(RE-7976) Update to use the new GPG key

files/RPM-GPG-KEY-puppet

@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFe2Iz4BEADqbv/nWmR26bsivTDOLqrfBEvRu9kSfDMzYh9Bmik1A8Z036Eg
+h5+TZD8Rrd5TErLQ6eZFmQXk9yKFoa9/C4aBjmsL/u0yeMmVb7/66i+x3eAYGLzV
+FyunArjtefZyxq0B2mdRHE8kwl5XGl8015T5RGHCTEhpX14O9yigI7gtliRoZcl3
+hfXtedcvweOf9VrV+t5LF4PrZejom8VcB5CE2pdQ+23KZD48+Cx/sHSLHDtahOTQ
+5HgwOLK7rBll8djFgIqP/UvhOqnZGIsg4MzTvWd/vwanocfY8BPwwodpX6rPUrD2
+aXPsaPeM3Q0juDnJT03c4i0jwCoYPg865sqBBrpOQyefxWD6UzGKYkZbaKeobrTB
+xUKUlaz5agSK12j4N+cqVuZUBAWcokXLRrcftt55B8jz/Mwhx8kl6Qtrnzco9tBG
+T5JN5vXMkETDjN/TqfB0D0OsLTYOp3jj4hpMpG377Q+6D71YuwfAsikfnpUtEBxe
+NixXuKAIqrgG8trfODV+yYYWzfdM2vuuYiZW9pGAdm8ao+JalDZss3HL7oVYXSJp
+MIjjhi78beuNflkdL76ACy81t2TvpxoPoUIG098kW3xd720oqQkyWJTgM+wV96bD
+ycmRgNQpvqHYKWtZIyZCTzKzTTIdqg/sbE/D8cHGmoy0eHUDshcE0EtxsQARAQAB
+tEhQdXBwZXQsIEluYy4gUmVsZWFzZSBLZXkgKFB1cHBldCwgSW5jLiBSZWxlYXNl
+IEtleSkgPHJlbGVhc2VAcHVwcGV0LmNvbT6JAj4EEwECACgFAle2Iz4CGwMFCQlm
+AYAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEH9DgoDvjTSfIN0P/jcCRzK8
+WIdhcNz5dkj7xRZb8Oft2yDfenQmzb1SwGGa96IwJFcjF4Nq7ymcDUqunS2DEDb2
+gCucsqmW1ubkaggsYbc9voz/SQwhsQpBjfWbuyOX9DWmW6av/aB1F85wP79gyfqT
+uidTGxQE6EhDbLe7tuvxOHfM1bKsUtI+0n9TALLLHfXUEdtaXCwMlJuO1IIn1PWa
+H7HzyEjw6OW/cy73oM9nuErBIio1O60slPLOW2XNhdWZJCRWkcXyuumRjoepz7WN
+1JgsLOTcB7rcQaBP3pDN0O/Om5dlDQ6oYitoJs/F0gfEgwK68Uy8k8sUR+FLLJqM
+o0CwOg6CeWU4ShAEd1xZxVYW6VOOKlz9x9dvjIVDn2SlTBDmLS99ySlQS57rjGPf
+GwlRUnuZP4OeSuoFNNJNb9PO6XFSP66eNHFbEpIoBU7phBzwWpTXNsW+kAcY8Rno
+8GzKR/2FRsxe5Nhfh8xy88U7BA0tqxWdqpk/ym+wDcgHBfSRt0dPFnbaHAiMRlgX
+J/NPHBQtkoEdQTKA+ICxcNTUMvsPDQgZcU1/ViLMN+6kZaGNDVcPeMgDvqxu0e/T
+b3uYiId38HYbHmD6rDrOQL/2VPPXbdGbxDGQUgX1DfdOuFXw1hSTilwI1KdXxUXD
+sCsZbchgliqGcI1l2En62+6pI2x5XQqqiJ7+
+=HpaX
+-----END PGP PUBLIC KEY BLOCK-----

manifests/osfamily/debian.pp

@@ -77,12 +77,16 @@
     }
   }
 
+  apt::key { 'legacy key':
+    id     => '47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30',
+    server => 'pgp.mit.edu',
+  }
 
   apt::source { 'pc_repo':
     location => $source,
     repos    => $::puppet_agent::collection,
     key      => {
-      'id'     => '47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30',
+      'id'     => '6F6B15509CF8E59E6E469F327F438280EF8D349F',
       'server' => 'pgp.mit.edu',
     },
     notify   => Notify['pc_repo_force'],

manifests/osfamily/redhat.pp

@@ -43,13 +43,34 @@
     }
   }
 
-  $keyname = 'RPM-GPG-KEY-puppetlabs'
+  $legacy_keyname = 'RPM-GPG-KEY-puppetlabs'
+  $legacy_gpg_path = "/etc/pki/rpm-gpg/${legacy_keyname}"
+  $keyname = 'RPM-GPG-KEY-puppet'
   $gpg_path = "/etc/pki/rpm-gpg/${keyname}"
+  $gpg_keys = "file://${legacy_gpg_path}
+  file://${gpg_path}"
 
   file { ['/etc/pki', '/etc/pki/rpm-gpg']:
     ensure => directory,
   }
 
+  file { $legacy_gpg_path:
+    ensure => present,
+    owner  => 0,
+    group  => 0,
+    mode   => '0644',
+    source => "puppet:///modules/puppet_agent/${legacy_keyname}",
+  }
+
+  # Given the path to a key, see if it is imported, if not, import it
+  exec {  "import-${legacy_keyname}":
+    path      => '/bin:/usr/bin:/sbin:/usr/sbin',
+    command   => "rpm --import ${legacy_gpg_path}",
+    unless    => "rpm -q gpg-pubkey-`echo $(gpg --throw-keyids < ${legacy_gpg_path}) | cut --characters=11-18 | tr [A-Z] [a-z]`",
+    require   => File[$legacy_gpg_path],
+    logoutput => 'on_failure',
+  }
+
   file { $gpg_path:
     ensure => present,
     owner  => 0,
@@ -72,7 +93,7 @@
     descr         => "Puppet Labs ${::puppet_agent::collection} Repository",
     enabled       => true,
     gpgcheck      => '1',
-    gpgkey        => "file://${gpg_path}",
+    gpgkey        => "${gpg_keys}",
     sslcacert     => $_sslcacert_path,
     sslclientcert => $_sslclientcert_path,
     sslclientkey  => $_sslclientkey_path,

manifests/osfamily/suse.pp

@@ -16,9 +16,11 @@
     }
     '11', '12': {
       # Import the GPG key
-      $keyname     = 'RPM-GPG-KEY-puppetlabs'
-      $gpg_path    = "/etc/pki/rpm-gpg/${keyname}"
-      $gpg_homedir = '/root/.gnupg'
+      $legacy_keyname  = 'RPM-GPG-KEY-puppetlabs'
+      $legacy_gpg_path = "/etc/pki/rpm-gpg/${legacy_keyname}"
+      $keyname         = 'RPM-GPG-KEY-puppet'
+      $gpg_path        = "/etc/pki/rpm-gpg/${keyname}"
+      $gpg_homedir     = '/root/.gnupg'
 
       file { ['/etc/pki', '/etc/pki/rpm-gpg']:
         ensure => directory,
@@ -32,17 +34,34 @@
         source => "puppet:///modules/puppet_agent/${keyname}",
       }
 
+      file { $legacy_gpg_path:
+        ensure => present,
+        owner  => 0,
+        group  => 0,
+        mode   => '0644',
+        source => "puppet:///modules/puppet_agent/${legacy_keyname}",
+      }
+
       # Given the path to a key, see if it is imported, if not, import it
+      $legacy_gpg_pubkey = "gpg-pubkey-$(echo $(gpg --homedir ${gpg_homedir} --throw-keyids < ${legacy_gpg_path})"
       $gpg_pubkey = "gpg-pubkey-$(echo $(gpg --homedir ${gpg_homedir} --throw-keyids < ${gpg_path})"
-      exec {  "import-${keyname}":
+
+      exec { "import-${legacy_keyname}":
+        path      => '/bin:/usr/bin:/sbin:/usr/sbin',
+        command   => "rpm --import ${legacy_gpg_path}",
+        unless    => "rpm -q ${legacy_gpg_pubkey} | cut --characters=11-18 | tr [A-Z] [a-z])",
+        require   => File[$legacy_gpg_path],
+        logoutput => 'on_failure',
+      }
+
+      exec { "import-${keyname}":
         path      => '/bin:/usr/bin:/sbin:/usr/sbin',
         command   => "rpm --import ${gpg_path}",
         unless    => "rpm -q ${gpg_pubkey} | cut --characters=11-18 | tr [A-Z] [a-z])",
         require   => File[$gpg_path],
         logoutput => 'on_failure',
       }
 
-
       # Set up a zypper repository by creating a .repo file which mimics a ini file
       $pe_server_version = pe_build_version()
       $source = "${::puppet_agent::source}/${pe_server_version}/${::platform_tag}"

spec/classes/puppet_agent_osfamily_debian_spec.rb

@@ -85,11 +85,16 @@
       'content'  => apt_settings.join(''),
     }) }
 
+    it { is_expected.to contain_apt__key('legacy key').with({
+      'id'     => '47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30',
+      'server' => 'pgp.mit.edu',
+    }) }
+
     it { is_expected.to contain_apt__source('pc_repo').with({
       'location' => 'https://master.example.vm:8140/packages/4.0.0/debian-7-x86_64',
       'repos'    => 'PC1',
       'key'      => {
-        'id'     => '47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30',
+        'id'     => '6F6B15509CF8E59E6E469F327F438280EF8D349F',
         'server' => 'pgp.mit.edu',
       },
     }) }
@@ -102,11 +107,16 @@
     it { is_expected.not_to contain_apt__setting('conf-pe-repo') }
     it { is_expected.not_to contain_apt__setting('list-puppet-enterprise-installer') }
 
+    it { is_expected.to contain_apt__key('legacy key').with({
+      'id'     => '47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30',
+      'server' => 'pgp.mit.edu',
+    }) }
+
     it { is_expected.to contain_apt__source('pc_repo').with({
       'location' => 'http://apt.puppetlabs.com',
       'repos'    => 'PC1',
       'key'      => {
-        'id'     => '47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30',
+        'id'     => '6F6B15509CF8E59E6E469F327F438280EF8D349F',
         'server' => 'pgp.mit.edu',
       },
     }) }

spec/classes/puppet_agent_osfamily_redhat_spec.rb

@@ -28,6 +28,14 @@
         'logoutput' => 'on_failure',
       }) }
 
+      it { is_expected.to contain_exec('import-RPM-GPG-KEY-puppet').with({
+        'path'      => '/bin:/usr/bin:/sbin:/usr/sbin',
+        'command'   => 'rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet',
+        'unless'    => 'rpm -q gpg-pubkey-`echo $(gpg --throw-keyids < /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet) | cut --characters=11-18 | tr [A-Z] [a-z]`',
+        'require'   => 'File[/etc/pki/rpm-gpg/RPM-GPG-KEY-puppet]',
+        'logoutput' => 'on_failure',
+      }) }
+
       ['/etc/pki', '/etc/pki/rpm-gpg'].each do |path|
         it { is_expected.to contain_file(path).with({
           'ensure' => 'directory',
@@ -42,13 +50,22 @@
         'source' => 'puppet:///modules/puppet_agent/RPM-GPG-KEY-puppetlabs',
       }) }
 
+      it { is_expected.to contain_file('/etc/pki/rpm-gpg/RPM-GPG-KEY-puppet').with({
+        'ensure' => 'present',
+        'owner'  => '0',
+        'group'  => '0',
+        'mode'   => '0644',
+        'source' => 'puppet:///modules/puppet_agent/RPM-GPG-KEY-puppet',
+      }) }
+
+
       context 'when FOSS' do
         it { is_expected.not_to contain_yumrepo('puppetlabs-pepackages').with_ensure('absent') }
         it { is_expected.to contain_yumrepo('pc_repo').with({
           'baseurl' => "https://yum.puppetlabs.com/#{urlbit}/PC1/x64",
           'enabled' => 'true',
             'gpgcheck' => '1',
-            'gpgkey' => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs',
+            'gpgkey' => "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs\n  file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet",
         }) }
 
         it { is_expected.to contain_class("puppet_agent::osfamily::redhat") }
@@ -87,7 +104,7 @@
         'baseurl' => "https://master.example.vm:8140/packages/4.0.0/#{repodir}",
         'enabled' => 'true',
         'gpgcheck' => '1',
-        'gpgkey' => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs',
+        'gpgkey' => "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs\n  file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet",
         'sslcacert' => '/etc/puppetlabs/puppet/ssl/certs/ca.pem',
         'sslclientcert' => '/etc/puppetlabs/puppet/ssl/certs/foo.example.vm.pem',
         'sslclientkey' => '/etc/puppetlabs/puppet/ssl/private_keys/foo.example.vm.pem',

spec/classes/puppet_agent_osfamily_suse_spec.rb

@@ -170,6 +170,14 @@
             'source' => 'puppet:///modules/puppet_agent/RPM-GPG-KEY-puppetlabs',
           }) }
 
+          it { is_expected.to contain_file('/etc/pki/rpm-gpg/RPM-GPG-KEY-puppet').with({
+            'ensure' => 'present',
+            'owner'  => '0',
+            'group'  => '0',
+            'mode'   => '0644',
+            'source' => 'puppet:///modules/puppet_agent/RPM-GPG-KEY-puppet',
+          }) }
+
           {
             'name'        => 'pc_repo',
             'enabled'      => '1',