
Duration of support for "apt-key add" & how to get Ansible to migrate away from using it



Ansible still uses "apt-key add" to add keys. I asked the Ansible team to consider moving to just placing new keys in /etc/apt/trusted.gpg.d/ in this GitHub issue: https://github.com/ansible/ansible/issues/55590 (I suggested this because it's the guidance offered in the current apt-key manpage).

However, the Ansible team is concerned that changing approach will make it impossible to use Ansible to add keys to older Debian releases which lack support for /etc/apt/trusted.gpg.d/. I don't know how old such a release would need to be for this to matter, though. I'm also not privy to the future plans of the APT maintainers, so I don't know how long to expect "apt-key add" to continue to be supported.

If Ansible doesn't migrate until "apt-key add" actually stops working, then Ansible users will end up with broken playbooks. Could someone from the APT team comment on the bug with a view to agreeing how & when to migrate?

(It's my understanding that there is also an impetus to move the keys out of that tree and instead configure a per-release key in sources.list ... but I don't know what the status of that plan is, or what the best migration plan would be; if there really is a plan to make that change in APT, perhaps you could comment on this aspect in the GitHub bug, too.)

Thanks in advance,
James.
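
What the migration discussed in this message amounts to for a tool, as an added example that is not part of the original post and is not Ansible's or APT's code: a POSIX shell function (hypothetical name `install_apt_key`) that places a key file in /etc/apt/trusted.gpg.d/ instead of calling "apt-key add", and reports changed/unchanged the way a configuration-management module would. It assumes APT reads `*.gpg` there as binary keyrings and `*.asc` as ASCII-armored keys (armored support arrived in apt 1.4); the third argument exists only so the function can be tried against a scratch directory.

```shell
#!/bin/sh
# Added example; install_apt_key and its arguments are hypothetical names.
# Usage: install_apt_key KEYFILE NAME [DEST_DIR]
# Prints "changed" or "unchanged"; returns non-zero on error.
install_apt_key() {
    src=$1
    name=$2
    dest_dir=${3:-/etc/apt/trusted.gpg.d}

    [ -r "$src" ] || { echo "cannot read key file: $src" >&2; return 1; }

    # Keep the name to a conservative character set so it cannot
    # escape dest_dir (no "/", no "..") or carry its own extension.
    case $name in
        ''|*[!A-Za-z0-9_-]*) echo "bad key name: $name" >&2; return 1 ;;
    esac

    # The file extension tells APT how to parse the key:
    # armored text needs .asc, a binary keyring needs .gpg.
    if grep -q -e '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$src"; then
        ext=asc
    else
        ext=gpg
    fi
    target=$dest_dir/$name.$ext

    # Idempotence: an identical key already in place is not a change.
    if [ -f "$target" ] && cmp -s "$src" "$target"; then
        echo unchanged
        return 0
    fi

    # Write to a temp file in the same directory and rename, so APT never
    # sees a half-written key. The temp name ends in neither .gpg nor .asc.
    # Mode 0644 keeps the key readable by APT's unprivileged helper.
    tmp=$(mktemp "$dest_dir/.$name.XXXXXX") || return 1
    cat "$src" > "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$target" \
        || { rm -f "$tmp"; return 1; }
    echo changed
}
```

The function does not verify that the file is a valid OpenPGP key or that it came from the expected publisher; checking the key's fingerprint against a known value before installing it remains a separate step.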

