Installing Jenkins with Puppet fails to import GPG key

Michael Harris

Apr 25, 2012, 7:22:12 PM
to puppet...@googlegroups.com
I've asked this question over on serverfault, but had no response.

I'm trying to install Jenkins with Puppet using the manifests below.

        # init.pp
        class jenkins {
          include jenkins::install, jenkins::service
        }

        # service.pp
        class jenkins::service {
          service { "jenkins":
            ensure     => running,
            hasstatus  => true,
            hasrestart => true,
            enable     => true,
            require    => Class["jenkins::install"],
          }
        }

        # install.pp
        class jenkins::install {
          include jenkins::install::repo
          include jenkins::install::java

          package { "jenkins":
            ensure  => present,
            require => Class['jenkins::install::repo','jenkins::install::java'],
          }
        }

        # install/repo.pp
        class jenkins::install::repo {
          file { "/etc/pki/rpm-gpg/jenkins-ci.org.key":
            owner  => root,
            group  => root,
            mode   => 0600,
            source => "puppet:///jenkins/jenkins-ci.org.key"
          }

          yumrepo { "jenkins":
            baseurl  => "http://pkg.jenkins-ci.org/redhat",
            descr    => "Jenkins",
            enabled  => 1,
            gpgcheck => 1,
            gpgkey   => "file:///etc/pki/rpm-gpg/jenkins-ci.org.key",
            require  => File["/etc/pki/rpm-gpg/jenkins-ci.org.key"]
          }
        }

        # install/java.pp
        class jenkins::install::java {
          package { "java-1.6.0-openjdk":
            ensure => present,
          }
        }

The repo is added and the key written to the file system. However, I get the following error.

        err: /Stage[main]/Jenkins::Install/Package[jenkins]/ensure: change from absent to present failed: Execution of '/usr/bin/yum -d 0 -e 0 -y install jenkins' returned 1: warning: rpmts_HdrFromFdno: Header V4 DSA signature: NOKEY, key ID d50582e6
        Traceback (most recent call last):
          File "/usr/bin/yum", line 29, in ?
            yummain.user_main(sys.argv[1:], exit_code=True)
          File "/usr/share/yum-cli/yummain.py", line 309, in user_main
            errcode = main(args)
          File "/usr/share/yum-cli/yummain.py", line 261, in main
            return_code = base.doTransaction()
          File "/usr/share/yum-cli/cli.py", line 410, in doTransaction
            if self.gpgsigcheck(downloadpkgs) != 0:
          File "/usr/share/yum-cli/cli.py", line 510, in gpgsigcheck
            self.getKeyForPackage(po, lambda x, y, z: self.userconfirm())
          File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 3519, in getKeyForPackage
            keys = self._retrievePublicKey(keyurl, repo)
          File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 3484, in _retrievePublicKey
            keys_info = misc.getgpgkeyinfo(rawkey, multiple=True)
          File "/usr/lib/python2.4/site-packages/yum/misc.py", line 375, in getgpgkeyinfo
            raise ValueError(str(e))
        ValueError: unknown pgp packet type 17 at 706

This suggests to me that the key isn't being imported successfully, and `rpm -qa gpg-pubkey` doesn't show the key. If I manually `yum install jenkins` without the key imported I get the same error. With the key imported, the manual installation succeeds.

I'm successfully installing other yum repos and keys standalone (basically the `install/repo.pp` manifest as its own module), such as EPEL, but as this repo is only for Jenkins I wanted to include it in my Jenkins module.

Is there something wrong with my manifests? Or some other problem?

**UPDATE**:

If I run this manifest on the node with `puppet apply jenkins.pp` I get the following error. I don't know if this is part of the problem or a red herring.

        # jenkins.pp
        file { "/etc/pki/rpm-gpg/jenkins-ci.org.key":
                owner  => root,
                group  => root,
                mode   => 0600,
                source => "/root/jenkins-ci.org.key"
        }

        yumrepo { "jenkins":
                baseurl  => "http://pkg.jenkins-ci.org/redhat",
                descr    => "Jenkins",
                enabled  => 1,
                gpgcheck => 1,
                gpgkey   => "file:///etc/pki/rpm-gpg/jenkins-ci.org.key",
                require  => File["/etc/pki/rpm-gpg/jenkins-ci.org.key"]
        }

        # output
        warning: Could not retrieve fact fqdn
        notice: /Stage[main]//File[/etc/pki/rpm-gpg/jenkins-ci.org.key]/ensure: defined content as '{md5}9fa06089848262c5a6383ec27fdd2575'
        notice: /Stage[main]//Yumrepo[jenkins]/descr: descr changed '' to 'Jenkins'
        notice: /Stage[main]//Yumrepo[jenkins]/baseurl: baseurl changed '' to 'http://pkg.jenkins-ci.org/redhat'
        notice: /Stage[main]//Yumrepo[jenkins]/enabled: enabled changed '' to '1'
        notice: /Stage[main]//Yumrepo[jenkins]/gpgcheck: gpgcheck changed '' to '1'
        notice: /Stage[main]//Yumrepo[jenkins]/gpgkey: gpgkey changed '' to 'file:///etc/pki/rpm-gpg/jenkins-ci.org.key'
        notice: Finished catalog run in 0.11 seconds
        err: /File[/var/lib/puppet/rrd]/ensure: change from absent to directory failed: Could not set 'directory on ensure: Could not find group puppet
        err: Could not send report: Got 1 failure(s) while initializing: change from absent to directory failed: Could not set 'directory on ensure: Could not find group puppet

Again, the repo is added but the key is not imported.

Any advice would be greatly appreciated.

Denmat

Apr 25, 2012, 9:17:05 PM
to puppet...@googlegroups.com
Hi,

The way that I import my keys is to set the gpg key for the yum repo like so:

          yumrepo { "jenkins":
            baseurl  => "http://pkg.jenkins-ci.org/redhat",
            descr    => "Jenkins",
            enabled  => 1,
            gpgcheck => 1,
            gpgkey   => "http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key",
          }

Should take care of the import for you.

The 'updated' issue is probably irrelevant.

Cheers
Den

Michael Harris

Apr 26, 2012, 3:51:00 AM
to puppet...@googlegroups.com
On Thursday, 26 April 2012 11:17:05 UTC+10, denmat wrote:

The way that I import my keys is to set the gpg key for the yum repo like so:

          yumrepo { "jenkins":
            baseurl  => "http://pkg.jenkins-ci.org/redhat",
            descr    => "Jenkins",
            enabled  => 1,
            gpgcheck => 1,
            gpgkey   => "http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key",
          }

Should take care of the import for you.

Cool, I didn't know I could specify a URL for the key, thanks.

However, I get the same error and the key still fails to import.

cheers, Michael 

denmat

Apr 26, 2012, 4:33:18 AM
to puppet...@googlegroups.com
Hi, I just spun up a fresh AWS instance and did this:

        $ cat puppet.repo.pp
        class jenkins {

          yumrepo { "jenkins":
            baseurl  => "http://pkg.jenkins-ci.org/redhat",
            descr    => "Jenkins",
            enabled  => 1,
            gpgcheck => 1,
            gpgkey   => "http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key",
          }
          package {"jenkins": ensure => latest }
        }

        include jenkins

        $ sudo puppet apply puppet.repo.pp
        notice: /Stage[main]/Jenkins/Yumrepo[jenkins]/descr: descr changed '' to 'Jenkins'
        notice: /Stage[main]/Jenkins/Yumrepo[jenkins]/baseurl: baseurl changed '' to 'http://pkg.jenkins-ci.org/redhat'
        notice: /Stage[main]/Jenkins/Yumrepo[jenkins]/enabled: enabled changed '' to '1'
        notice: /Stage[main]/Jenkins/Yumrepo[jenkins]/gpgcheck: gpgcheck changed '' to '1'
        notice: /Stage[main]/Jenkins/Yumrepo[jenkins]/gpgkey: gpgkey changed '' to 'http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key'
        notice: /Stage[main]/Jenkins/Package[jenkins]/ensure: created
        notice: Finished catalog run in 10.20 seconds

        $ rpm -qa |grep jenkins
        jenkins-1.461-1.1.noarch

That's what I meant. You shouldn't need to import the key as it should
check against the public key in the url (if you were installing via
rpm that might be different and will probably require the local import
- haven't tested myself).

Den

Michael Harris

Apr 26, 2012, 5:51:44 PM
to puppet...@googlegroups.com
On Thursday, 26 April 2012 18:33:18 UTC+10, denmat wrote:
Hi, I just spun up a fresh AWS instance and did this:

$ cat puppet.repo.pp
class jenkins {

      yumrepo { "jenkins":
            baseurl  => "http://pkg.jenkins-ci.org/redhat",
            descr    => "Jenkins",
            enabled  => 1,
            gpgcheck => 1,
            gpgkey   => "http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key",
          }
  package {"jenkins": ensure => latest }
}

include jenkins


I appreciate your help, but with that manifest I get the same error on both the node I'm trying to install on and on a fresh CentOS 5.7 with Puppet 2.7.9.

err: /Stage[main]/Jenkins/Package[jenkins]/ensure: change from absent to latest failed: Could not update: Execution of '/usr/bin/yum -d 0 -e 0 -y install jenkins' returned 1: warning: rpmts_HdrFromFdno: Header V4 DSA signature: NOKEY, key ID d50582e6 

Michael Harris

Apr 27, 2012, 12:33:15 AM
to puppet...@googlegroups.com

The following manifest results in the jenkins and epel repos being installed, rpm -qa gpg-pub* shows the epel key but not the jenkins key, and git is installed but not jenkins.

    class jenkins { 

      yumrepo {"jenkins":
        baseurl  => "http://pkg.jenkins-ci.org/redhat",
        descr    => "Jenkins",
        enabled  => 1,
        gpgcheck => 1,
        gpgkey   => "http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key",
      }
      package {"jenkins":
        ensure  => latest,
        require => Yumrepo["jenkins"]
      }
    }

    class git { 
      yumrepo {"epel":
        baseurl  => "http://mirror.aarnet.edu.au/pub/epel/5/i386",
        descr    => "Extra Packages for Enterprise Linux (EPEL)",
        enabled  => 1,
        gpgcheck => 1,
        gpgkey   => "http://keys.gnupg.net:11371/pks/lookup?search=0x217521F6&op=get",
      }
      package {"git":
        ensure  => latest,
        require => Yumrepo["epel"]
      }
    }

    include jenkins
    include git

denmat

Apr 27, 2012, 1:15:34 AM
to puppet...@googlegroups.com
Well, the good news is you're not crazy :)

I loaded up a 5.7 instance and puppet 2.7.9+ and got the same result as you!

I did a yum update and got the same issue - so it is not a common
issue that is already fixed.

I did a manual rpm --import of the key and the subsequent yum install
worked. It is clearly an OS issue particular to Jenkins rather than a
'puppet' issue (as Puppet installed via yum and installed the key
automagically without an issue).

What I did notice is that a copy of the key jenkins pubkey doesn't get
installed into /etc/pki. But you can query it via rpm -qa gpg-pubkey*:
rpm -qi gpg-pubkey-d50582e6-4a3feef6

So, you could use this to install from scratch:
        class jenkins {

          # Import the Jenkins signing key into the RPM database,
          # skipping the import when rpm already knows the key.
          exec { "key_import":
            command => "/bin/rpm --import http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key",
            unless  => "/bin/rpm -q gpg-pubkey-d50582e6-4a3feef6",
          }
          yumrepo { "jenkins":
            baseurl  => "http://pkg.jenkins-ci.org/redhat",
            descr    => "Jenkins",
            enabled  => 1,
            gpgcheck => 1,
            gpgkey   => "http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key",
            require  => Exec["key_import"],
          }
          package {"jenkins": ensure => latest, require => Yumrepo["jenkins"] }
        }

        include jenkins

Normally what happens is that if it is 'assumed yes', yum will
automatically accept the public key via the url - I don't know why
Jenkins is different - but it appears to install a new repo file and
try to import the pubkey again on install - maybe this confuses yum?
Just speculating - not going to investigate further :)

Cheers,
Den

Michael Harris

Apr 29, 2012, 8:44:48 AM
to puppet...@googlegroups.com
On Friday, 27 April 2012 15:15:34 UTC+10, denmat wrote:
Well, the good news is you're not crazy :)

At least, this isn't evidence that I'm crazy, but I still could be :)

Thanks for following up, and offering an alternative, I appreciate it. 

R. Tyler Croy

Apr 30, 2012, 1:32:38 PM
to puppet...@googlegroups.com

On Fri, 27 Apr 2012, denmat wrote:

> Well, the good news is you're not crazy :)
>
> I loaded up a 5.7 instance and puppet 2.7.9+ and got the same result as you!
>
> I did a yum update and got the same issue - so it is not a common
> issue that is already fixed.
>
> I did a manual rpm --import of the key and the subsequent yum install
> worked. It is clearly an OS issue particular to Jenkins rather than a
> 'puppet' issue (as Puppet installed via yum and installed the key
> automagically without an issue).
>
> What I did notice is that a copy of the key jenkins pubkey doesn't get
> installed into /etc/pki. But you can query it via rpm -qa gpg-pubkey*:
> rpm -qi gpg-pubkey-d50582e6-4a3feef6


Sounds like I should find a way to incorporate this workaround into my
puppet-jenkins module (https://github.com/rtyler/puppet-jenkins).

Glad you guys got this working regardless!


Cheers
- R. Tyler Croy
--------------------------------------
Code: http://github.com/rtyler
Chatter: http://twitter.com/agentdero
rty...@jabber.org

Dan Carley

May 23, 2012, 1:27:14 PM
to puppet...@googlegroups.com
On 27 April 2012 06:15, denmat <tu2b...@gmail.com> wrote:
Normally what happens is that if it is 'assumed yes', yum will
automatically accept the public key via the url - I don't know why
Jenkins is different - but it appears to install a new repo file and
try to import the pubkey again on install - maybe this confuses yum?
Just speculating - not going to investigate further :)

The problem stems from Yum on EL5 not being able to parse user attributes within the key. It can be worked around a bit more cleanly by removing the attribute from the public key. I've written a blog post with more details:
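
The `unknown pgp packet type 17` in the traceback is OpenPGP's User Attribute packet (RFC 4880 tag 17), which matches the diagnosis above. As an added example that is not part of the original thread or of Dan Carley's blog post, the Python 3 code below lists the packets in a binary (de-armored) key and drops tag-17 packets along with the signatures that follow them; `pkt` and `SAMPLE_KEY` are constructed test data with dummy bodies, not the Jenkins key.

```python
# Added example (Python 3): list OpenPGP packets and drop User Attribute (tag 17) packets.
USER_ATTRIBUTE, SIGNATURE = 17, 2

def read_packets(data):
    """Yield (tag, offset, raw_bytes) per packet; headers per RFC 4880 sec. 4.2."""
    pos = 0
    while pos < len(data):
        start, first = pos, data[pos]
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet at %d" % pos)
        if first & 0x40:                      # new format: 6-bit tag
            tag, l0 = first & 0x3F, data[pos + 1]
            if l0 < 192:
                length, hdr = l0, 2
            elif l0 < 224:
                length, hdr = ((l0 - 192) << 8) + data[pos + 2] + 192, 3
            elif l0 == 255:
                length, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
            else:
                raise ValueError("partial body length at %d" % pos)
        else:                                 # old format: 4-bit tag, so never 17
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length at %d" % pos)
            size = 1 << ltype                 # 1, 2 or 4 length octets
            length, hdr = int.from_bytes(data[pos + 1:pos + 1 + size], "big"), 1 + size
        pos += hdr + length
        if pos > len(data):
            raise ValueError("truncated packet at %d" % start)
        yield tag, start, data[start:pos]

def strip_user_attributes(data):
    """Return the key without tag-17 packets and the signatures that follow them."""
    out, skipping = bytearray(), False
    for tag, _, raw in read_packets(data):
        if tag == USER_ATTRIBUTE:
            skipping = True                   # drop this packet ...
        elif tag != SIGNATURE:
            skipping = False                  # ... and signatures up to the next non-signature
        if not skipping:
            out += raw
    return bytes(out)

def pkt(tag, body):  # constructed test data: new-format packet, one-octet length
    return bytes([0xC0 | tag, len(body)]) + body

# Constructed layout: key, user ID, sig, user attribute, sig, subkey, sig.
SAMPLE_KEY = (pkt(6, b"K" * 10) + pkt(13, b"Test <t@example.invalid>") + pkt(2, b"S1")
              + pkt(17, b"\x00" * 20) + pkt(2, b"S2") + pkt(14, b"SUB") + pkt(2, b"S3"))
```

Only User Attribute packets and their certifications are removed; the primary key packet is untouched, so the key ID (d50582e6 in the thread) and fingerprint stay the same and can still be compared against a trusted copy before `rpm --import`.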

Denmat

May 23, 2012, 5:09:02 PM
to puppet...@googlegroups.com
Well dug Dan :)