diff --git a/scripts/ansible b/scripts/ansible index 0aa812e25..97bf4923f 100755 --- a/scripts/ansible +++ b/scripts/ansible @@ -92,11 +92,19 @@ if [ ! -f /etc/debian_version ]; then # e.g. RaspiOS, Ubuntu, Mint & Debian exit 1 fi -echo -e "\napt update; install dirmngr; PPA to /etc/apt/sources.list.d/iiab-ansible.list\n" -$APT_PATH/apt update -$APT_PATH/apt -y install dirmngr -echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu $CODENAME main" \ +# 2021-04-26: JV & @holta WIP. The apt-key command is going away, and the past +# practice of putting keys in /etc/apt/trusted.gpg.d is considered insecure: +# https://www.linuxuprising.com/2021/01/apt-key-is-deprecated-how-to-add.html +# https://askubuntu.com/questions/1286545/what-commands-exactly-should-replace-the-deprecated-apt-key/1307181#1307181 +# So we put .gpg key in repo iiab/iiab, also for reliable installs/containers. + +#echo -e "\napt update; install dirmngr; PPA to /etc/apt/sources.list.d/iiab-ansible.list\n" +#$APT_PATH/apt update +#$APT_PATH/apt -y install dirmngr +#echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu $CODENAME main" \ +echo "deb [signed-by=/usr/share/keyrings/iiab-ansible-keyring.gpg] http://ppa.launchpad.net/ansible/ansible/ubuntu $CODENAME main" \ > /etc/apt/sources.list.d/iiab-ansible.list + # In future we might instead consider 'add-apt-repository ppa:ansible/ansible' # or 'apt-add-repository ppa:ansible/bionic/ansible' etc, e.g. for streamlined # removal using 'apt-add-repository -r' -- however that currently requires 
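Review bot: The new `deb [signed-by=/usr/share/keyrings/iiab-ansible-keyring.gpg] ...` entry is written to /etc/apt/sources.list.d/iiab-ansible.list before the keyring it names exists, because the `cp` that installs the keyring only comes in the next hunk. If the script stops in between, or that copy fails, apt is left with a source whose key file is missing, and later `apt update` runs will report a signature error for this PPA. Installing the keyring first and writing the list file only once that has succeeded keeps the two in step. The four commented-out lines (`#echo -e ...`, `#$APT_PATH/apt update`, `#$APT_PATH/apt -y install dirmngr`, `#echo "deb http...`) are better deleted than kept, since version control already preserves them. Whether an `apt update` still runs later in the script, now that this one is disabled, is not visible from the hunk and is worth confirming.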
@@ -108,11 +116,15 @@ echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu $CODENAME main" \ # problem). This workaround installs 2.9.6-1ppa~disco onto RaspiOS, from # https://launchpad.net/~ansible/+archive/ubuntu/ansible #echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu disco main" \ - # > /etc/apt/sources.list.d/iiab-ansible.list +# > /etc/apt/sources.list.d/iiab-ansible.list -echo -e '\nIF YOU FACE ERROR "signatures couldn'"'"'t be verified because the public key is not available" THEN REPEATEDLY RE-RUN "sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 93C4A3FD7BB9C367"\n' -apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 93C4A3FD7BB9C367 -echo -e 'PPA source "deb http://ppa.launchpad.net/ansible/ansible/ubuntu '$CODENAME' main"' +# 2021-04-26: JV & @holta WIP: (see above) +#echo -e '\nIF YOU FACE ERROR "signatures couldn'"'"'t be verified because the public key is not available" THEN REPEATEDLY RE-RUN "sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 93C4A3FD7BB9C367"\n' +#apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 93C4A3FD7BB9C367 +cp /opt/iiab/iiab/scripts/iiab-ansible-keyring.gpg /usr/share/keyrings/iiab-ansible-keyring.gpg +#chmod 644 /usr/share/keyrings/iiab-ansible-keyring.gpg + +echo -e 'PPA source "deb [signed-by=/usr/share/keyrings/iiab-ansible-keyring.gpg] http://ppa.launchpad.net/ansible/ansible/ubuntu '$CODENAME' main"' echo -e "successfully saved to /etc/apt/sources.list.d/iiab-ansible.list\n" echo -e "IF *OTHER* ANSIBLE SOURCES APPEAR BELOW, PLEASE MANUALLY REMOVE THEM TO" echo -e 'ENSURE ANSIBLE UPDATES CLEANLY: (then re-run this script to be sure!)\n' diff --git a/scripts/iiab-ansible-keyring.gpg b/scripts/iiab-ansible-keyring.gpg new file mode 100644 index 000000000..d6f75bbc5 Binary files /dev/null and b/scripts/iiab-ansible-keyring.gpg differ
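Review bot: The added `cp /opt/iiab/iiab/scripts/iiab-ansible-keyring.gpg /usr/share/keyrings/iiab-ansible-keyring.gpg` is unchecked and leaves the file's mode to the source file and umask, with the `chmod 644` beside it commented out. If the repo is not checked out at /opt/iiab/iiab the copy fails, and unless the script runs under `set -e` (not visible here) it still prints "successfully saved". A keyring that is not world-readable is likely to be ignored by apt's unprivileged `_apt` user, so verification would fail. One line covers both: `install -o root -g root -m 0644 /opt/iiab/iiab/scripts/iiab-ansible-keyring.gpg /usr/share/keyrings/iiab-ansible-keyring.gpg || exit 1`. The keyring arrives as a binary file that cannot be read in the diff and becomes the only trust anchor for packages fetched over plain http from this PPA, so add a comment with the expected key ID (the removed apt-key line fetched `93C4A3FD7BB9C367`), letting anyone confirm with `gpg --show-keys` that the file holds only that key.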