(MODULES-10897) Add new GPG signing key and remove the old one

puppetlabs · Jan 11, 2021 · 4ac5ea6 · 4ac5ea6
1 parent f92f69a
commit 4ac5ea6
Show file tree

Hide file tree

Showing 9 changed files with 94 additions and 119 deletions.
diff --git a/files/GPG-KEY-puppet-20250406 b/files/GPG-KEY-puppet-20250406
@@ -0,0 +1,52 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFyrv4oBEADhL8iyDPZ+GWN7L+A8dpEpggglxTtL7qYNyN5Uga2j0cusDdOD
+ftPHsurLjfxtc2EFGdFK/N8y4LSpq+nOeazhkHcPeDiWC2AuN7+NGjH9LtvMUqKy
+NWPhPYP2r/xPL547oDMdvLXDH5n+FsLFW8QgATHk4AvlIhGng0gWu80OqTCiL0HC
+W7TftkF8ofP8k90SnLYbI9HDVOj6VYYtqG5NeoCHGAqrb79G/jq64Z/gLktD3IrB
+CxYhKFfJtZ/BSDB8Aa4ht+jIyeFCNSbGyfFfWlHKvF3JngS/76Y7gxX1sbR3gHJQ
+hO25AQdsPYKxgtIgNeB9/oBp1+V3K1W/nta4gbDVwJWCqDRbEFlHIdV7fvV/sqiI
+W7rQ60aAY7J6Gjt/aUmNArvT8ty3szmhR0wEEU5/hhIVV6VjS+AQsI8pFv6VB8bJ
+TLfOBPDW7dw2PgyWhVTEN8KW/ckyBvGmSdzSgAhw+rAe7li50/9e2H8eiJgBbGid
+8EQidZgkokh331CMDkIA6F3ygiB+u2ZZ7ywxhxIRO70JElIuIOiofhVfRnh/ODlH
+X7eD+cA2rlLQd2yWf4diiA7C9R8r8vPrAdp3aPZ4xLxvYYZV8E1JBdMus5GRy4rB
+Avetp0Wx/1r9zVDKD/J1bNIlt0SR9FTmynZj4kLWhoCqmbrLS35325sS6wARAQAB
+tEhQdXBwZXQsIEluYy4gUmVsZWFzZSBLZXkgKFB1cHBldCwgSW5jLiBSZWxlYXNl
+IEtleSkgPHJlbGVhc2VAcHVwcGV0LmNvbT6JAlQEEwEKAD4WIQTWgR7Tre64RBr1
+qo9FKLbNnmHvJgUCXKu/igIbAwUJC0c1AAULCQgHAwUVCgkICwUWAgMBAAIeAQIX
+gAAKCRBFKLbNnmHvJg/vD/0eOl/pBb6ooGnzg2qoD+XwgOK3HkTdvGNZKGsIrhUG
+q6O0zoyPW8v9b/i7QEDre8QahARmMAEQ+T3nbNVzw4kpE+YIrEkKjoJsrF8/K/1L
+zBHJCc3S9oF9KubG5BuQ4bAmcvnI+qpEYbSTLHztYGUfXAGu+MnaDf4C60G7zM6m
+ec4bX8lVnt+gcsGGGCdN89XsZLBNdv21z9xMeaAPiRYJpbqwrb8cYbKQeqFSQt2M
+UylN5oVeN77Q8iyXSyVwpc6uKzXdQ8bVPbKUTWSXQ4SSp0HJjtAMiDH2pjty4PG6
+EgZ6/njJLOzQ29ZgFrS19XLONlptHwKzLYB8nJhJvGHfzzInmNttDtNwTA6IxpsR
+4aCnrPWFJRCbmMBNXvBR9B/O+e/T5ngL21ipMEwzEOiQlRSacnO2pICwZ5pARMRI
+dxq/5BQYry9HNlJDGR7YIfn7i0oCGk5BxwotSlAPw8jFpNU/zTOvpQAdPvZje2JP
+6GS+hYxSdHsigREXI2gxTvpcLk8LOe9PsqJv631e6Kvn9P9OHiihIp8G9fRQ8T7y
+elHcNanV192mfbWxJhDAcQ+JEy9883lOanaCoaf/7z4kdmCQLz5/oNg2K0qjSgZH
+JY/gxCOwuAuUJlLcAXQG6txJshfMxyQUO46DXg0/gjwkKgT/9PbTJEN/WN/G6n1h
+lbkCDQRcq7+KARAAxX5WS3Qx0eHFkpxSecR2bVMh5NId/v5Ch0sXWTWp44I38L9V
+o+nfbI+o8wN5IdFtvhmQUXCUPfacegFVVyerxSuLb0YibhNL1/3xwD5aDMYSN5ud
+x1wJTN1Ymi1zWwDN0PMx3asJ2z31fK4LOHOP4gRvWfrJjYlkMD5ufmxK7bYWh80z
+IEHJkNJKGbGcBB8MxJFP1dX85vwATY7N7jbpBQ0z6rLazfFyqmo8E3u5PvPQvJ06
+qMWF1g+tTqqJSIT6kdqbznuWNGFpI0iO+k4eYAGcOS2L8v5/Au163BldDGHxTnnl
+h42MWTyx7v0UBHKvI+WSC2rQq0x7a2WyswQ9lpqGbvShUSyR8/z6c0XEasDhhB3X
+AQcsIH5ndKzS7GnQMVNjgFCyzr/7+TMBXJdJS3XyC3oi5yTX5qwt3RkZN1DXozkk
+eHxzow5eE7cSHFFYboxFCcWmZNeHL/wQJms0pW2UL2crmXhVtj5RsG9fxh0nQnxm
+zrMbn+PxQaW8Xh+Z5HWQ65PSt7dg8k4Y+pGD115/kG1U2PltlcoOLUwHLp24ptaa
+Chj1tNg/VSWpMCaXeDmrk5xiZIRHe/P1p18+iTOQ2GXP4MBmfDwX9lHfQxTht/qB
++ikBy4bVqJmMDew4QAmHgPhRXzRwTH4lIMoYGPX3+TAGovdy5IZjaQtvahcAEQEA
+AYkCPAQYAQoAJhYhBNaBHtOt7rhEGvWqj0Uots2eYe8mBQJcq7+KAhsMBQkLRzUA
+AAoJEEUots2eYe8m/ggQAMWoPyvNCEs1HTVpOOyLsEbQhLvCcjRjJxHKGg9z8nIW
+pFSPXjlThnRR3UwIQHVgf+5OYMvIvaQ5yLWLMP1QdN/wZLKHLaKv6QxgXdLmr3F5
+9qhoV3NbBvgkFlzvJrHYH75sJglX60W7QysXxYinlsPhQeTWjca5/VjUTOgGhLDM
+Q/UCClcPA0Q12Q7U/eomYnmFDJdxPH6U9ZA6UQTdLWVCvK1chL3Fj1eq/11d/0S/
+7CQvZObYRKX1kkaJAwSt7C6iq8nvrCWVVuxaXRqI/6Qi4Z6CSNB+2tk2W66J52Wm
+PaodvnLlu+im3qtTWLLa3R+ZFRwNK9xPIR+XbA/HggOkG/JeAZYgB8shIVhuPdQc
+zZi2hHIVUTPvhnxNgeioia2Zu++2WKpf6LEGNlwADFOVedfea0am23ImV2YOhEHz
+hSvhdhiM3W8XtK3ZQbyUiumAXQrMhamoaHytdQUMEU/nmaLygKPHjUNixsliknU6
+jxFIQStHSuF3b2hdM3W+Cw8ziUInpz5Dgw9uV0G3h/FGv0tjjgmbyTdUIjbQNUxk
+pzA2H6IBEMaVTdNuGEqPU+xySSoOSU3eg3Hey4hR1CZln5cky0bwZRziCQYmfpn1
+KE7aoxDPbBBJ0Y3k/i8CfnPiaBeWY+3o63Z9IeICg17nNva8OYpQnUVXXHhkJIc0
+=u0aK
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/files/GPG-KEY-puppetlabs b/files/GPG-KEY-puppetlabs
diff --git a/manifests/osfamily/debian.pp b/manifests/osfamily/debian.pp
@@ -72,9 +72,9 @@
       } else {
         $source = $::puppet_agent::apt_source
       }
-      $legacy_keyname = 'GPG-KEY-puppetlabs'
+      $legacy_keyname = 'GPG-KEY-puppet'
       $legacy_gpg_path = "/etc/pki/deb-gpg/${legacy_keyname}"
-      $keyname = 'GPG-KEY-puppet'
+      $keyname = 'GPG-KEY-puppet-20250406'
       $gpg_path = "/etc/pki/deb-gpg/${keyname}"
 
       if getvar('::puppet_agent::manage_pki_dir') == true {
@@ -92,7 +92,7 @@
       }
 
       apt::key { 'legacy key':
-        id     => '47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30',
+        id     => '6F6B15509CF8E59E6E469F327F438280EF8D349F',
         source => $legacy_gpg_path,
       }
 
@@ -108,7 +108,7 @@
         location => $source,
         repos    => $::puppet_agent::collection,
         key      => {
-          'id'     => '6F6B15509CF8E59E6E469F327F438280EF8D349F',
+          'id'     => 'D6811ED3ADEEB8441AF5AA8F4528B6CD9E61EF26',
           'source' => $gpg_path,
         },
         notify   => Exec['pc_repo_force'],

diff --git a/manifests/osfamily/redhat.pp b/manifests/osfamily/redhat.pp
@@ -82,9 +82,9 @@
       $gpg_cmd = 'gpg'
     }
 
-    $legacy_keyname = 'GPG-KEY-puppetlabs'
+    $legacy_keyname = 'GPG-KEY-puppet'
     $legacy_gpg_path = "/etc/pki/rpm-gpg/RPM-${legacy_keyname}"
-    $keyname = 'GPG-KEY-puppet'
+    $keyname = 'GPG-KEY-puppet-20250406'
     $gpg_path = "/etc/pki/rpm-gpg/RPM-${keyname}"
     $gpg_keys = "file://${legacy_gpg_path}
   file://${gpg_path}"

diff --git a/manifests/osfamily/suse.pp b/manifests/osfamily/suse.pp
@@ -35,9 +35,9 @@
     case $::operatingsystemmajrelease {
       '11', '12', '15': {
         # Import the GPG key
-        $legacy_keyname  = 'GPG-KEY-puppetlabs'
+        $legacy_keyname  = 'GPG-KEY-puppet'
         $legacy_gpg_path = "/etc/pki/rpm-gpg/RPM-${legacy_keyname}"
-        $keyname         = 'GPG-KEY-puppet'
+        $keyname         = 'GPG-KEY-puppet-20250406'
         $gpg_path        = "/etc/pki/rpm-gpg/RPM-${keyname}"
         $gpg_homedir     = '/root/.gnupg'
 

diff --git a/spec/classes/puppet_agent_osfamily_debian_spec.rb b/spec/classes/puppet_agent_osfamily_debian_spec.rb
@@ -157,12 +157,12 @@
         'content'  => apt_settings.join(''),
       }) }
 
-      it { is_expected.to contain_file('/etc/pki/deb-gpg/GPG-KEY-puppetlabs').with({
+      it { is_expected.to contain_file('/etc/pki/deb-gpg/GPG-KEY-puppet-20250406').with({
         'ensure' => 'present',
         'owner'  => '0',
         'group'  => '0',
         'mode'   => '0644',
-        'source' => 'puppet:///modules/puppet_agent/GPG-KEY-puppetlabs',
+        'source' => 'puppet:///modules/puppet_agent/GPG-KEY-puppet-20250406',
       }) }
 
       it { is_expected.to contain_file('/etc/pki/deb-gpg/GPG-KEY-puppet').with({
@@ -174,16 +174,16 @@
       }) }
 
       it { is_expected.to contain_apt__key('legacy key').with({
-        'id'     => '47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30',
-        'source' => '/etc/pki/deb-gpg/GPG-KEY-puppetlabs',
+        'id'     => '6F6B15509CF8E59E6E469F327F438280EF8D349F',
+        'source' => '/etc/pki/deb-gpg/GPG-KEY-puppet',
       }) }
 
       it { is_expected.to contain_apt__source('pc_repo').with({
         'location' => 'https://master.example.vm:8140/packages/2000.0.0/debian-7-x86_64',
         'repos'    => 'PC1',
         'key'      => {
-          'id'     => '6F6B15509CF8E59E6E469F327F438280EF8D349F',
-          'source' => '/etc/pki/deb-gpg/GPG-KEY-puppet',
+          'id'     => 'D6811ED3ADEEB8441AF5AA8F4528B6CD9E61EF26',
+          'source' => '/etc/pki/deb-gpg/GPG-KEY-puppet-20250406',
         },
       }) }
     end
@@ -201,8 +201,8 @@
         'location' => 'https://fake-apt-mirror.com/packages/2000.0.0/debian-7-x86_64',
         'repos'    => 'PC1',
         'key'      => {
-          'id'     => '6F6B15509CF8E59E6E469F327F438280EF8D349F',
-          'source' => '/etc/pki/deb-gpg/GPG-KEY-puppet',
+          'id'     => 'D6811ED3ADEEB8441AF5AA8F4528B6CD9E61EF26',
+          'source' => '/etc/pki/deb-gpg/GPG-KEY-puppet-20250406',
         },
       }) }
     end
@@ -239,16 +239,16 @@
       }
 
       it { is_expected.to contain_apt__key('legacy key').with({
-        'id'     => '47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30',
-        'source' => '/etc/pki/deb-gpg/GPG-KEY-puppetlabs',
+        'id'     => '6F6B15509CF8E59E6E469F327F438280EF8D349F',
+        'source' => '/etc/pki/deb-gpg/GPG-KEY-puppet',
       }) }
 
       it { is_expected.to contain_apt__source('pc_repo').with({
         'location' => 'https://apt.puppet.com',
         'repos'    => 'puppet5',
         'key'      => {
-          'id'     => '6F6B15509CF8E59E6E469F327F438280EF8D349F',
-          'source' => '/etc/pki/deb-gpg/GPG-KEY-puppet',
+          'id'     => 'D6811ED3ADEEB8441AF5AA8F4528B6CD9E61EF26',
+          'source' => '/etc/pki/deb-gpg/GPG-KEY-puppet-20250406',
         },
       }) }
     end
@@ -267,8 +267,8 @@
         'location' => 'https://fake-apt-mirror.com/',
         'repos'    => 'puppet5',
         'key'      => {
-          'id'     => '6F6B15509CF8E59E6E469F327F438280EF8D349F',
-          'source' => '/etc/pki/deb-gpg/GPG-KEY-puppet',
+          'id'     => 'D6811ED3ADEEB8441AF5AA8F4528B6CD9E61EF26',
+          'source' => '/etc/pki/deb-gpg/GPG-KEY-puppet-20250406',
         },
       }) }
     end

diff --git a/spec/classes/puppet_agent_osfamily_redhat_spec.rb b/spec/classes/puppet_agent_osfamily_redhat_spec.rb
@@ -25,11 +25,11 @@
       end
 
       if os == 'Fedora' then
-        it { is_expected.to contain_exec('import-GPG-KEY-puppetlabs').with({
+        it { is_expected.to contain_exec('import-GPG-KEY-puppet-20250406').with({
           'path'      => '/bin:/usr/bin:/sbin:/usr/sbin',
-          'command'   => 'rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs',
-          'unless'    => "rpm -q gpg-pubkey-$(echo $(gpg2 --with-colons /etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs 2>&1 | grep ^pub | awk -F ':' '{print \$5}' | cut --characters=9-16 | tr '[:upper:]' '[:lower:]'))",
-          'require'   => 'File[/etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs]',
+          'command'   => 'rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406',
+          'unless'    => "rpm -q gpg-pubkey-$(echo $(gpg2 --with-colons /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406 2>&1 | grep ^pub | awk -F ':' '{print \$5}' | cut --characters=9-16 | tr '[:upper:]' '[:lower:]'))",
+          'require'   => 'File[/etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406]',
           'logoutput' => 'on_failure',
         }) }
 
@@ -41,11 +41,11 @@
           'logoutput' => 'on_failure',
         }) }
       else
-        it { is_expected.to contain_exec('import-GPG-KEY-puppetlabs').with({
+        it { is_expected.to contain_exec('import-GPG-KEY-puppet-20250406').with({
           'path'      => '/bin:/usr/bin:/sbin:/usr/sbin',
-          'command'   => 'rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs',
-          'unless'    => "rpm -q gpg-pubkey-$(echo $(gpg --with-colons /etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs 2>&1 | grep ^pub | awk -F ':' '{print \$5}' | cut --characters=9-16 | tr '[:upper:]' '[:lower:]'))",
-          'require'   => 'File[/etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs]',
+          'command'   => 'rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406',
+          'unless'    => "rpm -q gpg-pubkey-$(echo $(gpg --with-colons /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406 2>&1 | grep ^pub | awk -F ':' '{print \$5}' | cut --characters=9-16 | tr '[:upper:]' '[:lower:]'))",
+          'require'   => 'File[/etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406]',
           'logoutput' => 'on_failure',
         }) }
 
@@ -73,12 +73,12 @@
         end
       end
 
-      it { is_expected.to contain_file('/etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs').with({
+      it { is_expected.to contain_file('/etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406').with({
         'ensure' => 'present',
         'owner'  => '0',
         'group'  => '0',
         'mode'   => '0644',
-        'source' => 'puppet:///modules/puppet_agent/GPG-KEY-puppetlabs',
+        'source' => 'puppet:///modules/puppet_agent/GPG-KEY-puppet-20250406',
       }) }
 
       it { is_expected.to contain_file('/etc/pki/rpm-gpg/RPM-GPG-KEY-puppet').with({
@@ -114,7 +114,7 @@
           'baseurl' => "http://yum.puppet.com/puppet5/#{urlbit.gsub('/f','/')}/x64",
           'enabled' => 'true',
             'gpgcheck' => '1',
-            'gpgkey' => "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs\n  file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet",
+            'gpgkey' => "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet\n  file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406",
         }) }
       end
 
@@ -179,7 +179,7 @@
           'baseurl' => "https://master.example.vm:8140/packages/2000.0.0/#{repodir}",
           'enabled' => 'true',
           'gpgcheck' => '1',
-          'gpgkey' => "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs\n  file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet",
+          'gpgkey' => "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet\n  file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406",
           'sslcacert' => '/etc/puppetlabs/puppet/ssl/certs/ca.pem',
           'sslclientcert' => '/etc/puppetlabs/puppet/ssl/certs/foo.example.vm.pem',
           'sslclientkey' => '/etc/puppetlabs/puppet/ssl/private_keys/foo.example.vm.pem',

diff --git a/spec/classes/puppet_agent_osfamily_suse_spec.rb b/spec/classes/puppet_agent_osfamily_suse_spec.rb
@@ -60,11 +60,11 @@
             'logoutput' => 'on_failure',
           }) }
 
-          it { is_expected.to contain_exec('import-GPG-KEY-puppetlabs').with({
+          it { is_expected.to contain_exec('import-GPG-KEY-puppet-20250406').with({
             'path'      => '/bin:/usr/bin:/sbin:/usr/sbin',
-            'command'   => 'rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs',
-            'unless'    => "rpm -q gpg-pubkey-$(echo $(gpg --homedir /root/.gnupg --with-colons /etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs 2>&1 | grep ^pub | awk -F ':' '{print \$5}' | cut --characters=9-16 | tr '[:upper:]' '[:lower:]'))",
-            'require'   => 'File[/etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs]',
+            'command'   => 'rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406',
+            'unless'    => "rpm -q gpg-pubkey-$(echo $(gpg --homedir /root/.gnupg --with-colons /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406 2>&1 | grep ^pub | awk -F ':' '{print \$5}' | cut --characters=9-16 | tr '[:upper:]' '[:lower:]'))",
+            'require'   => 'File[/etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406]',
             'logoutput' => 'on_failure',
           }) }
 
@@ -85,12 +85,12 @@
 
           it { is_expected.to contain_class("puppet_agent::osfamily::suse") }
 
-          it { is_expected.to contain_file('/etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs').with({
+          it { is_expected.to contain_file('/etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406').with({
             'ensure' => 'present',
             'owner'  => '0',
             'group'  => '0',
             'mode'   => '0644',
-            'source' => 'puppet:///modules/puppet_agent/GPG-KEY-puppetlabs',
+            'source' => 'puppet:///modules/puppet_agent/GPG-KEY-puppet-20250406',
           }) }
 
           it { is_expected.to contain_file('/etc/pki/rpm-gpg/RPM-GPG-KEY-puppet').with({

diff --git a/tasks/install_shell.sh b/tasks/install_shell.sh
@@ -513,8 +513,8 @@ info "Downloading Puppet $version for ${platform}..."
 case $platform in
   "SLES")
     info "SLES platform! Lets get you an RPM..."
-    gpg_key="${tmp_dir}/RPM-GPG-KEY-puppet"
-    do_download "https://yum.puppet.com/RPM-GPG-KEY-puppet" "$gpg_key"
+    gpg_key="${tmp_dir}/RPM-GPG-KEY-puppet-20250406"
+    do_download "https://yum.puppet.com/GPG-KEY-puppet-20250406" "$gpg_key"
     rpm --import "$gpg_key"
     rm -f "$gpg_key"
     filetype="noarch.rpm"