use signed repos

roles/mastodon/tasks/system_setup/prepare_packagemanager.yml

@@ -7,6 +7,14 @@
     - { id: "72ECF46A56B4AD39C907BBB71646B01B86E50310", url: "https://dl.yarnpkg.com/debian/pubkey.gpg" }
     - { id: "9FD3B784BC1C6FC31A8A0A1C1655A0AB68576280", url: "https://deb.nodesource.com/gpgkey/nodesource.gpg.key" } 
 
+- name: mastodon | package manager | download gpg keys
+  get_url:
+    url: "{{ item.url }}"
+    dest: "/usr/share/keyrings/{{ item.localkey }}"
+  loop:
+    - { url: "https://dl.yarnpkg.com/debian/pubkey.gpg", localkey: "yarnkey.gpg" }
+    - { url: "https://deb.nodesource.com/gpgkey/nodesource.gpg.key", localkey: "nodesource.gpg.key" }
+
 - name: mastodon | package manager | add repos
   apt_repository:
     repo: "{{ item.repo }}"
@@ -16,6 +24,6 @@
     validate_certs: yes # not required. If C(no), SSL certificates for the target repo will not be validated. This should only be used on personally controlled sites using self-signed certificates.
     filename: "{{ item.filename }}"
   loop:
-    - { repo: "deb https://dl.yarnpkg.com/debian/ stable main", filename: "yarn"}
-    - { repo: "deb https://deb.nodesource.com/node_{{ node_major_version }}.x {{ ansible_lsb.codename }} main", filename: "nodejs"}
-    - { repo: "deb-src https://deb.nodesource.com/{{ node_major_version }}.x {{ ansible_lsb.codename }} main", filename: "nodejs"}
+    - { repo: "deb [signed-by="/usr/share/keyrings/yarnkey.gpg"] https://dl.yarnpkg.com/debian/ stable main", filename: "yarn"}
+    - { repo: "deb [signed-by="/usr/share/keyrings/nodesource.gpg.key"] https://deb.nodesource.com/node_{{ node_major_version }}.x {{ ansible_lsb.codename }} main", filename: "nodejs"}
+    - { repo: "deb-src [signed-by="/usr/share/keyrings/nodesource.gpg.key"] https://deb.nodesource.com/{{ node_major_version }}.x {{ ansible_lsb.codename }} main", filename: "nodejs"}