From 71fc9ec3936d42bb162ae8751881800575871d62 Mon Sep 17 00:00:00 2001
From: Maxim Masiutin
Date: Mon, 17 May 2021 13:35:02 +0300
Subject: [bp-2.11]: apt_key - Binary GnuPG keys downloaded via URL were corrupted (#74522)
* Binary GnuPG keys downloaded via URLs by the 'ansible.builtin.apt_key' module were corrupted so 'gpg' could not import them (https://github.com/ansible/ansible/issues/74424)
(cherry picked from commit 03750708710b2e44a7ffa068c65f969ae4ed51f1)
(cherry picked from commit 4cc80ef9c95e6eaf8d21415778dd984adcf088f9)
---
changelogs/fragments/74474-apt_key-gpg-binary-import.yaml | 2 ++
lib/ansible/modules/apt_key.py | 5 ++++-
test/integration/targets/apt_key/tasks/apt_key_binary.yml | 12 ++++++++++++
test/integration/targets/apt_key/tasks/main.yml | 3 +++
4 files changed, 21 insertions(+), 1 deletion(-)
create mode 100644 changelogs/fragments/74474-apt_key-gpg-binary-import.yaml
create mode 100644 test/integration/targets/apt_key/tasks/apt_key_binary.yml
diff --git a/changelogs/fragments/74474-apt_key-gpg-binary-import.yaml b/changelogs/fragments/74474-apt_key-gpg-binary-import.yaml
new file mode 100644
index 0000000000..e6568efdbe
--- /dev/null
+++ b/changelogs/fragments/74474-apt_key-gpg-binary-import.yaml
@@ -0,0 +1,2 @@
+bugfixes:
+ - apt_key - Binary GnuPG keys downloaded via URLs were corrupted so GnuPG could not import them (https://github.com/ansible/ansible/issues/74424).
diff --git a/lib/ansible/modules/apt_key.py b/lib/ansible/modules/apt_key.py
index 804d0d3ae5..4a8e968c3a 100644
--- a/lib/ansible/modules/apt_key.py
+++ b/lib/ansible/modules/apt_key.py
@@ -283,12 +283,15 @@ def download_key(module, url): def get_key_id_from_file(module, filename, data=None): + native_data = to_native(data) + is_armored = native_data.find("-----BEGIN PGP PUBLIC KEY BLOCK-----") >= 0 + global lang_env key = None cmd = [gpg_bin, '--with-colons', filename] - (rc, out, err) = module.run_command(cmd, environ_update=lang_env, data=to_native(data)) + (rc, out, err) = module.run_command(cmd, environ_update=lang_env, data=(native_data if is_armored else data), binary_data=not is_armored) if rc != 0: module.fail_json(msg="Unable to extract key from '%s'" % ('inline data' if data is not None else filename), stdout=out, stderr=err) diff --git a/test/integration/targets/apt_key/tasks/apt_key_binary.yml b/test/integration/targets/apt_key/tasks/apt_key_binary.yml new file mode 100644 index 0000000000..4a351446b0 --- /dev/null +++ b/test/integration/targets/apt_key/tasks/apt_key_binary.yml @@ -0,0 +1,12 @@ +--- + +- name: Ensure import of binary key downloaded using URLs works + apt_key: + url: https://ansible-ci-files.s3.us-east-1.amazonaws.com/test/integration/targets/apt_key/apt-key-example-binary.gpg + register: apt_key_binary_test + +- name: Validate the results + assert: + that: + - 'apt_key_binary_test.changed is defined' + - 'apt_key_binary_test.changed' diff --git a/test/integration/targets/apt_key/tasks/main.yml b/test/integration/targets/apt_key/tasks/main.yml index 9c571f4355..9ef44e456e 100644 --- a/test/integration/targets/apt_key/tasks/main.yml +++ b/test/integration/targets/apt_key/tasks/main.yml @@ -32,3 +32,6 @@ - import_tasks: 'file.yml' when: ansible_distribution in ('Ubuntu', 'Debian') + +- import_tasks: 'apt_key_binary.yml' + when: ansible_distribution in ('Ubuntu', 'Debian') -- cgit v1.2.1
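Review bot: The armor test in get_key_id_from_file, `native_data.find("-----BEGIN PGP PUBLIC KEY BLOCK-----") >= 0`, matches the marker anywhere in the payload, so a binary key that happens to carry that text (in a user ID or notation, for instance) would be sent down the text path again, which the commit description says corrupts binary keys. Because this data is apt trust-anchor material fetched from a URL, the check is better done on the raw bytes and anchored at the start, e.g. `is_armored = data is not None and to_bytes(data).lstrip().startswith(b"-----BEGIN PGP PUBLIC KEY BLOCK-----")` (to_bytes would need importing next to to_native if the file does not already have it). `to_native(data)` also now runs when `data` is left at its default of None; a comment such as `# data is None when gpg reads the key from filename, so nothing is piped to stdin` would make that path explicit. The function body continues past the end of the hunk.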
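Review bot: The assertions in apt_key_binary.yml check only `apt_key_binary_test.changed`, which shows that some key was added but not which one, and the task will report no change (failing the test) on a host where the key is already present. For a test whose input is key material fetched from a URL, pinning the expected key makes it stronger: add `id: <EXPECTED_KEY_ID>` to the apt_key task (placeholder; the fixture's real key id is not shown on this page), or assert on the installed key's fingerprint afterwards. A preceding apt_key task with the same id and `state: absent` would also make the run repeatable.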