[ann] Action Required: New Puppet Inc. Public Key

Ryan McKern

Sep 8, 2016, 7:50:33 PM

Bottom line on top: Puppet is preparing to roll out a new GPG signing key for both Open Source and Puppet Enterprise products on Linux platforms because the current key expires in January 2017. Please update your puppetlabs-release package or add the new public key to the package manager’s key ring on any machines that use Puppet’s packages, as products shipped after September 12 2016 will be signed using the new key.

THE “WHAT” AND THE “WHY”

The current "classic" Puppet Labs GPG public key (UID in...@puppetlabs.com, long key ID 0x1054B7A24BD6EC30) will expire on January 05 2017. Rather than extend the key expiration date any further, Puppet is issuing a new GPG public key (UID rel...@puppet.com, long key ID 0x7F438280EF8D349F).


Puppet will begin signing new Linux packages and Puppet Enterprise releases with the new GPG signing key after September 12 2016. Please update any puppetlabs-release packages you may have installed as they are made available; new puppetlabs-release packages contain both the “classic” public key and the new public key. If you are not using a puppetlabs-release package to manage Yum or Apt GPG keys, please manually add the new key to the appropriate keyrings.

THE “HOW”

Updating the puppetlabs-release package on Red Hat Enterprise Linux platforms

This information applies to RHEL itself, as well as any distributions that maintain binary compatibility with it, including but not limited to CentOS, Scientific Linux, and Oracle Linux. The instructions also apply to Fedora Linux. To upgrade the puppetlabs-release package, run the command below:


$ sudo yum update puppetlabs-release-pc1

Updating the puppetlabs-release package on Debian and Ubuntu platforms

We publish and test puppetlabs-release packages for the following versions of Debian:

  • Debian 8 “Jessie” (current stable release)

  • Debian 7 “Wheezy” (previous stable release)

  • Debian 6 “Squeeze”


We also publish and test puppetlabs-release packages for the following versions of Ubuntu:

  • Ubuntu 16.04 LTS “Xenial Xerus”

  • Ubuntu 15.10 “Wily Werewolf”

  • Ubuntu 15.04 “Vivid Vervet”

  • Ubuntu 14.04 LTS “Trusty Tahr”

  • Ubuntu 12.04 LTS “Precise Pangolin”


We also publish and test puppetlabs-release packages for the following Debian-derived embedded platforms:

  • Cumulus Linux 2.2

  • huaweios


To upgrade the puppetlabs-release package, run the command below:


$ sudo apt-get upgrade puppetlabs-release-pc1

Manually importing the new GPG public key on Red Hat Enterprise Linux platforms

If you are not using a puppetlabs-release package to provide the yum.puppetlabs.com Yum repository definitions, you can manually add the new GPG public key to the RPM keyring:


$ curl --remote-name --location https://yum.puppetlabs.com/RPM-GPG-KEY-puppet
$ gpg --keyid-format 0xLONG --with-fingerprint ./RPM-GPG-KEY-puppet
pub  4096R/0x7F438280EF8D349F 2016-08-18 Puppet, Inc. Release Key (Puppet, Inc. Release Key) <rel...@puppet.com>
     Key fingerprint = 6F6B 1550 9CF8 E59E 6E46  9F32 7F43 8280 EF8D 349F
sub  4096R/0xA2D80E04656674AE 2016-08-18 [expires: 2021-08-17]
$ rpm --import RPM-GPG-KEY-puppet

Manually importing the new GPG public key on Debian and Ubuntu platforms

If you are not using a puppetlabs-release package to provide the apt.puppetlabs.com Apt repository definitions, you can manually add the new GPG public key to the Apt keyring:


$ curl --remote-name --location https://apt.puppetlabs.com/DEB-GPG-KEY-puppet
$ gpg --keyid-format 0xLONG --with-fingerprint ./DEB-GPG-KEY-puppet
pub  4096R/0x7F438280EF8D349F 2016-08-18 Puppet, Inc. Release Key (Puppet, Inc. Release Key) <rel...@puppet.com>
     Key fingerprint = 6F6B 1550 9CF8 E59E 6E46  9F32 7F43 8280 EF8D 349F
sub  4096R/0xA2D80E04656674AE 2016-08-18 [expires: 2021-08-17]
$ apt-key add DEB-GPG-KEY-puppet


--

Ryan McKern
Puppet Release Engineering
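
The manual import steps above show the expected fingerprint but leave the comparison to the reader's eye. The script below is an added example, not part of the original announcement or Puppet's tooling, that makes the comparison mechanical and also rejects a key file carrying more than one primary key. The function names and the sample listing are constructed for illustration; the fingerprint is the one printed in the announcement.

```shell
#!/bin/sh
# Added example (not Puppet's code): check a downloaded key file against the
# fingerprint published in the announcement before importing it.

# Fingerprint from the announcement, spaces removed.
EXPECTED_FPR="6F6B15509CF8E59E6E469F327F438280EF8D349F"

# primary_fpr (hypothetical helper): read `gpg --with-colons` output on stdin
# and print field 10 of the first "fpr" record that follows a "pub" record.
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1; next }
             seen && $1 == "fpr" { print toupper($10); exit }'
}

# listing_is_trusted (hypothetical helper): succeed only when the listing on
# stdin holds exactly one primary key and it has the expected fingerprint.
# The count check rejects a file that bundles an extra key with the real one.
listing_is_trusted() {
    listing=$(cat)
    count=$(printf '%s\n' "$listing" | awk -F: '$1 == "pub" { n++ } END { print n + 0 }')
    [ "$count" -eq 1 ] || return 1
    [ "$(printf '%s\n' "$listing" | primary_fpr)" = "$EXPECTED_FPR" ]
}

# verify_key_file FILE (hypothetical helper): the gpg call from the
# announcement, switched to machine-readable output.
verify_key_file() {
    gpg --with-colons --with-fingerprint "$1" 2>/dev/null | listing_is_trusted
}

# Constructed, abbreviated colon listing for offline testing (not real gpg output).
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:7F438280EF8D349F:::::::scSC:
fpr:::::::::6F6B15509CF8E59E6E469F327F438280EF8D349F:
sub:-:4096:1:A2D80E04656674AE:::::::e:
EOF
}

# Usage: sh verify-key.sh RPM-GPG-KEY-puppet && rpm --import RPM-GPG-KEY-puppet
if [ "$#" -gt 0 ]; then
    if verify_key_file "$1"; then
        echo "OK: $1 matches $EXPECTED_FPR"
    else
        echo "MISMATCH: do not import $1" >&2
        exit 1
    fi
fi
```

Comparing the full 40-character fingerprint matters here because a long key ID alone is only the last 16 hex digits of it.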