VhFddlmZdZdZdZddlZddlmZddlm Z ddl m Z dd l m Z dd lmZdadadZd Zd Zd ZdZddZdZdZdZddZdZdZddZdZdZ e!dk(re yy)) annotationsa --- module: apt_key author: - Jayson Vantuyl (@jvantuyl) version_added: "1.0" short_description: Add or remove an apt key description: - Add or remove an I(apt) key, optionally downloading it. extends_documentation_fragment: action_common_attributes attributes: check_mode: support: full diff_mode: support: none platform: platforms: debian notes: - The C(apt-key) command used by this module has been deprecated. See the L(Debian wiki,https://wiki.debian.org/DebianRepository/UseThirdParty) for details. This module is kept for backwards compatibility for systems that still use C(apt-key) as the main way to manage apt repository keys. - As a sanity check, downloaded key id must match the one specified. - "Use full fingerprint (40 characters) key ids to avoid key collisions. To generate a full-fingerprint imported key: C(apt-key adv --list-public-keys --with-fingerprint --with-colons)." - If you specify both the key O(id) and the O(url) with O(state=present), the task can verify or add the key as needed. - Adding a new key requires an apt cache update (e.g. using the M(ansible.builtin.apt) module's C(update_cache) option). requirements: - gpg seealso: - module: ansible.builtin.deb822_repository options: id: description: - The identifier of the key. - Including this allows check mode to correctly report the changed state. - If specifying a subkey's id be aware that apt-key does not understand how to remove keys via a subkey id. Specify the primary key's id instead. - This parameter is required when O(state) is set to V(absent). type: str data: description: - The keyfile contents to add to the keyring. type: str file: description: - The path to a keyfile on the remote server to add to the keyring. type: path keyring: description: - The full path to specific keyring file in C(/etc/apt/trusted.gpg.d/). type: path version_added: "1.3" url: description: - The URL to retrieve key from. type: str keyserver: description: - The keyserver to retrieve key from. type: str version_added: "1.6" state: description: - Ensures that the key is present (added) or absent (revoked). type: str choices: [ absent, present ] default: present validate_certs: description: - If V(false), SSL certificates for the target url will not be validated. This should only be used on personally controlled sites using self-signed certificates. type: bool default: 'yes' a* - name: One way to avoid apt_key once it is removed from your distro, armored keys should use .asc extension, binary should use .gpg block: - name: somerepo | no apt key ansible.builtin.get_url: url: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x36a1d7869245c8950f966e92d8576a8ba88d21e9 dest: /etc/apt/keyrings/myrepo.asc checksum: sha256:bb42f0db45d46bab5f9ec619e1a47360b94c27142e57aa71f7050d08672309e0 - name: somerepo | apt source ansible.builtin.apt_repository: repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/myrepo.asc] https://download.example.com/linux/ubuntu {{ ansible_distribution_release }} stable" state: present - name: Add an apt key by id from a keyserver ansible.builtin.apt_key: keyserver: keyserver.ubuntu.com id: 36A1D7869245C8950F966E92D8576A8BA88D21E9 - name: Add an Apt signing key, uses whichever key is at the URL ansible.builtin.apt_key: url: https://ftp-master.debian.org/keys/archive-key-6.0.asc state: present - name: Add an Apt signing key, will not download if present ansible.builtin.apt_key: id: 9FED2BCBDCD29CDF762678CBAED4B06F473041FA url: https://ftp-master.debian.org/keys/archive-key-6.0.asc state: present - name: Remove a Apt specific signing key, leading 0x is valid ansible.builtin.apt_key: id: 0x9FED2BCBDCD29CDF762678CBAED4B06F473041FA state: absent # Use armored file since utf-8 string is expected. Must be of "PGP PUBLIC KEY BLOCK" type. - name: Add a key from a file on the Ansible server ansible.builtin.apt_key: data: "{{ lookup('ansible.builtin.file', 'apt.asc') }}" state: present - name: Add an Apt signing key to a specific keyring file ansible.builtin.apt_key: id: 9FED2BCBDCD29CDF762678CBAED4B06F473041FA url: https://ftp-master.debian.org/keys/archive-key-6.0.asc keyring: /etc/apt/trusted.gpg.d/debian.gpg - name: Add Apt signing key on remote server to keyring ansible.builtin.apt_key: id: 9FED2BCBDCD29CDF762678CBAED4B06F473041FA file: /tmp/apt.gpg state: present a after: description: List of apt key ids or fingerprints after any modification returned: on change type: list sample: ["D8576A8BA88D21E9", "3B4FE6ACC0B21F32", "D94AA3F0EFE21092", "871920D1991BC93C"] before: description: List of apt key ids or fingprints before any modifications returned: always type: list sample: ["3B4FE6ACC0B21F32", "D94AA3F0EFE21092", "871920D1991BC93C"] fp: description: Fingerprint of the key to import returned: always type: str sample: "D8576A8BA88D21E9" id: description: key id from source returned: always type: str sample: "36A1D7869245C8950F966E92D8576A8BA88D21E9" key_id: description: calculated key id, it should be same as 'id', but can be different returned: always type: str sample: "36A1D7869245C8950F966E92D8576A8BA88D21E9" short_id: description: calculated short key id returned: always type: str sample: "A88D21E9" N) format_exc) to_native) AnsibleModule)get_best_parsable_locale) fetch_urlcttds#t|}t||||t_tjS)Nresult)LANGLC_ALL LC_MESSAGESLANGUAGE)hasattrlang_envrdictr )modulelocales G/home/dcms/DCMS/lib/python3.12/site-packages/ansible/modules/apt_key.pyrrs3 8X &)&1F6vX^_ ??cP|jdda|jdday)Nzapt-keyT)requiredgpg) get_bin_path apt_key_bingpg_bin)rs rfind_needed_binariesrs.%%i$%?K!!%$!7GrcndD]%}tjj|}|s%nr|d|zz }|S)N) HTTPS_PROXY https_proxy HTTP_PROXY http_proxyz" --keyserver-options http-proxy=%s)osenvironget)cmdenvvarproxys radd_http_proxyr(sCL v&     3e;; Jrctt|d|j}|jdr|dd}t |}|dk7r|dk7r|dkr t d|dd}|}|dkDr|dd}|||fS) avalidate the key_id and break it into segments :arg key_id: The key_id as supplied by the user. A valid key_id will be 8, 16, or more hexadecimal chars with an optional leading ``0x``. :returns: The portion of key_id suitable for apt-key del, the portion suitable for comparisons with --list-public-keys, and the portion that can be used with --recv-key. If key_id is long enough, these will be the last 8 characters of key_id, the last 16 characters, and all of key_id. If key_id is not long enough, some of the values will be the same. * apt-key del <= 1.10 has a bug with key_id != 8 chars * apt-key adv --list-public-keys prints 16 chars * apt-key adv --recv-key can take more chars 0XNz=key_id must be 8, 16, or 16+ hexadecimal characters in lengthi)intrupper startswithlen ValueError)key_id key_id_len short_key_id fingerprints r parse_key_idr8s$ &2 \\^F VJaJ",*2BXYY"#;LKBSTl f ,,rcg}t|jd}|D]e}|jds|jds&d|vs+ |j}|d}|jd\}}|j |g|r |r t |}|S#ttf$r1 |jd}|d}n#ttf$rYYwxYwYcwxYw) N pubsubexpired/:)rsplitr1 IndexErrorr3appendshorten_key_ids) output short_formatfoundlineslinetokenscodelen_type real_codes rparse_output_for_keysrOs E f  # #D )E$ OOE "dooe&<)SWBW ay(, 3%9 LL #$" & L + !ZZ_F &q I"J/  s6 )BC(B?>C?CCCCCc| td|d}n dtz}|j|\}}}|dk7r|jd||||t||S)N --keyring z+ adv --list-public-keys --keyid-format=longz-%s adv --list-public-keys --keyid-format=longrzUnable to list public keysmsgr%rcstdoutstderr)r run_command fail_jsonrO)rkeyringrGr%rTouterrs rall_keysr\scNY[bc= K'',NRc Qw9srRU^ab l 33rc@g}|D]}|j|dd|S)z| Takes a list of key ids, and converts them to the 'short' format, by reducing them to their last 8 characters. r.N)rD) key_id_listshortkeys rrErE$s/ E SX Lrc t||d\}}|ddk7r|jd|d|d|jS#t$r!|jd |zt YywxYw) NT) use_proxystatuszFailed to download key at z: rSrSz!error getting key id from url: %s)rS traceback)rrXread Exceptionr)rurlrspinfos r download_keyrl/s{`fcT: T >S   sDQVK!X  Yxxz `@3FR\R^_`sAA'A0/A0c t|}|jddk\}d}td|g}|j|t ||r|n|| \}}} |dk7r|j d|dn|z|| t |} | r| d}|S)Nz$-----BEGIN PGP PUBLIC KEY BLOCK-----rz --with-colons)environ_updatedata binary_datazUnable to extract key from '%s'z inline data)rSrUrV)rfindrrWrrXrO) rfilenamero native_data is_armoredr`r%rTrZr[keyss rget_key_id_from_filerv<sD/K!!"HIQNJ C OX .C''HVSWSc-iqr{~HK L  %D 1g Jrct|d|S)N-)rv)rros rget_key_id_from_dataryQs T 22rc||rtd|d|}n td|}t|}|d|}tdD])}|j|t |\}}}|dk(s)ydk(r*dvr&d |d |} |j || t | yd |d |} |j || t ||y)NrQz adv --no-tty --keyserver z --recv )rnrr,znot found on keyserverzKey z not found on keyserver )r%rSforced_environmentzError fetching key z from keyserver: )r%rSr|rTrUrVT)rr(rangerWrrX) rrY keyserverr4r%retryrTrZr[rSs r import_keyrUs?JGU^_2=yI  C  (Cq s++C@P+QS# 7   s 7/368> JC   #(6BR  S AG RC   #(6BRWYbenq  r rc@|L|r td|d}n dtz}|j||d\}}}|dk7r|jd||||y|rtd|d |}n td |}|j|\}}}|dk7r|jd |z||||| y) NrQz add -z%s add -T)rorprz$Unable to add a key from binary datarRz add z Unable to add a key from file %s)rSr%rTkeyfilerUrVrrWrX)rrrYror%rTrZr[s radd_keyrqs  -8'BC{*C++Cd+MS# 7   :  ,  .97GLC!,g6C++C0S# 7   6'B   rc|rtd|d|}n td|}|j|\}}}|dk7r|jd|z|||||y)NrQz del rz!Unable to remove a key with id %s)rSr%rTr4rUrVTr)rr4rYr%rTrZr[s r remove_keyrsg*5wG(&1'',NRc Qw3v>   rctttdtdtdtdtdtddtdtddddg  dd }|jd }|jd}|jd}|jd}|jd}|jd}|jd}d}d} d} d} t|ddi} |s?|r|j d|r t ||}|r t ||}n|r t||}|| d < t|\} } }| | d<| | d<|| d<| s|jd(ddi| t|dk(rd}t|||x| d <} g}|dk(r|r| | vs|s1| | vr,d| d<|js|rt|||nS|rt||||nB|rt|d!||n1|rt ||}t|d!||n|jd(dd"i| t|||x| d#<}|r| |vs|s| |vr|jd(d| d$zi| n|dk(r||s|jd(dd%i| | | vrbd| d<|jsQ| ;t|| |r.t|||x| d#<}| |vr,|jd(d| d&zi| n|jd(dd'i| |j d(i| y#t$r|jd(ddi| YwxYw))Nstr)typepathboolT)rdefaultpresentabsent)rrchoices)idrirofilerYvalidate_certsr~state))rorr~ri) argument_specsupports_check_modemutually_exclusiverrirorrYrr~FzYapt-key did not return an error, but %s (check that the id is correct and *not* a subkey)changedz(Missing key_id, required with keyserver.reshort_idfpr4rSzInvalid key_idz`Unable to continue as we could not extract a valid fingerprint to compare against existing keys.r-beforerxz(No key to add ... how did i get here?!?!afterzfailed to add the keyzkey is required to remove a keyzthe key was not removedzerror removing key_id)rrparamsrrXrlrvryr8r3r2r\ check_moderrr exit_json)rr4rirorrrYrr~rGr6r7error_no_errorrrukeys2s rmainrs % 5!6"f%VT:&E9x>ST  !B F ]]4 F -- C == D}}V$HmmI&G MM' "E k*ILLKpN  EA     !K  L ,D )&(;F )&$7FAdG4,8,@) k6$* $(   F FDE F 6{a "&'<@@AhK$ E  \5|P[cgPgAiL$$FHg6vw 6BFC$7'4DFC$7$F$$Y)SYWXY&.fg|%LL' U \%> YdlqYq$F$$W:Q)QWUVW (  F   H!B Ha H $ AiL$$ + 6W-W][\]$F$$F)@FAFFqi 43-334s<K&&LL__main__)F)N)" __future__r DOCUMENTATIONEXAMPLESRETURNr"rfr+ansible.module_utils.common.text.convertersransible.module_utils.basicr"ansible.module_utils.common.localeransible.module_utils.urlsrrrrrrr(r8rOr\rErlrvryrrrr__name__rrrrs#G R4 l B !A4G/  8 "-J6 4 `*38B$l^ zFr