From 2354a8fb8c52622c20e2e7bf828a7710b6d525ac Mon Sep 17 00:00:00 2001
From: Kris Lamoureux
Date: Thu, 19 Oct 2023 13:37:35 -0400
Subject: [PATCH] Verify successful GPG imports

---
 roles/base/tasks/system.yml | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/roles/base/tasks/system.yml b/roles/base/tasks/system.yml
index 4ddeef1..ae57615 100644
--- a/roles/base/tasks/system.yml
+++ b/roles/base/tasks/system.yml
@@ -18,9 +18,20 @@
 when: root_gpgkeys is defined

 - name: Import GPG keys
- command: "gpg --keyserver {{ item.server | default('keys.openpgp.org') }} --recv-key {{ item.id }}"
- loop: "{{ root_gpgkeys }}"
- when: root_gpgkeys is defined and gpg_check.results | map(attribute='rc') | list != [0]
+ command: "gpg --keyserver {{ item.0.server | default('keys.openpgp.org') }} --recv-key {{ item.0.id }}"
+ register: gpg_check_import
+ loop: "{{ root_gpgkeys | zip(gpg_check.results) | list }}"
+ loop_control:
+ label: "{{ item.0.id }}"
+ when: root_gpgkeys is defined and item.1.rc != 0
+
+- name: Check GPG key imports
+ fail:
+ msg: "{{ item.stderr }}"
+ loop: "{{ gpg_check_import.results }}"
+ loop_control:
+ label: "{{ item.item.0.id }}"
+ when: (item.skipped | default(false) == false) and ('imported' not in item.stderr)

 - name: Install NTPsec
 ansible.builtin.apt:
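Review bot: The new "Check GPG key imports" task treats the English word `imported` in gpg's stderr as proof of success, which depends on the target host's locale and says nothing about which key actually landed in the keyring. gpg's machine-readable status output is a steadier signal: add `--status-fd 1` to the import command and test `'IMPORT_OK' not in item.stdout`, ideally also comparing the fingerprint on that status line with `item.item.0.id`. That comparison is only meaningful if the ids in `root_gpgkeys` are full fingerprints rather than short key IDs, which this hunk does not show. Separately, the check task has no `root_gpgkeys is defined` guard, so when the variable is unset `gpg_check_import.results` is probably undefined and the loop may error; prefixing its `when` with `root_gpgkeys is defined and` would match the import task above it.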