How do I import a gnupg public key using only Ansible?


I am using Ansible role DebOps wpcli: https://docs.debops.org/en/stable-3.1/ansible/roles/wpcli/index.html

The error is:

TASK [debops.debops.wpcli : Verify and install wp-cli binary] ******************
fatal: [webserver]: FAILED! => changed=true 
  cmd: set -o nounset -o pipefail -o errexit && gpg --batch --decrypt --output /usr/local/src/wpcli/wp-cli-2.5.0.phar /usr/local/src/wpcli/wp-cli-2.5.0.phar.gpg && ( install --mode 755 --owner root --group root /usr/local/src/wpcli/wp-cli-2.5.0.phar /usr/local/bin/wp && install --mode 644 --owner root --group root /usr/local/src/wpcli/wp-cli-2.5.0.completion.bash /etc/bash_completion.d/wp-completion ) || ( rm -f /usr/local/src/wpcli/wp-cli-2.5.0.phar && exit 2 )
  delta: '0:00:00.092231'
  end: '2024-09-05 06:45:25.499750'
  msg: non-zero return code
  rc: 2
  start: '2024-09-05 06:45:25.407519'
  stderr: |-
    gpg: directory '/root/.gnupg' created
    gpg: keybox '/root/.gnupg/pubring.kbx' created
    gpg: Signature made Wed May 19 15:24:41 2021 UTC
    gpg:                using RSA key 63AF7AA15067C05616FDDD88A3A2E8F226F0BC06
    gpg:                issuer "releases@wp-cli.org"
    gpg: Can't check signature: No public key
  stderr_lines: <omitted>
  stdout: ''
  stdout_lines: <omitted>

I already know how to fix this using plain Bash shell: Can't check signature: public key not found.
I don't want to fix it with shell commands, but I need to achieve it using Ansible.

My question is: how do I fix this error using Ansible or even better with an existing DebOps role?

Edit based on first answer: I should clarify that this is not in the context of apt-get, there is no APT keyring involved at all. The wpcli role is distribution neutral and works on Debian, Red Hat, SUSE, Arch, and any other distro that supports Ansible.


Solution

  • By using the debops.keyring role.

    Have this in meta/main.yml:

    ---
    dependencies:
      - role: debops.debops.keyring
        keyring__dependent_gpg_keys:
          - id: 63AF7AA15067C05616FDDD88A3A2E8F226F0BC06
      - role: debops.debops.wpcli
    
    

    The keyring role will first install the key 63AF7AA15067C05616FDDD88A3A2E8F226F0BC06 into root's gnupg keyring, and then the wpcli role will find the key there.
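
The ordering described in the answer, written as a playbook with a read-only check between the two roles. This is an added example, not part of the answer and not DebOps code. The variable names `wpcli_release_fpr` and `wpcli_key_listing` are hypothetical, and it assumes both roles behave the same when imported as tasks as when listed as dependencies.

```yaml
---
- name: Install wp-cli after its release key is in root's GnuPG keyring
  hosts: webserver            # host name taken from the error output
  become: true                # gpg in the failing task used /root/.gnupg
  vars:
    # Hypothetical variable name; the value is the fingerprint gpg reported.
    wpcli_release_fpr: '63AF7AA15067C05616FDDD88A3A2E8F226F0BC06'
  tasks:
    - name: Import the release key with the keyring role
      ansible.builtin.import_role:
        name: debops.debops.keyring
      vars:
        keyring__dependent_gpg_keys:
          - id: '{{ wpcli_release_fpr }}'

    - name: List the key in machine-readable form (read-only)
      ansible.builtin.command:
        argv:
          - gpg
          - '--batch'
          - '--with-colons'
          - '--list-keys'
          - '{{ wpcli_release_fpr }}'
      register: wpcli_key_listing
      changed_when: false

    - name: Require the full 40-character fingerprint in the keyring
      ansible.builtin.assert:
        that:
          # gpg's colon format puts the fingerprint in field 10 of "fpr" records.
          - "('fpr:::::::::' ~ wpcli_release_fpr ~ ':') in wpcli_key_listing.stdout_lines"
        fail_msg: "Key {{ wpcli_release_fpr }} is missing from root's keyring"

    - name: Install wp-cli now that its signature can be checked
      ansible.builtin.import_role:
        name: debops.debops.wpcli
```

The assert stops the play before the wpcli role's decrypt-and-install step if the key is absent, so a missing key shows up as a clear failure rather than as `Can't check signature: No public key`.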