Description
Use Case
It's two different things; however, they both revolve around information regarding apt update state:
1) Expired apt keys
I'd like to get some type of feedback that apt keys for specific active repositories are expired.
Output might look like this:
# apt-get update
Hit:1 http://security.debian.org bullseye-security InRelease
Hit:2 http://ftp.de.debian.org/debian bullseye InRelease
Get:3 https://download.docker.com/linux/debian bullseye InRelease [43,3 kB]
Hit:4 https://packages.sury.org/php bullseye InRelease
Get:5 http://apt.puppet.com bullseye InRelease [83,8 kB]
Get:6 https://apt.puppetlabs.com bullseye InRelease [83,8 kB]
Err:5 http://apt.puppet.com bullseye InRelease
The following signatures were invalid: EXPKEYSIG 4528B6CD9E61EF26 Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>
Err:6 https://apt.puppetlabs.com bullseye InRelease
The following signatures were invalid: EXPKEYSIG 4528B6CD9E61EF26 Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>
Reading package lists... Done
W: GPG error: http://apt.puppet.com bullseye InRelease: The following signatures were invalid: EXPKEYSIG 4528B6CD9E61EF26 Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>
E: The repository 'http://apt.puppet.com bullseye InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://apt.puppetlabs.com bullseye InRelease: The following signatures were invalid: EXPKEYSIG 4528B6CD9E61EF26 Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>
Currently the existing apt_update_last_success fact will still be incremented, even with expired keys and only partial success (apt update actually fails with error code 100).
2) Duplicate definitions
We recently found some slightly misconfigured systems because of an oversight regarding cloudinit usage that had the same apt sources defined in multiple places.
Apt update will print several warnings, and I'd also like to get some feedback, as the system might break with the next dist upgrade.
Output in this situation contains something like this:
# apt-get update
Hit:1 http://ftp.de.debian.org/debian bullseye InRelease
Hit:2 http://security.debian.org bullseye-security InRelease
Hit:3 http://apt.puppet.com bullseye InRelease
Hit:4 https://apt.puppetlabs.com bullseye InRelease
Get:5 https://download.docker.com/linux/debian bullseye InRelease [43,3 kB]
Hit:6 https://packages.sury.org/php bullseye InRelease
Fetched 43,3 kB in 0s (87,2 kB/s)
Reading package lists... Done
W: Target Sources (main/source/Sources) is configured multiple times in /etc/apt/sources.list:3 and /etc/apt/sources.list.d/debian_bullseye.list:4
W: Target Sources (contrib/source/Sources) is configured multiple times in /etc/apt/sources.list:3 and /etc/apt/sources.list.d/debian_bullseye.list:4
W: Target Sources (non-free/source/Sources) is configured multiple times in /etc/apt/sources.list:3 and /etc/apt/sources.list.d/debian_bullseye.list:4
W: Target Packages (main/binary-amd64/Packages) is configured multiple times in /etc/apt/sources.list:2 and /etc/apt/sources.list.d/debian_bullseye.list:3
W: Target Packages (main/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:2 and /etc/apt/sources.list.d/debian_bullseye.list:3
W: Target Translations (main/i18n/Translation-en_US) is configured multiple times in /etc/apt/sources.list:2 and /etc/apt/sources.list.d/debian_bullseye.list:3
W: Target Translations (main/i18n/Translation-en) is configured multiple times in /etc/apt/sources.list:2 and /etc/apt/sources.list.d/debian_bullseye.list:3
W: Target Packages (contrib/binary-amd64/Packages) is configured multiple times in /etc/apt/sources.list:2 and /etc/apt/sources.list.d/debian_bullseye.list:3
W: Target Packages (contrib/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:2 and /etc/apt/sources.list.d/debian_bullseye.list:3
W: Target Translations (contrib/i18n/Translation-en_US) is configured multiple times in /etc/apt/sources.list:2 and /etc/apt/sources.list.d/debian_bullseye.list:3
W: Target Translations (contrib/i18n/Translation-en) is configured multiple times in /etc/apt/sources.list:2 and /etc/apt/sources.list.d/debian_bullseye.list:3
W: Target Packages (non-free/binary-amd64/Packages) is configured multiple times in /etc/apt/sources.list:2 and /etc/apt/sources.list.d/debian_bullseye.list:3
W: Target Packages (non-free/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:2 and /etc/apt/sources.list.d/debian_bullseye.list:3
W: Target Translations (non-free/i18n/Translation-en_US) is configured multiple times in /etc/apt/sources.list:2 and /etc/apt/sources.list.d/debian_bullseye.list:3
W: Target Translations (non-free/i18n/Translation-en) is configured multiple times in /etc/apt/sources.list:2 and /etc/apt/sources.list.d/debian_bullseye.list:3
W: Target Sources (main/source/Sources) is configured multiple times in /etc/apt/sources.list:3 and /etc/apt/sources.list.d/debian_bullseye.list:4
W: Target Sources (contrib/source/Sources) is configured multiple times in /etc/apt/sources.list:3 and /etc/apt/sources.list.d/debian_bullseye.list:4
W: Target Sources (non-free/source/Sources) is configured multiple times in /etc/apt/sources.list:3 and /etc/apt/sources.list.d/debian_bullseye.list:4
W: Target Packages (main/binary-amd64/Packages) is configured multiple times in /etc/apt/sources.list:2 and /etc/apt/sources.list.d/debian_bullseye.list:3
W: Target Packages (main/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:2 and /etc/apt/sources.list.d/debian_bullseye.list:3
W: Target Translations (main/i18n/Translation-en_US) is configured multiple times in /etc/apt/sources.list:2 and /etc/apt/sources.list.d/debian_bullseye.list:3
W: Target Translations (main/i18n/Translation-en) is configured multiple times in /etc/apt/sources.list:2 and /etc/apt/sources.list.d/debian_bullseye.list:3
W: Target Packages (contrib/binary-amd64/Packages) is configured multiple times in /etc/apt/sources.list:2 and /etc/apt/sources.list.d/debian_bullseye.list:3
W: Target Packages (contrib/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:2 and /etc/apt/sources.list.d/debian_bullseye.list:3
W: Target Translations (contrib/i18n/Translation-en_US) is configured multiple times in /etc/apt/sources.list:2 and /etc/apt/sources.list.d/debian_bullseye.list:3
W: Target Translations (contrib/i18n/Translation-en) is configured multiple times in /etc/apt/sources.list:2 and /etc/apt/sources.list.d/debian_bullseye.list:3
W: Target Packages (non-free/binary-amd64/Packages) is configured multiple times in /etc/apt/sources.list:2 and /etc/apt/sources.list.d/debian_bullseye.list:3
W: Target Packages (non-free/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:2 and /etc/apt/sources.list.d/debian_bullseye.list:3
W: Target Translations (non-free/i18n/Translation-en_US) is configured multiple times in /etc/apt/sources.list:2 and /etc/apt/sources.list.d/debian_bullseye.list:3
W: Target Translations (non-free/i18n/Translation-en) is configured multiple times in /etc/apt/sources.list:2 and /etc/apt/sources.list.d/debian_bullseye.list:3
However, in this case the apt update exit code is 0.
Describe the Solution You Would Like
I'd be happy with apt_update_has_warnings and apt_update_has_errors facts that would help detect both scenarios. This would probably need another apt post-update hook script, similar to the update-stamp.
Describe Alternatives You've Considered
Regarding expired keys, an alternative way could be to automatically add some validation for all keys that are managed via the apt module. We know which keys we want to use, so we are probably interested in those keys expiring (add validation to the plugin execution directly validating expiration dates).
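
A sketch of the classification such facts would need, added here as an example and not code from the puppetlabs-apt module: it separates the expired-key case (exit code 100, `EXPKEYSIG`) from the duplicate-source case (exit code 0, warnings only). The function name `summarize_apt_update`, the result keys and the two sample constants are assumptions; the samples are trimmed from the output quoted in the issue.

```ruby
# Added example, not puppetlabs-apt code. summarize_apt_update and the result
# keys are hypothetical; the samples are trimmed from the output quoted above.
EXPIRED_SAMPLE = <<~'OUT'
  Err:5 http://apt.puppet.com bullseye InRelease
    The following signatures were invalid: EXPKEYSIG 4528B6CD9E61EF26 Puppet, Inc. Release Key
  W: GPG error: http://apt.puppet.com bullseye InRelease: The following signatures were invalid: EXPKEYSIG 4528B6CD9E61EF26 Puppet, Inc. Release Key
  E: The repository 'http://apt.puppet.com bullseye InRelease' is not signed.
  W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://apt.puppetlabs.com bullseye InRelease: The following signatures were invalid: EXPKEYSIG 4528B6CD9E61EF26 Puppet, Inc. Release Key
OUT

DUPLICATE_SAMPLE = <<~'OUT'
  Hit:1 http://ftp.de.debian.org/debian bullseye InRelease
  W: Target Sources (main/source/Sources) is configured multiple times in /etc/apt/sources.list:3 and /etc/apt/sources.list.d/debian_bullseye.list:4
  W: Target Packages (main/binary-amd64/Packages) is configured multiple times in /etc/apt/sources.list:2 and /etc/apt/sources.list.d/debian_bullseye.list:3
  W: Target Sources (main/source/Sources) is configured multiple times in /etc/apt/sources.list:3 and /etc/apt/sources.list.d/debian_bullseye.list:4
OUT

EXPIRED_RE = /\AW: .*GPG error: (\S+) .*?EXPKEYSIG\s+([0-9A-F]{16})/
DUP_RE = /\AW: Target (\S+) \((\S+)\) is configured multiple times in (\S+) and (\S+)\z/

# output: captured text of `apt-get update`; exit_status: its exit code.
def summarize_apt_update(output, exit_status)
  errors = []
  warnings = []
  expired = {}     # key id => repositories whose signature check failed
  duplicates = {}  # [file:line, file:line] => targets defined in both places

  output.each_line(chomp: true) do |line|
    errors << line if line.start_with?('E: ')
    warnings << line if line.start_with?('W: ')
    if (m = line.match(EXPIRED_RE))
      (expired[m[2]] ||= []) << m[1]
    elsif (m = line.match(DUP_RE))
      (duplicates[[m[3], m[4]]] ||= []) << "#{m[1]} #{m[2]}"
    end
  end

  {
    # A non-zero exit (100 in the issue) counts even if no E: line was captured.
    'has_errors' => exit_status != 0 || !errors.empty?,
    'has_warnings' => !warnings.empty?,
    'expired_keys' => expired.transform_values(&:uniq),
    # apt prints each duplicate warning twice, so collapse repeats.
    'duplicate_sources' => duplicates.transform_values(&:uniq),
  }
end
```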