Reminder: Puppet Platform GPG signing changes starting November 2, 2020, action may be required


Eric Griswold

Oct 21, 2020, 7:24:41 PM
to Puppet Users
Why This Change

Puppet sets its package signing keys to expire on a set schedule for good security practices.

Summary

On November 2, 2020, Puppet Release Engineering will start signing Puppet Platform and Puppet Enterprise packages with an updated GPG key.

This is an explanation of how various existing users will be affected by this change and what actions they will need to take.

FOSS users can update their release packages and import the new GPG key now so that when the GPG key changes, they will not see any problems installing software.

Puppet Enterprise Users

Puppet Enterprise users do not need to take any specific action; the GPG change will be handled inside the PE installer.

FOSS Users

Puppet Release Engineering updated the yum and apt release packages to contain both the new key and the current key just before June 3, 2020. If you have installed or updated the release package since that date you should already have the new key.


SLES users, however, need to take an additional step:

SLES Users

SLES users need to take these steps. (Replace "puppet-release" with "puppet5-release" or "puppet6-release" if you are using those packages)

  1. Download the updated GPG key: $ curl --remote-name --location https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406

  2. Import the updated GPG key: $ sudo rpm --import RPM-GPG-KEY-puppet-20250406

  3. Update the SLES puppet-release package: $ zypper update puppet-release

All Other FOSS users

All other FOSS users need only upgrade to the latest puppet-release package. (Replace "puppet-release" with "puppet5-release" or "puppet6-release" if you are using those packages)

For the apt users: $ sudo apt-get upgrade puppet-release

For the yum users: $ sudo yum update puppet-release

Further Notes

"Puppet GPG signing key, 2020 edition" contains this and some more information about updating the GPG key using Puppet.

Eric Griswold

Puppet Release Engineering

Eric Griswold

Jan 11, 2021, 5:05:04 PM
to Puppet Users

Puppet Platform GPG signing was initially scheduled for November last year but it was delayed until just now.

Today I made the internal change to start signing with the updated key.

Andy Hall

Jan 12, 2021, 6:43:41 AM
to Puppet Users
Hey Eric, why do we not see the latest key in the release packages then? Thanks.

# yum info puppet-release
Available Packages
Name        : puppet-release
Arch        : noarch
Version     : 1.0.0
Release     : 14.el6
Description : Release packages for the Puppet repository
            : 
            : Contains the following components:
            : gpg_key 2019.4.8
            : repo_definition 2020.06.02

# yum info puppet6-release
Available Packages
Name        : puppet6-release
Arch        : noarch
Version     : 6.0.0
Release     : 10.el6
Description : Release packages for the Puppet 6 repository
            : 
            : Contains the following components:
            : gpg_key 2019.4.8
            : repo_definition 2020.05.18

Eric Griswold

Jan 12, 2021, 2:01:46 PM
to Puppet Users
Hi Andy,

Sorry for the confusion. Let's see if I can clear it up.

The release packages already contain both the old key (due to expire August 17, 2021) and the new key (due to expire April 6, 2025). They've been this way since last July. The Description is misleading, I admit.

Yesterday, I flipped an internal switch so that any packages released after the switch would be signed with the new key. Puppet Platform will continue their normal release process and will be viable with either key until the old one expires in August.

As this rolls out in the coming weeks, I won't be terribly surprised if there's an occasional unforeseen problem with a package. I encourage bringing any issues to our attention and we'll work to fix them as quickly as I can.

Eric

Andy Hall

Jan 15, 2021, 9:37:59 AM
to Puppet Users
OK great that makes sense...in fact I guess you mean since July 2019 as I see the newer key in puppet6-release from a while ago which is good...

# rpm -qi puppet6-release
Name        : puppet6-release 
Version     : 6.0.0 
Release     : 5.el6  
Install Date: Sat 28 Sep 2019 01:15:09 PM BST

# rpm -ql puppet6-release
/etc/pki/rpm-gpg/RPM-GPG-KEY-2025-04-06-puppet6-release
/etc/pki/rpm-gpg/RPM-GPG-KEY-puppet6-release

Thanks.
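
One way to audit a host for the rotation discussed in this thread, as an added example that is not part of any post above and is not Puppet's own tooling: it reads GnuPG colon-format key listings and reports each public key as ok, expiring or EXPIRED relative to a reference time. The key IDs, user IDs and creation times in the sample are constructed placeholders; the two expiry epochs are midnight UTC on the expiry dates given in the thread (August 17, 2021 and April 6, 2025).

```shell
#!/bin/sh
# Constructed sample in the record layout of `gpg --show-keys --with-colons`.
# Key IDs, user IDs and creation times are placeholders, not Puppet's real keys.
# Field 7 is the expiry epoch: 1629158400 = 2021-08-17, 1743897600 = 2025-04-06.
sample_keys() {
cat <<'EOF'
pub:-:4096:1:AAAAAAAAAAAAAAAA:1471392000:1629158400::-:::scESC::::::23::0:
uid:-::::1471392000::PLACEHOLDER::Example old signing key::::::::::0:
pub:-:4096:1:BBBBBBBBBBBBBBBB:1554508800:1743897600::-:::scESC::::::23::0:
uid:-::::1554508800::PLACEHOLDER::Example new signing key::::::::::0:
EOF
}

# key_status NOW_EPOCH [WARN_DAYS]
# Reads colon records on stdin and prints "<keyid> <status> <days-left>"
# for every public key. WARN_DAYS defaults to 90.
key_status() {
  awk -F: -v now="$1" -v warn="${2:-90}" '
    $1 == "pub" {
      # An empty expiry field means the key never expires.
      if ($7 == "") { print $5, "no-expiry", "-"; next }
      days = int(($7 - now) / 86400)
      # Compare epochs directly so a key that expired hours ago is not "ok".
      if ($7 < now)          status = "EXPIRED"
      else if (days <= warn) status = "expiring"
      else                   status = "ok"
      print $5, status, days
    }'
}

# Stand-alone run against the constructed sample, using the current time.
# On a real host, feed it a key file instead, for example:
#   gpg --show-keys --with-colons RPM-GPG-KEY-puppet-20250406 | key_status "$(date +%s)"
sample_keys | key_status "$(date +%s)"
```

A host that still reports only the older key as trusted after that key's expiry date will reject packages signed with the new key until the release package is updated as described in the first post.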
