Warn about short key IDs when using ansible.builtin.apt_key module

[KamilaBorowska]

ansible-lint should warn when using 32-bit key IDs (8 characters) in apt_key module as they are insecure due to their length (https://evil32.com/). For example:

- name: Add an Apt signing key, will not download if present
  ansible.builtin.apt_key:
    id: 473041FA
    url: https://ftp-master.debian.org/keys/archive-key-6.0.asc
    state: present

This can be written as follows:

- name: Add an Apt signing key, will not download if present
  ansible.builtin.apt_key:
    id: 9FED2BCBDCD29CDF762678CBAED4B06F473041FA
    url: https://ftp-master.debian.org/keys/archive-key-6.0.asc
    state: present

https://docs.ansible.com/ansible/latest/collections/ansible/builtin/apt_key_module.html recommends against this practice: "Use full fingerprint (40 characters) key ids to avoid key collisions."

[apatard]

I can't answer for ansible-lint maintainers but I'm a little bit puzzled by this. I guess adding a rule should not be hard and PR are welcome, but I'm not sure what's the value of adding a rule for something deprecated in Debian/Ubuntu.

[MarkusTeufelberger]

Well, it is deprecated in new versions and not all old versions support the new style with trusted.gpg.d. After all, Ansible Modules are still written and maintained in Python 2 to this day to keep backward compatibility.