update apt key for puppetlabs and verify signature


rapid7bob

Jul 9, 2012, 3:30:06 PM
to Puppet Users
I did a set of Google searches looking for the answer to this
question, but didn't find any good ones. Since I believe the
community may benefit from my experience, I thought I'd post it.

While updating patches on Ubuntu 10.04 on a staging puppet
environment, I noticed the apt key for puppetlabs had expired. Rather
than blindly installing a keyring package that may not be verified, I
decided to verify manually. Here are the steps:

"apt-get clean && apt-get update" yields
...
Get:2 http://apt.puppetlabs.com lucid Release [8,845B]
...
W: GPG error: http://apt.puppetlabs.com lucid Release: The following signatures were invalid: KEYEXPIRED 1341792832

"apt-key list" shows:
...
/etc/apt/trusted.gpg.d/pl-keyring.gpg
-------------------------------------
pub 4096R/4BD6EC30 2010-07-10 [expired: 2012-07-09]
uid Puppet Labs Release Key (Puppet Labs Release Key) <in...@puppetlabs.com>

"gpg --recv-key 4BD6EC30" says:
gpg: requesting key 4BD6EC30 from hkp server keys.gnupg.net
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 4BD6EC30: public key "Puppet Labs Release Key (Puppet Labs Release Key) <in...@puppetlabs.com>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)

"gpg --list-key --fingerprint 4BD6EC30" reports:
pub 4096R/4BD6EC30 2010-07-10 [expires: 2016-07-08]
Key fingerprint = 47B3 20EB 4C7C 375A A9DA E1A0 1054 B7A2 4BD6 EC30
uid Puppet Labs Release Key (Puppet Labs Release Key) <in...@puppetlabs.com>

I checked and the fingerprint matches the one listed at
http://projects.puppetlabs.com/projects/1/wiki/Downloading_Puppet#Verifying+Puppet+Downloads.

After running "apt-key adv --keyserver keys.gnupg.net --recv-keys 4BD6EC30",
apt-get update runs without error.

Note to moderators: I don't know if this information has already been
posted, but just in case it hasn't, here it is. It may not be
encountered by others depending on timing of their installation/
configuration.

Bob

Felix Frank

Jul 10, 2012, 9:42:15 AM
to puppet...@googlegroups.com
Hi,

thanks for sharing, but apparently you missed the new key being
announced to this group by Matthaus Litteken on July 5th. That would
probably have saved you lots of trouble.

Cheers,
Felix

rapid7bob

Jul 10, 2012, 2:04:05 PM
to puppet...@googlegroups.com
Yes, new to the group -- thanks.  It took about 10 minutes to find and had I searched on the keyid and updated before the expiration, it would have been easier.  Unfortunately, I was out of the office and it was fairly short notice over a holiday week (at least in the US).

Cheers!

Bob

krish

Aug 3, 2012, 2:05:25 AM
to puppet...@googlegroups.com
On Tue, Jul 10, 2012 at 7:12 PM, Felix Frank
<felix...@alumni.tu-berlin.de> wrote:
> Hi,
>
> thanks for sharing, but apparently you missed the new key being
> announced to this group by Matthaus Litteken on July 5th. That would
> probably have saved you lots of trouble.
>
> Cheers,
> Felix


I did a
gpg --refresh-keys; gpg --recv-keys 4BD6EC30
as per that email

And the key is still showing expired.
# apt-key list | grep -B1 "Puppet Labs"
pub 4096R/4BD6EC30 2010-07-10 [expired: 2012-07-09]
uid Puppet Labs Release Key (Puppet Labs Release Key) <in...@puppetlabs.com>




--
Krish
Hey! Checkout my new startup * www.toonheart.com *
Like Us if you Like Us! - facebook.com/toonheart