community.general.pacman_key – Manage pacman’s list of trusted keys

Note

This plugin is part of the community.general collection (version 3.8.1).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general.

To use it in a playbook, specify: community.general.pacman_key.

New in version 3.2.0: of community.general

Synopsis

  • Add or remove gpg keys from the pacman keyring.

Requirements

The below requirements are needed on the host that executes this module.

  • gpg
  • pacman-key

Parameters

Parameter Choices/Defaults Comments
data
string
The keyfile contents to add to the keyring.
Must be of PGP PUBLIC KEY BLOCK type.
file
path
The path to a keyfile on the remote server to add to the keyring.
Remote file must be of PGP PUBLIC KEY BLOCK type.
force_update
boolean
    Choices:
  • no
  • yes
This forces the key to be updated if it already exists in the keyring.
id
string / required
The 40 character identifier of the key.
Including this allows check mode to correctly report the changed state.
Do not specify a subkey ID, instead specify the primary key ID.
keyring
path
Default:
"/etc/pacman.d/gnupg"
The full path to the keyring folder on the remote server.
If not specified, module will use pacman's default (/etc/pacman.d/gnupg).
Useful if the remote system requires an alternative gnupg directory.
keyserver
string
The keyserver used to retrieve key from.
state
string
    Choices:
  • absent
  • present
Ensures that the key is present (added) or absent (revoked).
url
string
The URL to retrieve keyfile from.
Remote file must be of PGP PUBLIC KEY BLOCK type.
verify
boolean
    Choices:
  • no
  • yes
Whether or not to verify the keyfile's key ID against specified key ID.

Notes

Note

  • Use full-length key ID (40 characters).
  • Keys will be verified when using data, file, or url unless verify is overridden.
  • Keys will be locally signed after being imported into the keyring.
  • If the key ID exists in the keyring, the key will not be added unless force_update is specified.
  • data, file, url, and keyserver are mutually exclusive.
  • Supports check_mode.

Examples

- name: Import a key via local file
  community.general.pacman_key:
    data: "{{ lookup('file', 'keyfile.asc') }}"
    state: present

- name: Import a key via remote file
  community.general.pacman_key:
    file: /tmp/keyfile.asc
    state: present

- name: Import a key via url
  community.general.pacman_key:
    id: 01234567890ABCDE01234567890ABCDE12345678
    url: https://domain.tld/keys/keyfile.asc
    state: present

- name: Import a key via keyserver
  community.general.pacman_key:
    id: 01234567890ABCDE01234567890ABCDE12345678
    keyserver: keyserver.domain.tld

- name: Import a key into an alternative keyring
  community.general.pacman_key:
    id: 01234567890ABCDE01234567890ABCDE12345678
    file: /tmp/keyfile.asc
    keyring: /etc/pacman.d/gnupg-alternative

- name: Remove a key from the keyring
  community.general.pacman_key:
    id: 01234567890ABCDE01234567890ABCDE12345678
    state: absent

Authors

  • George Rawlinson (@grawlinson)

© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/community/general/pacman_key_module.html