Reminder: Puppet Platform GPG signing changes starting November 2, 2020, action may be required

[Eric Griswold]

Why This Change

Puppet sets its package signing keys to expire on a set schedule for good security practices.

Summary

On November 2, 2020, Puppet Release Engineering will start signing Puppet Platform and Puppet Enterprise packages with an updated GPG key.

This is an explanation of how various existing users will be affected by this change and what actions they will need to take.

FOSS users can update their release packages and import the new GPG key now so that when the GPG key changes, they will not see any problems installing software.

Puppet Enterprise Users

Puppet Enterprise users do not need to take any specific action, the GPG change will be handled inside the PE installer.

FOSS Users

Puppet Release Engineering updated the yum and apt release packages to contain both the new key and the current key just before June 3, 2020. If you have installed or updated the release package since that date you should already have the new key.

SLES users, however, need to take an additional step:

SLES Users

SLES users need to take these steps. (Replace "puppet-release" with "puppet5-release" or "puppet6-release" if you are using those packages)

1. Download the updated GPG key:
   $ curl --remote-name --location https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406

2. Import the updated GPG key:
   $ sudo rpm --import RPM-GPG-KEY-puppet-20250406

3. Update the SLES puppet-release package
   $ sudo zypper update puppet-release

All Other FOSS users

All other FOSS users need only upgrade to the latest puppet-release package. (Replace "puppet-release" with "puppet5-release" or "puppet6-release" if you are using those packages)

For the apt users:  $ sudo apt-get upgrade puppet-release

For the yum users: $ sudo yum update puppet-release

Further Notes

Puppet GPG signing key, 2020 edition contains this and some more information about updating the GPG key using Puppet.