
Replace apt-key with signed-by in Debian install instructions #106

Merged
merged 9 commits into from
Aug 15, 2023

Conversation

thgoebel (Contributor)

apt-key is deprecated for security reasons.
See https://stackoverflow.com/a/71384057/11076036

I tested the new instructions to work on both Debian 10 and 11.

I did not build the documentation to check whether it looks right (I'm too lazy to set up the environment). But GitHub renders it okay.

@gotmax23 (Collaborator)

/cc @dericcrago @Ompragash

@thgoebel (Contributor Author)

The Ubuntu PPA now supports Debian 12, so I've added that to this PR as well.

@gotmax23 (Collaborator)

I'm not sure that b96aa62 makes sense when you're only using the value once, but I don't feel strongly.

I'd like to get an ack from @dericcrago or one of the other maintainers of the PPA to make sure that the key is correct and that everything else is correct before merging.

@gotmax23 gotmax23 added the needs_triage Needs a first human triage before being processed. label Jul 25, 2023
@gotmax23 (Collaborator)

Thanks for your Ansible docs contribution! We talk about Ansible documentation on matrix at #docs:ansible.im and on libera IRC at #ansible-docs if you ever want to join us and chat about the docs! We meet there on Tuesdays (see the Ansible calendar) and welcome additions to our weekly agenda items - scroll down to find the upcoming agenda and add a comment to put something new on that agenda.

@gotmax23 gotmax23 added the new_contributor This PR is the first contribution by a new community member. label Jul 25, 2023
Co-authored-by: Maxwell G <[email protected]>
@thgoebel (Contributor Author)

I'd like to get an ack from @dericcrago or one of the other maintainers of the PPA to make sure that the key is correct [...]

You can find the key fingerprint on launchpad: https://launchpad.net/~ansible/+archive/ubuntu/ansible
It's hidden behind "Technical details about this PPA".
In fact, the keyserver URL is the same as the one for "Signing Key: ..." on the PPA page, with op=index replaced by op=get.

I'm not sure that b96aa62 makes sense when you're only using the value once, but I don't feel strongly.

My motivation for having a variable is laziness. If you are directly copy & pasting from the docs, you have to do sooo many back arrow presses to get your terminal cursor from the end to where UBUNTU_CODENAME is. With the variable you can really copy & paste the two long commands without having to edit them (even though it's one more line/paste). :)

gotmax23
gotmax23 previously approved these changes Jul 26, 2023
@samccann samccann added techreview needs technical review and removed needs_triage Needs a first human triage before being processed. labels Jul 27, 2023
@samccann (Contributor)

@gotmax23 - is this ready to merge or are you still waiting on a PPA person to review?

@gotmax23 (Collaborator) left a comment

@samccann, other than this last point, I think this PR is ready to merge. I would've liked an ack from one of the PPA maintainers, but I double checked the key and validated the instructions in a Debian container myself.

@dericcrago (Contributor)

Hi all! Thanks @thgoebel for updating the instructions! This looks good to me. My only suggestion would be to maybe add some context around the wget & echo commands or explain why the instructions don't say apt-key anymore. Maybe something like, "previous instructions referenced apt-key, which has been deprecated, you can find more relevant info here (link to some article(s)), but the essential bits are the following:" I like being able to copy and paste the proper commands, but maybe give people some breadcrumbs if they want to understand a bit more. 🤷

@dericcrago (Contributor)

one additional comment, the launchpad instructions reference using add-apt-repository 🤷

@thgoebel (Contributor Author)

I added references to wget and gpg and explained the commands a bit.


one additional comment, the launchpad instructions reference using add-apt-repository

The short answer is: it's not that easy on Debian.

The long answer is:

PPAs are a Ubuntu thing and not really supported on Debian.

Let's try it on Debian 12 (docker run --rm -it debian:12 bash):

  1. sudo apt update in the container.

  2. add-apt-repository is not preinstalled. So we need to install software-properties-common which includes the add-apt-repository command:

$ sudo apt install software-properties-common
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  appstream ca-certificates dbus dbus-bin dbus-daemon dbus-session-bus-common dbus-system-bus-common
  dbus-user-session dirmngr distro-info-data dmsetup gir1.2-glib-2.0 gir1.2-packagekitglib-1.0 gnupg gnupg-l10n
  gnupg-utils gpg gpg-agent gpg-wks-client gpg-wks-server gpgconf gpgsm iso-codes krb5-locales libapparmor1
  libappstream4 libargon2-1 libassuan0 libbrotli1 libcap2-bin libcryptsetup12 libcurl3-gnutls libdbus-1-3
  libdevmapper1.02.1 libduktape207 libdw1 libelf1 libexpat1 libfdisk1 libgirepository-1.0-1 libglib2.0-0
  libglib2.0-bin libglib2.0-data libgpm2 libgssapi-krb5-2 libgstreamer1.0-0 libicu72 libip4tc2 libjson-c5
  libk5crypto3 libkeyutils1 libkmod2 libkrb5-3 libkrb5support0 libksba8 libldap-2.5-0 libldap-common libncursesw6
  libnghttp2-14 libnpth0 libnsl2 libnss-systemd libpackagekit-glib2-18 libpam-cap libpam-systemd
  libpolkit-agent-1-0 libpolkit-gobject-1-0 libpsl5 libpython3-stdlib libpython3.11-minimal libpython3.11-stdlib
  libreadline8 librtmp1 libsasl2-2 libsasl2-modules libsasl2-modules-db libsqlite3-0 libssh2-1 libssl3
  libstemmer0d libsystemd-shared libsystemd0 libtirpc-common libtirpc3 libudev1 libunwind8 libxml2 libxmlb2
  libyaml-0-2 lsb-release media-types openssl packagekit packagekit-tools pinentry-curses polkitd publicsuffix
  python-apt-common python3 python3-apt python3-blinker python3-cffi-backend python3-cryptography python3-dbus
  python3-distro python3-gi python3-httplib2 python3-jwt python3-lazr.restfulclient python3-lazr.uri
  python3-minimal python3-oauthlib python3-pkg-resources python3-pyparsing python3-six python3-software-properties
  python3-wadllib python3.11 python3.11-minimal readline-common sgml-base shared-mime-info systemd systemd-sysv
  systemd-timesyncd xdg-user-dirs xml-core
Suggested packages:
  apt-config-icons pinentry-gnome3 tor parcimonie xloadimage scdaemon isoquery low-memory-monitor gpm krb5-doc
  krb5-user gstreamer1.0-tools libsasl2-modules-gssapi-mit | libsasl2-modules-gssapi-heimdal libsasl2-modules-ldap
  libsasl2-modules-otp libsasl2-modules-sql pinentry-doc polkitd-pkla python3-doc python3-tk python3-venv
  python-apt-doc python-blinker-doc python-cryptography-doc python3-cryptography-vectors python-dbus-doc
  python3-crypto python3-setuptools python-pyparsing-doc python3.11-venv python3.11-doc binutils binfmt-support
  readline-doc sgml-base-doc systemd-container systemd-homed systemd-userdbd systemd-boot systemd-resolved
  libfido2-1 libqrencode4 libtss2-esys-3.0.2-0 libtss2-mu0 libtss2-rc0 debhelper
The following NEW packages will be installed:
  appstream ca-certificates dbus dbus-bin dbus-daemon dbus-session-bus-common dbus-system-bus-common
  dbus-user-session dirmngr distro-info-data dmsetup gir1.2-glib-2.0 gir1.2-packagekitglib-1.0 gnupg gnupg-l10n
  gnupg-utils gpg gpg-agent gpg-wks-client gpg-wks-server gpgconf gpgsm iso-codes krb5-locales libapparmor1
  libappstream4 libargon2-1 libassuan0 libbrotli1 libcap2-bin libcryptsetup12 libcurl3-gnutls libdbus-1-3
  libdevmapper1.02.1 libduktape207 libdw1 libelf1 libexpat1 libfdisk1 libgirepository-1.0-1 libglib2.0-0
  libglib2.0-bin libglib2.0-data libgpm2 libgssapi-krb5-2 libgstreamer1.0-0 libicu72 libip4tc2 libjson-c5
  libk5crypto3 libkeyutils1 libkmod2 libkrb5-3 libkrb5support0 libksba8 libldap-2.5-0 libldap-common libncursesw6
  libnghttp2-14 libnpth0 libnsl2 libnss-systemd libpackagekit-glib2-18 libpam-cap libpam-systemd
  libpolkit-agent-1-0 libpolkit-gobject-1-0 libpsl5 libpython3-stdlib libpython3.11-minimal libpython3.11-stdlib
  libreadline8 librtmp1 libsasl2-2 libsasl2-modules libsasl2-modules-db libsqlite3-0 libssh2-1 libssl3
  libstemmer0d libsystemd-shared libtirpc-common libtirpc3 libunwind8 libxml2 libxmlb2 libyaml-0-2 lsb-release
  media-types openssl packagekit packagekit-tools pinentry-curses polkitd publicsuffix python-apt-common python3
  python3-apt python3-blinker python3-cffi-backend python3-cryptography python3-dbus python3-distro python3-gi
  python3-httplib2 python3-jwt python3-lazr.restfulclient python3-lazr.uri python3-minimal python3-oauthlib
  python3-pkg-resources python3-pyparsing python3-six python3-software-properties python3-wadllib python3.11
  python3.11-minimal readline-common sgml-base shared-mime-info software-properties-common systemd systemd-sysv
  systemd-timesyncd xdg-user-dirs xml-core
The following packages will be upgraded:
  libsystemd0 libudev1
2 upgraded, 126 newly installed, 0 to remove and 3 not upgraded.
Need to get 50.2 MB of archives.
After this operation, 183 MB of additional disk space will be used.
Do you want to continue? [Y/n]
<--snipped-->
  3. Note that this already pulled in gpg.

  4. Now we can try sudo add-apt-repository ppa:ansible/ansible. But we run into this bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029766

  5. Let's ignore Julian's points and just install python3-launchpadlib:

$ sudo apt install python3-launchpadlib
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  adwaita-icon-theme at-spi2-common at-spi2-core dconf-gsettings-backend dconf-service fontconfig
  fontconfig-config fonts-dejavu-core gcr gnome-keyring gnome-keyring-pkcs11 gsettings-desktop-schemas
  gtk-update-icon-cache hicolor-icon-theme libatk-bridge2.0-0 libatk1.0-0 libatspi2.0-0 libavahi-client3
  libavahi-common-data libavahi-common3 libbsd0 libcairo-gobject2 libcairo2 libcolord2 libcups2 libdatrie1
  libdconf1 libdeflate0 libepoxy0 libfontconfig1 libfreetype6 libfribidi0 libgck-1-0 libgcr-base-3-1 libgcr-ui-3-1
  libgdk-pixbuf-2.0-0 libgdk-pixbuf2.0-bin libgdk-pixbuf2.0-common libgraphite2-3 libgtk-3-0 libgtk-3-bin
  libgtk-3-common libharfbuzz0b libjbig0 libjpeg62-turbo liblcms2-2 liblerc4 libpam-gnome-keyring libpango-1.0-0
  libpangocairo-1.0-0 libpangoft2-1.0-0 libpixman-1-0 libpng16-16 libproc2-0 librsvg2-2 librsvg2-common
  libsecret-1-0 libsecret-common libthai-data libthai0 libtiff6 libwayland-client0 libwayland-cursor0
  libwayland-egl1 libwebp7 libx11-6 libx11-data libxau6 libxcb-render0 libxcb-shm0 libxcb1 libxcomposite1
  libxcursor1 libxdamage1 libxdmcp6 libxext6 libxfixes3 libxi6 libxinerama1 libxkbcommon0 libxrandr2 libxrender1
  libxtst6 p11-kit p11-kit-modules pinentry-gnome3 procps psmisc python3-importlib-metadata python3-jaraco.classes
  python3-jeepney python3-keyring python3-more-itertools python3-secretstorage python3-zipp x11-common xkb-data
Suggested packages:
  colord cups-common gvfs liblcms2-utils librsvg2-bin pinentry-doc gir1.2-secret-1 libkf5wallet-bin
  python3-keyrings.alt python3-testresources python-secretstorage-doc
The following NEW packages will be installed:
  adwaita-icon-theme at-spi2-common at-spi2-core dconf-gsettings-backend dconf-service fontconfig
  fontconfig-config fonts-dejavu-core gcr gnome-keyring gnome-keyring-pkcs11 gsettings-desktop-schemas
  gtk-update-icon-cache hicolor-icon-theme libatk-bridge2.0-0 libatk1.0-0 libatspi2.0-0 libavahi-client3
  libavahi-common-data libavahi-common3 libbsd0 libcairo-gobject2 libcairo2 libcolord2 libcups2 libdatrie1
  libdconf1 libdeflate0 libepoxy0 libfontconfig1 libfreetype6 libfribidi0 libgck-1-0 libgcr-base-3-1 libgcr-ui-3-1
  libgdk-pixbuf-2.0-0 libgdk-pixbuf2.0-bin libgdk-pixbuf2.0-common libgraphite2-3 libgtk-3-0 libgtk-3-bin
  libgtk-3-common libharfbuzz0b libjbig0 libjpeg62-turbo liblcms2-2 liblerc4 libpam-gnome-keyring libpango-1.0-0
  libpangocairo-1.0-0 libpangoft2-1.0-0 libpixman-1-0 libpng16-16 libproc2-0 librsvg2-2 librsvg2-common
  libsecret-1-0 libsecret-common libthai-data libthai0 libtiff6 libwayland-client0 libwayland-cursor0
  libwayland-egl1 libwebp7 libx11-6 libx11-data libxau6 libxcb-render0 libxcb-shm0 libxcb1 libxcomposite1
  libxcursor1 libxdamage1 libxdmcp6 libxext6 libxfixes3 libxi6 libxinerama1 libxkbcommon0 libxrandr2 libxrender1
  libxtst6 p11-kit p11-kit-modules pinentry-gnome3 procps psmisc python3-importlib-metadata python3-jaraco.classes
  python3-jeepney python3-keyring python3-launchpadlib python3-more-itertools python3-secretstorage python3-zipp
  x11-common xkb-data
0 upgraded, 98 newly installed, 0 to remove and 3 not upgraded.
Need to get 32.5 MB of archives.
After this operation, 133 MB of additional disk space will be used.
Do you want to continue? [Y/n]
<--snipped-->
  6. Let's try add-apt-repository again:
$ sudo add-apt-repository ppa:ansible/ansible
Repository: 'deb https://ppa.launchpadcontent.net/ansible/ansible/ubuntu/ bookworm main'
Description:
Ansible is a radically simple IT automation platform that makes your applications and systems easier to deploy. Avoid writing scripts or custom code to deploy and update your applications— automate in a language that approaches plain English, using SSH, with no agents to install on remote systems.

http://ansible.com/

If you face any issues while installing Ansible PPA, file an issue here:
https://github.com/ansible-community/ppa/issues
More info: https://launchpad.net/~ansible/+archive/ubuntu/ansible
Adding repository.
Press [ENTER] to continue or Ctrl-c to cancel.
Adding deb entry to /etc/apt/sources.list.d/ansible-ubuntu-ansible-bookworm.list
Adding disabled deb-src entry to /etc/apt/sources.list.d/ansible-ubuntu-ansible-bookworm.list
Adding key to /etc/apt/trusted.gpg.d/ansible-ubuntu-ansible.gpg with fingerprint 6125E2A8C77F2818FB7BD15B93C4A3FD7BB9C367
Hit:1 http://deb.debian.org/debian bookworm InRelease
Hit:2 http://deb.debian.org/debian bookworm-updates InRelease
Hit:3 http://deb.debian.org/debian-security bookworm-security InRelease          
Ign:4 https://ppa.launchpadcontent.net/ansible/ansible/ubuntu bookworm InRelease 
Err:5 https://ppa.launchpadcontent.net/ansible/ansible/ubuntu bookworm Release
  404  Not Found [IP: 185.125.190.52 443]
Reading package lists... Done                              
E: The repository 'https://ppa.launchpadcontent.net/ansible/ansible/ubuntu bookworm Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

So now we have:

  • installed a ton of packages,
  • used 183 MB + 133 MB extra disk space,
  • put a key into /etc/apt/trusted.gpg.d/ansible-ubuntu-ansible.gpg which is a security issue because now this key can sign packages for every repo and not just for Ansible.

That's a lot, considering we really only need to download 1 file and add 1 line to another file.

And it still doesn't work! Because /etc/apt/sources.list.d/ansible-ubuntu-ansible-bookworm.list contains this line:
deb https://ppa.launchpadcontent.net/ansible/ansible/ubuntu bookworm Release

So now we need to manually edit this file to change bookworm to jammy.

Conclusion

That was a lot of words, but the conclusion is:

PPAs are made for Debian not for Ubuntu. If you're lucky the PPA depends only on packages that Debian also ships (and in the right versions), and you just need to manually set the correct sources.list string.

But the ecosystem (add-apt-repository) on Debian is not optimised for handling PPAs.

Compared to that, wget and gpg are much smaller. And gpg you will need in any case (it comes as a dependency of software-properties-common).

That's probably also why Signal has basically the same instructions and not add-apt-repository :)
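The "1 file plus 1 line" approach discussed in this thread, written out as an added example (it is not the PR's docs text or the PPA project's code): fetch the PPA key, refuse it unless its fingerprint matches the one Launchpad and add-apt-repository report, and add a sources entry whose signed-by option scopes the key to this one repository instead of /etc/apt/trusted.gpg.d. The keyring and sources paths, the exact keyserver URL form, and the bullseye/buster to focal/bionic mappings are assumptions; only bookworm to jammy and the fingerprint appear on this page. An unscoped_deb_lines helper is included for auditing hosts that were migrated away from apt-key.

```shell
#!/bin/sh
# Added example, not the Ansible docs' own instructions or the PPA project's code.
# Install the Ansible PPA on Debian with a repository-scoped key instead of apt-key.
# Assumed (not from the page): KEYRING and SOURCES paths, the keyserver URL form,
# and the focal/bionic mappings.
set -eu

# Fingerprint printed by add-apt-repository and shown on the Launchpad PPA page.
ANSIBLE_PPA_FPR="6125E2A8C77F2818FB7BD15B93C4A3FD7BB9C367"
# Launchpad's "Signing Key" link with op=index replaced by op=get (URL form assumed).
ANSIBLE_KEY_URL="https://keyserver.ubuntu.com/pks/lookup?fingerprint=on&op=get&search=0x${ANSIBLE_PPA_FPR}"
KEYRING="/usr/share/keyrings/ansible-archive-keyring.gpg"   # assumed path
SOURCES="/etc/apt/sources.list.d/ansible.list"               # assumed path

# Debian release -> Ubuntu codename the PPA publishes for.
# bookworm -> jammy is what the thread shows; the other two rows are assumptions.
ubuntu_codename_for() {
  case "$1" in
    bookworm|12) echo jammy ;;
    bullseye|11) echo focal ;;
    buster|10)   echo bionic ;;
    *) echo "no PPA codename mapping for '$1'" >&2; return 1 ;;
  esac
}

# The single sources line. [signed-by=...] limits the key to this repository; a key
# dropped into /etc/apt/trusted.gpg.d would be accepted for every configured repo.
ansible_sources_line() {
  printf 'deb [signed-by=%s] https://ppa.launchpadcontent.net/ansible/ansible/ubuntu %s main\n' "$2" "$1"
}

# Primary-key fingerprint of a dearmored keyring file, without importing it anywhere.
keyring_fingerprint() {
  gpg --show-keys --with-colons --with-fingerprint "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# List deb/deb-src entries in the given files that do not pin a key with signed-by,
# i.e. that still depend on the globally trusted keys. Handy after an apt-key migration.
unscoped_deb_lines() {
  grep -hE '^[[:space:]]*deb(-src)?[[:space:]]' "$@" 2>/dev/null \
    | grep -vE '\[[^]]*signed-by=' || true
}

install_ansible_ppa() {
  codename="$(ubuntu_codename_for "$(. /etc/os-release && echo "$VERSION_CODENAME")")"
  tmpkey="$(mktemp)"
  # Download the armored key and convert it to the binary form apt expects.
  wget -qO- "$ANSIBLE_KEY_URL" | gpg --dearmor > "$tmpkey"
  # TLS only proves we talked to the keyserver; the fingerprint proves it is the right key.
  got="$(keyring_fingerprint "$tmpkey")"
  if [ "$got" != "$ANSIBLE_PPA_FPR" ]; then
    echo "fingerprint mismatch: got $got, expected $ANSIBLE_PPA_FPR" >&2
    rm -f "$tmpkey"
    return 1
  fi
  sudo install -m 0644 "$tmpkey" "$KEYRING"
  rm -f "$tmpkey"
  ansible_sources_line "$codename" "$KEYRING" | sudo tee "$SOURCES" >/dev/null
  sudo apt update && sudo apt install -y ansible
}

# Only touch the system when explicitly asked: RUN_INSTALL=1 sh ansible-ppa.sh
if [ "${RUN_INSTALL:-0}" = 1 ]; then
  install_ansible_ppa
fi
```

Run it with RUN_INSTALL=1 on the target host; without that variable the script only defines the functions, so it can be sourced to audit an existing box with unscoped_deb_lines /etc/apt/sources.list /etc/apt/sources.list.d/*.list.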

@gotmax23 gotmax23 dismissed their stale review July 31, 2023 22:29

I'll take a look at the updated changes tomorrow

@dericcrago (Contributor)

that makes sense to me @thgoebel. Thank you for the thorough followup!

@gotmax23 (Collaborator) left a comment

I apologize for the delay. Now that we've agreed on the contents, I went through and made some formatting/grammar suggestions. Thanks!

@thgoebel thgoebel force-pushed the apt-key-deprecation branch from 02718a3 to b26d4eb Compare August 14, 2023 08:26
@thgoebel thgoebel force-pushed the apt-key-deprecation branch from b26d4eb to f91ca20 Compare August 14, 2023 08:27
@thgoebel (Contributor Author)

Done. Thank you for your suggestions!

@samccann samccann merged commit c140e1a into ansible:devel Aug 15, 2023
@samccann (Contributor)

Thanks @thgoebel for the Ansible docs fix and welcome to the Ansible project!
And thanks @gotmax23 for the tech review.

@thgoebel thgoebel deleted the apt-key-deprecation branch August 15, 2023 20:15