:48419E688DD52AC0:1607040606::::\n",
      "stdout_lines": [
        "pub:-:2048:1:FEEA9169307EA071:1614614617:1677728521::-:",
        "uid:::::::::Rapture Automatic Signing Key (cloud-rapture-signing-key-2021-03-01-08_01_09.pub):",
        "sub:-:2048:1:AA42F36EE8BEEE0E:1614614617::::",
        "pub:-:2048:1:8B57C5C2836F4BEB:1607040606:1670154510::-:",
        "uid:::::::::gLinux Rapture Automatic Signing Key (//depot/google3/production/borg/cloud-rapture/keys/cloud-rapture-pubkeys/cloud-rapture-signing-key-2020-12-03-16_08_05.pub) <glinux-team@google.com>:",
        "sub:-:2048:1:48419E688DD52AC0:1607040606::::"
      ]
    }

If I download the file from Google (with get_url) and add the key that way -- which doesn't seem necessary, from my understanding of the documentation -- it progresses, but then the second task fails (because the key's not found).

I assume I'm using apt_key and apt_repository incorrectly, but I don't know how. Can it be done this way, or would it be easier to just shell out?


Solution

  • Apparently apt-key is deprecated. I got it to work with:

    - name: Download the Google Cloud SDK package repository signing key
      ansible.builtin.get_url:
        url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
        dest: /etc/apt/trusted.gpg.d/gcloud.gpg
    
    - name: Add Google Cloud SDK package repository source
      ansible.builtin.apt_repository:
        filename: google-cloud-sdk.list
        repo: "deb [signed-by=/etc/apt/trusted.gpg.d/gcloud.gpg] https://packages.cloud.google.com/apt cloud-sdk main"
        update_cache: yes
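
A variant of the tasks above that keeps the key in /usr/share/keyrings, the path the question first tried, so that `signed-by` is the only thing granting it trust: apt trusts keyrings placed under /etc/apt/trusted.gpg.d for every configured repository. This is an added example, not part of the original answer; the variable names, the fingerprint placeholder and the presence of `gpg` on the target host are assumptions.

```yaml
- name: Add the Google Cloud SDK repository with a repository-scoped key
  hosts: all
  become: true
  vars:
    # Hypothetical variable names, not from the original post.
    gcloud_keyring: /usr/share/keyrings/cloud.google.gpg
    # Placeholder: set to the 40-hex-digit fingerprint you verified out of band.
    gcloud_expected_fingerprint: REPLACE_WITH_VERIFIED_FINGERPRINT
  tasks:
    - name: Download the signing key to a keyring outside trusted.gpg.d
      ansible.builtin.get_url:
        url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
        dest: "{{ gcloud_keyring }}"
        owner: root
        group: root
        mode: "0644"   # apt must be able to read the file; nobody else may write it

    - name: List the keys contained in the downloaded file
      ansible.builtin.command:
        argv:
          - gpg
          - --show-keys
          - --with-colons
          - --with-fingerprint
          - "{{ gcloud_keyring }}"
      register: gcloud_key_listing
      changed_when: false   # read-only inspection

    # Runs before the source is added, so a failed check stops the play
    # before apt is ever pointed at this keyring.
    - name: Stop unless the expected fingerprint is present
      ansible.builtin.assert:
        that:
          - gcloud_key_listing.stdout is search('fpr:::::::::' ~ gcloud_expected_fingerprint ~ ':')
        fail_msg: "{{ gcloud_keyring }} does not contain the expected signing key"

    - name: Add Google Cloud SDK package repository source
      ansible.builtin.apt_repository:
        filename: google-cloud-sdk   # the module appends .list itself
        repo: "deb [signed-by={{ gcloud_keyring }}] https://packages.cloud.google.com/apt cloud-sdk main"
        update_cache: true
```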