community.general.pacman_key module – Manage pacman’s list of trusted keys

Note

This module is part of the community.general collection (version 12.0.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: community.general.pacman_key.

New in community.general 3.2.0

Synopsis

  • Add or remove gpg keys from the pacman keyring.

Requirements

The below requirements are needed on the host that executes this module.

  • gpg

  • pacman-key

Parameters

Parameter

Comments

data

string

The keyfile contents to add to the keyring.

Must be of PGP PUBLIC KEY BLOCK type.

ensure_trusted

boolean

added in community.general 11.0.0

Ensure that the key is trusted (signed by the Pacman machine key and not expired).

Choices:

  • false ← (default)

  • true

file

path

The path to a keyfile on the remote server to add to the keyring.

Remote file must be of PGP PUBLIC KEY BLOCK type.

force_update

boolean

This forces the key to be updated if it already exists in the keyring.

Choices:

  • false ← (default)

  • true

id

string / required

The 40 character identifier of the key.

Including this allows check mode to correctly report the changed state.

Do not specify a subkey ID, instead specify the primary key ID.

keyring

path

The full path to the keyring folder on the remote server.

If not specified, module uses pacman’s default (/etc/pacman.d/gnupg).

Useful if the remote system requires an alternative gnupg directory.

Default: "/etc/pacman.d/gnupg"

keyserver

string

The keyserver used to retrieve key from.

state

string

Ensures that the key is present (added) or absent (revoked).

Choices:

  • "absent"

  • "present" ← (default)

url

string

The URL to retrieve keyfile from.

Remote file must be of PGP PUBLIC KEY BLOCK type.

verify

boolean

Whether or not to verify the keyfile’s key ID against specified key ID.

Choices:

  • false

  • true ← (default)

Attributes

Attribute

Support

Description

check_mode

Support: full

Can run in check_mode and return changed status prediction without modifying target.

diff_mode

Support: none

Returns details on what has changed (or possibly needs changing in check_mode), when in diff mode.

Notes

Note

  • Use full-length key ID (40 characters).

  • Keys are verified when using data, file, or url unless verify is overridden.

  • Keys are locally signed after being imported into the keyring.

  • If the key ID exists in the keyring, the key is not added unless force_update is specified.

  • data, file, url, and keyserver are mutually exclusive.

Examples

- name: Import a key via local file
  community.general.pacman_key:
    id: 01234567890ABCDE01234567890ABCDE12345678
    data: "{{ lookup('file', 'keyfile.asc') }}"
    state: present

- name: Import a key via remote file
  community.general.pacman_key:
    id: 01234567890ABCDE01234567890ABCDE12345678
    file: /tmp/keyfile.asc
    state: present

- name: Import a key via url
  community.general.pacman_key:
    id: 01234567890ABCDE01234567890ABCDE12345678
    url: https://domain.tld/keys/keyfile.asc
    state: present

- name: Import a key via keyserver
  community.general.pacman_key:
    id: 01234567890ABCDE01234567890ABCDE12345678
    keyserver: keyserver.domain.tld

- name: Import a key into an alternative keyring
  community.general.pacman_key:
    id: 01234567890ABCDE01234567890ABCDE12345678
    file: /tmp/keyfile.asc
    keyring: /etc/pacman.d/gnupg-alternative

- name: Remove a key from the keyring
  community.general.pacman_key:
    id: 01234567890ABCDE01234567890ABCDE12345678
    state: absent

Authors

  • George Rawlinson (@grawlinson)