You might want to consider using CmdRunner. See https://docs.ansible.com/ansible/latest/collections/community/general/docsite/guide_cmdrunner.html for more details.

How does the PR ensure that the key is not expired? If the key provided to the module is already expired, I don't see how the module can change that.

It can't extend keys of course, you're right. It just won't return a success status if the key is expired.

Maybe "Ensures/checks" would be clearer? How long are these descriptions supposed to be?

The descriptions should be long enough that it's clear what the option actually does.

I would move the description for trusted into a new paragraph (instead of cramming everything into a single paragraph).

You should mention when trusted was added:

Also formatting the state names as values is IMO a good idea.

If you're not opposed to folding the new functionality into the present state, I think that would be preferable. IMHO the currently implemented functionality of the present state does not solve a real life use case.

I think this would be a breaking change, since this considerably changes the behavior of state=present. Since we don't accept breaking changes this isn't really acceptable.

(That's why I would solve this not with a new state, but with an option. That way we can deprecate its default, and eventually change it to the better behavior, and fix the issue that way.)

Thanks! Finally got around to making the change to make it an option now.

I squashed all commits now, but I could restore the individual commits as well of course. Just let me know what's easier to review. Not super familiar with GitHub review workflows.

The function gpg_gather_all() does more than just gathering, it also filters. TBH, I think that function is doing more than it should and the code would be leaner if it only returned the list of GpgListResult objects. Then, the code here could be changed to:

I think that makes it easier for the reader to understand what is really going on.

Same applies to line 341 above.

My thinking was that it gathers the key of all kind GPG results. I'm not really convinced that the list comprehension is easier to understand tbh.

Well, list comprehensions some people love them, some people don't. You can guess my type ;-).

Anyways, I'm OK without the comprehension, but simple fact that you had to add more words to explain what the function does is a good sign that its name could be improved. Maybe gather_key_from_all() ? Your thinking makes sense for you who wrote this about now. Someone else, one year from now, will read this code out of the blue and they will have to go up and down the file, read that function, see what it does, just to figure out what took a couple of words to explain. So, the point is, do the explaining now, save everybody else (including yourself 1, 3 or 5 years from now) that time later on.

As suggested before, this could/should be simpler, as:

And that would make this one:

Maybe rename it to parse_gpg_list?

Apparently **kwargs is here just to handle the different cases of check_rc. That being the case, I would suggest to drop the ** thing and make it explicit:

or whichever default value you prefer, then adjust the calls to that method accordingly - I mean, the calls will work as they are right now, but you might want to remove the extra parameter for the default value (True in my suggestion).

The function doesn't do anything with check_rc. IMHO **kwargs conveys that it's only passed through.

@russoz means that kwargs right now is only ever used for check_rc, so it's better to make this more explicit.

The same is true for pacman_key()'s **kwargs.

Yeah, I got that. What I was trying to say was that both functions are just wrappers around gpg/pacman-key via module.run_command, and having the parameters of the wrapped function not named explicitly helps conveying which function (wrapper/wrapped) owns which set of parameters. I acknowledge that the benefit may be slim as the size of each set is currently small (2 and 1).

For some empirical evidence, the top answers in https://stackoverflow.com/questions/1415812/why-use-kwargs-in-python-what-are-some-real-world-advantages-over-using-named for example mention wrappers as a valid use case for usage of **kwargs, so I think the use here matches common expectations.

In addition to the semantics it e.g. enables IDEs that support it to show all parameters + any present doc strings supported by run_command on these functions, without having to duplicate them.

That said, if you feel strongly about it, happy to change it. Just wanted to clarify that it was a deliberate choice.

Not that strong. I still think the readability would be improved by naming - or removing that parameter as it is not used - but happy to merge the PR as-is wrt this.

That ship has sailed, please update to