diff --git a/manifests/key.pp b/manifests/key.pp
index 24eef9e9cf..68e0c76330 100644
--- a/manifests/key.pp
+++ b/manifests/key.pp
@@ -26,21 +26,22 @@
   # apt::source resources that all reference the same key.
   case $ensure {
     present: {
+
+      anchor { "apt::key/$title":; }
+
       if defined(Exec["apt::key $key absent"]) {
         fail ("Cannot ensure Apt::Key[$key] present; $key already ensured absent")
-      } elsif !defined(Exec["apt::key $key present"]) {
-        # this is a marker to ensure we don't simultaneously define a key
-        # ensure => absent AND ensure => present
-        exec { "apt::key $key present":
-          path   => "/",
-          onlyif => "/bin/false",
-          noop   => true;
-        }
       }
+
+      if !defined(Anchor["apt::key $key present"]) {
+        anchor { "apt::key $key present":; }
+      }
+
       if !defined(Exec[$digest]) {
         exec { $digest:
           path    => "/bin:/usr/bin",
           unless  => "/usr/bin/apt-key list | /bin/grep '${key}'",
+          before  => Anchor["apt::key $key present"],
           command => $method ? {
             "content" => "echo '${key_content}' | /usr/bin/apt-key add -",
             "source"  => "wget -q '${key_source}' -O- | apt-key add -",
@@ -48,11 +49,16 @@
           };
         }
       }
+
+      Anchor["apt::key $key present"] -> Anchor["apt::key/$title"]
+
     }
     absent: {
-      if defined(Exec["apt::key $key present"]) {
+
+      if defined(Anchor["apt::key $key present"]) {
         fail ("Cannot ensure Apt::Key[$key] absent; $key already ensured present")
       }
+
       exec { "apt::key $key absent":
         path    => "/bin:/usr/bin",
         onlyif  => "apt-key list | grep '$key'",
@@ -61,6 +67,7 @@
         group   => "root",
       }
     }
+
     default: {
       fail "Invalid 'ensure' value '$ensure' for aptkey"
     }
diff --git a/spec/defines/key_spec.rb b/spec/defines/key_spec.rb
index 88038d2783..a15000765e 100644
--- a/spec/defines/key_spec.rb
+++ b/spec/defines/key_spec.rb
@@ -57,13 +57,13 @@
       it {
         if [:present, 'present'].include? param_hash[:ensure]
           should_not contain_exec("apt::key #{param_hash[:key]} absent")
-          should contain_exec("apt::key #{param_hash[:key]} present")
+          should contain_anchor("apt::key #{param_hash[:key]} present")
           should contain_exec(digest).with({
             "path"    => "/bin:/usr/bin",
             "unless"  => "/usr/bin/apt-key list | /bin/grep '#{param_hash[:key]}'"
           })
         elsif [:absent, 'absent'].include? param_hash[:ensure]
-          should_not contain_exec("apt::key #{param_hash[:key]} present")
+          should_not contain_anchor("apt::key #{param_hash[:key]} present")
           should contain_exec("apt::key #{param_hash[:key]} absent").with({
             "path"    => "/bin:/usr/bin",
             "onlyif"  => "apt-key list | grep '#{param_hash[:key]}'",
@@ -93,22 +93,29 @@
       }
 
     end
+  end
 
+  [{ :ensure => 'present' }, { :ensure => 'absent' }].each do |param_set|
     describe "should correctly handle duplicate definitions" do
+
       let :pre_condition do
-        "apt::key { 'duplicate': key => '#{params[:key]}'; }"
+        "apt::key { 'duplicate': key => '#{title}'; }"
       end
 
+      let(:params) { param_set }
+
       it {
-        if [:present, 'present'].include? param_hash[:ensure]
-          should contain_exec("apt::key #{param_hash[:key]} present")
-          should contain_apt__key("duplicate")
+        if param_set[:ensure] == 'present'
+          should contain_anchor("apt::key #{title} present")
           should contain_apt__key(title)
-        elsif [:absent, 'absent'].include? params[:ensure]
+          should contain_apt__key("duplicate")
+        elsif param_set[:ensure] == 'absent'
           expect { should raise_error(Puppet::Error) }
         end
       }
 
     end
   end
+
 end
+