From 3168a5e1ca1edce10e0b85036b5275566253f9b6 Mon Sep 17 00:00:00 2001
From: Vasiliy Levykin
Date: Fri, 23 Jan 2026 15:36:33 +0000
Subject: [PATCH 1/3] Restrict APT signing keys only to the corresponding repos.
https://bugtracker.codiodev.com/issue/codio-17403
---
 openjdk-11/playbook.yaml | 9 +++++----
 openjdk-17/playbook.yaml | 9 +++++----
 openjdk-21/playbook.yaml | 9 +++++----
 openjdk-25/playbook.yaml | 9 +++++----
 openjdk-8/playbook.yaml | 9 +++++----
 r-studio/playbook.yaml | 4 ++--
 6 files changed, 27 insertions(+), 22 deletions(-)
diff --git a/openjdk-11/playbook.yaml b/openjdk-11/playbook.yaml
index fba808a..37b457f 100644
--- a/openjdk-11/playbook.yaml
+++ b/openjdk-11/playbook.yaml
@@ -3,14 +3,15 @@
 become: true
 become_user: root
 tasks:
- - name: Ensure Eclipse Adoptium apt repository key is present
- apt_key:
+ - name: Eclipse Adoptium key
+ ansible.builtin.get_url:
 url: https://packages.adoptium.net/artifactory/api/gpg/key/public
- state: present
+ dest: /etc/apt/keyrings/adoptium.asc
+ mode: "0644"
 - name: Ensure Eclipse Adoptium apt repository is present
 apt_repository:
- repo: 'deb https://packages.adoptium.net/artifactory/deb {{ ansible_distribution_release }} main'
+ repo: 'deb [signed-by=/etc/apt/keyrings/adoptium.asc] https://packages.adoptium.net/artifactory/deb {{ ansible_distribution_release }} main'
 filename: openjdk_adoptium
 update_cache: yes
 state: present
diff --git a/openjdk-17/playbook.yaml b/openjdk-17/playbook.yaml
index e03e385..83d2e29 100644
--- a/openjdk-17/playbook.yaml
+++ b/openjdk-17/playbook.yaml
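Review bot: The new `get_url` task in the openjdk-11 hunk downloads the Adoptium key with no integrity check, so whatever `https://packages.adoptium.net/artifactory/api/gpg/key/public` serves at run time becomes the trust anchor that `signed-by` pins. Adding `checksum: "sha256:<EXPECTED_KEY_SHA256>"` (placeholder; take the value from a key verified out of band) makes a swapped key fail the play, at the cost of a playbook update when the vendor rotates the key. The identical task in the openjdk-17, -21, -25 and -8 hunks has the same gap. Hosts that already ran the removed `apt_key` task presumably still hold this key in the global keyring, so the restriction only takes effect on fresh builds unless a cleanup task is added.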
@@ -3,14 +3,15 @@
 become: true
 become_user: root
 tasks:
- - name: Ensure Eclipse Adoptium apt repository key is present
- apt_key:
+ - name: Eclipse Adoptium key
+ ansible.builtin.get_url:
 url: https://packages.adoptium.net/artifactory/api/gpg/key/public
- state: present
+ dest: /etc/apt/keyrings/adoptium.asc
+ mode: "0644"
 - name: Ensure Eclipse Adoptium apt repository is present
 apt_repository:
- repo: 'deb https://packages.adoptium.net/artifactory/deb {{ ansible_distribution_release }} main'
+ repo: 'deb [signed-by=/etc/apt/keyrings/adoptium.asc] https://packages.adoptium.net/artifactory/deb {{ ansible_distribution_release }} main'
 filename: openjdk_adoptium
 update_cache: yes
 state: present
diff --git a/openjdk-21/playbook.yaml b/openjdk-21/playbook.yaml
index 1b3173e..a9f8006 100644
--- a/openjdk-21/playbook.yaml
+++ b/openjdk-21/playbook.yaml
@@ -3,14 +3,15 @@
 become: true
 become_user: root
 tasks:
- - name: Ensure Eclipse Adoptium apt repository key is present
- apt_key:
+ - name: Eclipse Adoptium key
+ ansible.builtin.get_url:
 url: https://packages.adoptium.net/artifactory/api/gpg/key/public
- state: present
+ dest: /etc/apt/keyrings/adoptium.asc
+ mode: "0644"
 - name: Ensure Eclipse Adoptium apt repository is present
 apt_repository:
- repo: 'deb https://packages.adoptium.net/artifactory/deb {{ ansible_distribution_release }} main'
+ repo: 'deb [signed-by=/etc/apt/keyrings/adoptium.asc] https://packages.adoptium.net/artifactory/deb {{ ansible_distribution_release }} main'
 filename: openjdk_adoptium
 update_cache: yes
 state: present
diff --git a/openjdk-25/playbook.yaml b/openjdk-25/playbook.yaml
index c860bb8..1c204f4 100644
--- a/openjdk-25/playbook.yaml
+++ b/openjdk-25/playbook.yaml
@@ -3,14 +3,15 @@
 become: true
 become_user: root
 tasks:
- - name: Ensure Eclipse Adoptium apt repository key is present
- apt_key:
+ - name: Eclipse Adoptium key
+ ansible.builtin.get_url:
 url: https://packages.adoptium.net/artifactory/api/gpg/key/public
- state: present
+ dest: /etc/apt/keyrings/adoptium.asc
+ mode: "0644"
 - name: Ensure Eclipse Adoptium apt repository is present
 apt_repository:
- repo: 'deb https://packages.adoptium.net/artifactory/deb {{ ansible_distribution_release }} main'
+ repo: 'deb [signed-by=/etc/apt/keyrings/adoptium.asc] https://packages.adoptium.net/artifactory/deb {{ ansible_distribution_release }} main'
 filename: openjdk_adoptium
 update_cache: yes
 state: present
diff --git a/openjdk-8/playbook.yaml b/openjdk-8/playbook.yaml
index 267fe40..b617ddf 100644
--- a/openjdk-8/playbook.yaml
+++ b/openjdk-8/playbook.yaml
@@ -3,14 +3,15 @@
 become: true
 become_user: root
 tasks:
- - name: Ensure Eclipse Adoptium apt repository key is present
- apt_key:
+ - name: Eclipse Adoptium key
+ ansible.builtin.get_url:
 url: https://packages.adoptium.net/artifactory/api/gpg/key/public
- state: present
+ dest: /etc/apt/keyrings/adoptium.asc
+ mode: "0644"
 - name: Ensure Eclipse Adoptium apt repository is present
 apt_repository:
- repo: 'deb https://packages.adoptium.net/artifactory/deb {{ ansible_distribution_release }} main'
+ repo: 'deb [signed-by=/etc/apt/keyrings/adoptium.asc] https://packages.adoptium.net/artifactory/deb {{ ansible_distribution_release }} main'
 filename: openjdk_adoptium
 update_cache: yes
 state: present
diff --git a/r-studio/playbook.yaml b/r-studio/playbook.yaml
index 5c79887..7c2d8bf 100644
--- a/r-studio/playbook.yaml
+++ b/r-studio/playbook.yaml
@@ -19,13 +19,13 @@
 - name: Cpan apt key
 ansible.builtin.get_url:
 url: https://cloud.r-project.org/bin/linux/ubuntu/marutter_pubkey.asc
- dest: /etc/apt/trusted.gpg.d/cran_ubuntu_key.asc
+ dest: /etc/apt/keyrings/cran_ubuntu_key.asc
 mode: "0644"
 - name: Add R repository into sources list
 ansible.builtin.apt_repository:
- repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/cran_ubuntu_key.asc] https://cloud.r-project.org/bin/linux/ubuntu {{ ansible_distribution_release }}-cran40/"
+ repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/cran_ubuntu_key.asc] https://cloud.r-project.org/bin/linux/ubuntu {{ ansible_distribution_release }}-cran40/"
 state: present
 - name: Add CRAN Packages
From 6f11e982b252133fd6b7834dce89686369643af1 Mon Sep 17 00:00:00 2001
From: Vasiliy Levykin
Date: Mon, 26 Jan 2026 17:28:16 +0000
Subject: [PATCH 2/3] Don't use FQCN for compatibility.
---
 openjdk-11/playbook.yaml | 2 +-
 openjdk-17/playbook.yaml | 2 +-
 openjdk-21/playbook.yaml | 2 +-
 openjdk-25/playbook.yaml | 2 +-
 openjdk-8/playbook.yaml | 2 +-
 r-studio/playbook.yaml | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/openjdk-11/playbook.yaml b/openjdk-11/playbook.yaml
index 37b457f..9d1a571 100644
--- a/openjdk-11/playbook.yaml
+++ b/openjdk-11/playbook.yaml
@@ -4,7 +4,7 @@
 become_user: root
 tasks:
 - name: Eclipse Adoptium key
- ansible.builtin.get_url:
+ get_url:
 url: https://packages.adoptium.net/artifactory/api/gpg/key/public
 dest: /etc/apt/keyrings/adoptium.asc
 mode: "0644"
diff --git a/openjdk-17/playbook.yaml b/openjdk-17/playbook.yaml
index 83d2e29..37ff500 100644
--- a/openjdk-17/playbook.yaml
+++ b/openjdk-17/playbook.yaml
@@ -4,7 +4,7 @@
 become_user: root
 tasks:
 - name: Eclipse Adoptium key
- ansible.builtin.get_url:
+ get_url:
 url: https://packages.adoptium.net/artifactory/api/gpg/key/public
 dest: /etc/apt/keyrings/adoptium.asc
 mode: "0644"
diff --git a/openjdk-21/playbook.yaml b/openjdk-21/playbook.yaml
index a9f8006..53015d5 100644
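Review bot: In the r-studio hunk of PATCH 1/3 nothing removes the copy of the CRAN key that the previous version of this play wrote to `/etc/apt/trusted.gpg.d/cran_ubuntu_key.asc`, and apt trusts every key in that directory for all repositories. On a host provisioned before this change the key would therefore stay globally trusted even though the repo line now points at `/etc/apt/keyrings/`. A `file` task with `path: /etc/apt/trusted.gpg.d/cran_ubuntu_key.asc` and `state: absent` ahead of the download closes that gap. Whether the play is ever re-run on existing machines is not visible from the hunk, so this may only matter for long-lived hosts.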
--- a/openjdk-21/playbook.yaml
+++ b/openjdk-21/playbook.yaml
@@ -4,7 +4,7 @@
 become_user: root
 tasks:
 - name: Eclipse Adoptium key
- ansible.builtin.get_url:
+ get_url:
 url: https://packages.adoptium.net/artifactory/api/gpg/key/public
 dest: /etc/apt/keyrings/adoptium.asc
 mode: "0644"
diff --git a/openjdk-25/playbook.yaml b/openjdk-25/playbook.yaml
index 1c204f4..361470f 100644
--- a/openjdk-25/playbook.yaml
+++ b/openjdk-25/playbook.yaml
@@ -4,7 +4,7 @@
 become_user: root
 tasks:
 - name: Eclipse Adoptium key
- ansible.builtin.get_url:
+ get_url:
 url: https://packages.adoptium.net/artifactory/api/gpg/key/public
 dest: /etc/apt/keyrings/adoptium.asc
 mode: "0644"
diff --git a/openjdk-8/playbook.yaml b/openjdk-8/playbook.yaml
index b617ddf..13ce7c8 100644
--- a/openjdk-8/playbook.yaml
+++ b/openjdk-8/playbook.yaml
@@ -4,7 +4,7 @@
 become_user: root
 tasks:
 - name: Eclipse Adoptium key
- ansible.builtin.get_url:
+ get_url:
 url: https://packages.adoptium.net/artifactory/api/gpg/key/public
 dest: /etc/apt/keyrings/adoptium.asc
 mode: "0644"
diff --git a/r-studio/playbook.yaml b/r-studio/playbook.yaml
index 21ec193..e197efa 100644
--- a/r-studio/playbook.yaml
+++ b/r-studio/playbook.yaml
@@ -4,7 +4,7 @@
 become_user: root
 tasks:
 - name: Fail if not running on Ubuntu 22.04
- ansible.builtin.fail:
+ fail:
 msg: "These tasks should only be run on Ubuntu 22.04"
 when: ansible_distribution != "Ubuntu" or ansible_distribution_version != "22.04"
From fe41d36241e7fd21e7935b828fbff1d8a7900886 Mon Sep 17 00:00:00 2001
From: Vasiliy Levykin
Date: Mon, 26 Jan 2026 17:33:12 +0000
Subject: [PATCH 3/3] Create a directory for keyrings.
---
 openjdk-11/playbook.yaml | 6 ++++++
 openjdk-17/playbook.yaml | 6 ++++++
 openjdk-21/playbook.yaml | 6 ++++++
 openjdk-25/playbook.yaml | 6 ++++++
 openjdk-8/playbook.yaml | 6 ++++++
 5 files changed, 30 insertions(+)
diff --git a/openjdk-11/playbook.yaml b/openjdk-11/playbook.yaml
index 9d1a571..f0b193f 100644
--- a/openjdk-11/playbook.yaml
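Review bot: r-studio/playbook.yaml looks only half-converted by PATCH 2/3: its hunk shortens `ansible.builtin.fail` alone, while the r-studio hunk of PATCH 1/3 shows `ansible.builtin.get_url` and `ansible.builtin.apt_repository` further down the same file and the diffstat here records a single changed line. If the target Ansible cannot resolve FQCNs, those two tasks would still fail there. The index line in this hunk starts from `21ec193`, not the `7c2d8bf` that PATCH 1/3 produced, so the file changed in between and the current contents should be checked before acting on this. Naming the Ansible version that needs the short names in the commit message would make the constraint clear to later editors.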
+++ b/openjdk-11/playbook.yaml
@@ -3,6 +3,12 @@
 become: true
 become_user: root
 tasks:
+ - name: Create a directory for keyrings
+ file:
+ path: /etc/apt/keyrings/
+ state: directory
+ mode: '0755'
+
 - name: Eclipse Adoptium key
 get_url:
 url: https://packages.adoptium.net/artifactory/api/gpg/key/public
diff --git a/openjdk-17/playbook.yaml b/openjdk-17/playbook.yaml
index 37ff500..32bad69 100644
--- a/openjdk-17/playbook.yaml
+++ b/openjdk-17/playbook.yaml
@@ -3,6 +3,12 @@
 become: true
 become_user: root
 tasks:
+ - name: Create a directory for keyrings
+ file:
+ path: /etc/apt/keyrings/
+ state: directory
+ mode: '0755'
+
 - name: Eclipse Adoptium key
 get_url:
 url: https://packages.adoptium.net/artifactory/api/gpg/key/public
diff --git a/openjdk-21/playbook.yaml b/openjdk-21/playbook.yaml
index 53015d5..9e24f56 100644
--- a/openjdk-21/playbook.yaml
+++ b/openjdk-21/playbook.yaml
@@ -3,6 +3,12 @@
 become: true
 become_user: root
 tasks:
+ - name: Create a directory for keyrings
+ file:
+ path: /etc/apt/keyrings/
+ state: directory
+ mode: '0755'
+
 - name: Eclipse Adoptium key
 get_url:
 url: https://packages.adoptium.net/artifactory/api/gpg/key/public
diff --git a/openjdk-25/playbook.yaml b/openjdk-25/playbook.yaml
index 361470f..72f5ec3 100644
--- a/openjdk-25/playbook.yaml
+++ b/openjdk-25/playbook.yaml
@@ -3,6 +3,12 @@
 become: true
 become_user: root
 tasks:
+ - name: Create a directory for keyrings
+ file:
+ path: /etc/apt/keyrings/
+ state: directory
+ mode: '0755'
+
 - name: Eclipse Adoptium key
 get_url:
 url: https://packages.adoptium.net/artifactory/api/gpg/key/public
diff --git a/openjdk-8/playbook.yaml b/openjdk-8/playbook.yaml
index 13ce7c8..94efb72 100644
--- a/openjdk-8/playbook.yaml
+++ b/openjdk-8/playbook.yaml
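Review bot: The new 'Create a directory for keyrings' task in the openjdk-11 hunk sets `mode: '0755'` but no ownership, so a pre-existing `/etc/apt/keyrings/` owned by another account would be left as it is even though it now holds the repository's trust anchor; adding `owner: root` and `group: root` makes the task enforce that. The same task is repeated in the openjdk-17, -21, -25 and -8 hunks. r-studio/playbook.yaml writes to the same directory but gets no such task in this series, which is probably fine because that play refuses to run on anything but Ubuntu 22.04, where I would expect apt to ship the directory, but it is worth confirming. The mode is single-quoted here and double-quoted (`"0644"`) in the key download task right below.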
@@ -3,6 +3,12 @@
 become: true
 become_user: root
 tasks:
+ - name: Create a directory for keyrings
+ file:
+ path: /etc/apt/keyrings/
+ state: directory
+ mode: '0755'
+
 - name: Eclipse Adoptium key
 get_url:
 url: https://packages.adoptium.net/artifactory/api/gpg/key/public