Add both GPG keys when installing repos on SLES #157
Conversation
We recently updated packages to be signed with the new GPG key (puppet-20250406), so for the time being install both the old and the new GPG key.
|
ping @ekohl @bastelfreak, can't add reviewers to the PR 😄 |
| on host, "wget -O /tmp/puppet-gpg-key http://yum.puppetlabs.com/RPM-GPG-KEY-puppet" | ||
| on host, "rpm --import /tmp/puppet-gpg-key" | ||
| %w[puppet puppet-20250406].each do |gpg_key| | ||
| on host, "wget -O /tmp/#{gpg_key} http://yum.puppetlabs.com/RPM-GPG-KEY-#{gpg_key}" |
There was a problem hiding this comment.
While you're at it: is this still the correct URL or is puppet.com preferred nowadays? I'd also consider fetching over HTTPS
There was a problem hiding this comment.
I think puppet.com is preferred, I'll update
| %w[puppet puppet-20250406].each do |gpg_key| | ||
| on host, "wget -O /tmp/#{gpg_key} http://yum.puppetlabs.com/RPM-GPG-KEY-#{gpg_key}" | ||
| on host, "rpm --import /tmp/#{gpg_key}" | ||
| on host, "rm -f /tmp/#{gpg_key}" |
There was a problem hiding this comment.
Normally I'd suggest to avoid the temporary file altogether by using rpm --import <(wget -O - $URL) but I don't know if it works here.
There was a problem hiding this comment.
Looks like this doesn't work as expected (tested on SLES 12):
tragic-yarn:~ # rpm --import <(wget -q -O - https://yum.puppet.com/RPM-GPG-KEY-puppet)
error: /dev/fd/63: import read failed(0).
There was a problem hiding this comment.
rpmkeys --import can take a URL directly on Fedora, but just gives import read failed(2) on openSUSE Tumbleweed for some reason, even though it's using the same version of rpm. 🤷♂️
|
I'll update and kick off a test pipeline to see if everything works properly, will let you know once it's done. |
|
@ekohl everything seems to be passing so this is good to merge. Thanks! |
We recently updated packages to be signed with the new GPG key (puppet-20250406), so for the time being install both the old and the new GPG key.