Support for making local copy of GPG key

README.md

@@ -18,6 +18,7 @@ This role lets you install packages from third party repositories.
 | `gpg_server` | no | `keyserver.ubuntu.com` | GPG server address to import the key from. Only supported on Debian derivatives. |
 | `gpg_id` | no | `ACCAF35C` | ID of the key hosted on the GPG server. Only supported on Debian derivatives. |
 | `gpg_allow_sha1` | no | `true` | By default, EL 9 and up won't allow importing RPM keys with SHA1 algo. Setting this to `true` temporarily changes the policy to allow SHA1 keys. Only supported on Red Hat derivatives. |
+| `gpg_dest` | no | `/etc/pki/rpm-gpg/PGDG-RPM-GPG-KEY` | If specified, copy the specified GPG key to this path. May be needed with certain repos that explicitly use these keys in their repo files. |
 | `ldconfig` | no | `true` | If `true`, ldconfig is ran after the installation finishes. Useful when installing libraries that extend `LD_LIBRARY_PATH`. |
 | `repo_overwrite` | no | `true` | If `true`, the repo file is deployed once more after package installation. Useful when the package alters the repo file during installation and thus would break idempotency, e.g. Google Chrome. |
 | `conflict` | no | `clamav` | Avoid installing `package` on systems where this package is installed. |
@@ -46,6 +47,7 @@ You must specify either:
   vars:
     name: 'Vulkan SDK'
     gpg_url: 'https://packages.lunarg.com/lunarg-signing-key-pub.asc'
+    gpg_dest: '/etc/apt/trusted.gpg.d/lunarg.asc'
     repo_file: 'lunarg-vulkan'
     package: 'vulkan-sdk'
     ldconfig: true

tasks/gpg_el.yml

@@ -11,13 +11,22 @@
     state: present
   when: gpg_url is defined
 
+- name: "Make local copy of {{ name }} GPG key"
+  get_url:
+    url: "{{ gpg_url }}"
+    dest: "{{ eff_gpg_dest }}"
+    owner: root
+    group: root
+    mode: '0644'
+  when: gpg_url is defined and gpg_dest is defined
+
 # https://github.com/ansible/ansible/issues/10515
 # Even with workarounds, it gives 'Not a valid key' errors, so copy first.
 # Use 'package' for destination filename, as that should be unique.
 - name: "Copy {{ name }} GPG key"
   copy:
     src: "{{ gpg_file }}"
-    dest: "/etc/pki/rpm-gpg/{{ package }}"
+    dest: "{{ eff_gpg_dest }}"
     owner: root
     group: root
     mode: '0644'
@@ -32,7 +41,7 @@
 
 - name: "Import {{ name }} GPG key"
   rpm_key:
-    key: "/etc/pki/rpm-gpg/{{ package }}"
+    key: "{{ eff_gpg_dest }}"
     state: present
   when: gpg_file is defined
 

tasks/gpg_ubuntu.yml

@@ -7,13 +7,31 @@
 
 - name: "Import {{ name }} GPG key"
   apt_key:
-    data: "{{ lookup('file', '{{ gpg_file }}') }}"
+    keyserver: "{{ gpg_server }}"
+    id: "{{ gpg_id }}"
     state: present
-  when: gpg_file is defined
+  when: (gpg_server is defined) and (gpg_id is defined)
+
+- name: "Make local copy of {{ name }} GPG key"
+  get_url:
+    url: "{% if gpg_url is defined %}{{ gpg_url }}{% else %}https://{{ gpg_server }}/pks/lookup?op=get&search=0x{{ gpg_id }}{% endif %}"
+    dest: "{{ eff_gpg_dest }}"
+    owner: root
+    group: root
+    mode: '0644'
+  when: ((gpg_url is defined) or (gpg_server is defined and gpg_id is defined)) and gpg_dest is defined
 
 - name: "Import {{ name }} GPG key"
   apt_key:
-    keyserver: "{{ gpg_server }}"
-    id: "{{ gpg_id }}"
+    data: "{{ lookup('file', '{{ gpg_file }}') }}"
     state: present
-  when: (gpg_server is defined) and (gpg_id is defined)
+  when: gpg_file is defined
+
+- name: "Copy {{ name }} GPG key"
+  copy:
+    src: "{{ gpg_file }}"
+    dest: "{{ eff_gpg_dest }}"
+    owner: root
+    group: root
+    mode: '0644'
+  when: gpg_file is defined and gpg_dest is defined

vars/main.yml

@@ -3,3 +3,5 @@ yumlock_del_str: 'versionlock delete: no matches'
 yumlock_add_str: 'versionlock added: 0'
 dnflock_del_str: "Deleting versionlock for: {{ package }}"
 dnflock_add_str: "Adding versionlock on: {{ package }}"
+
+eff_gpg_dest: "{% if gpg_dest is defined and gpg_dest | string | length %}{{ gpg_dest }}{% else %}{% if ansible_os_family == 'RedHat' %}/etc/pki/rpm-gpg/{% else %}/etc/apt/trusted.gpg.d/{% endif %}{{ package }}{% endif %}"