Check key and sub-key fingerprints

ad608b03 · Chris Croome · 1c68259c · ad608b03 · ad608b03
Commit ad608b03 authored 2 years ago by Chris Croome
--- a/tasks/docker.yml
+++ b/tasks/docker.yml
@@ -82,7 +82,7 @@
        group: root

    - name: Docker gpg key check command
-      ansible.builtin.command: gpg --with-colons --with-fingerprint --with-subkey-fingerprint /etc/apt/keyrings/docker.asc
+      ansible.builtin.command: gpg --with-colons --show-keys /etc/apt/keyrings/docker.asc
      check_mode: false
      changed_when: false
      register: docker_gpg
@@ -90,7 +90,12 @@
    - name: Docker gpg key checked
      ansible.builtin.assert:
        that:
-          - docker_gpg_fingerprint in docker_gpg.stdout
+          - fpr in docker_gpg.stdout
+      loop: "{{ docker_gpg_fingerprints }}"
+      loop_control:
+        extended: true
+        loop_var: fpr
+        label: "{{ ansible_loop.index }}"

    - name: Docker apt repo available
      ansible.builtin.template:

--- a/vars/main.yml
+++ b/vars/main.yml
 ---
+# You can get the sha256 checksum using the following command:
+# wget -q https://download.docker.com/linux/debian/gpg -O - | sha256sum - | awk '{ print $1 }'
 docker_gpg_checksum: "sha256:1500c1f56fa9e26b9b8f42452a553675796ade0807cdce11975eb98170b3a570"
-docker_gpg_fingerprint: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
+
+# You can get the gpg fingerprints using the following command:
+# wget -q https://download.docker.com/linux/debian/gpg -O - | gpg --with-colons --show-keys - | grep ^fpr | sed 's/^fpr//' | sed 's/://g' | sed 's/^/  - /'
+docker_gpg_fingerprints:
+-  9DC858229FC7DD38854AE2D88D81803C0EBFCD88
+-  D3306A018370199E527AE7997EA0A9C3F273FCD8
+
 docker_pkg:
  - containerd.io
  - docker-ce