MT#60283 Fix puppetlabs repository situation with puppet.gpg key

In jenkins-configs commit 765cbf270df321c8c08d567a9803064696c78028
AKA "TT#62000 Add puppet key to Grml-sipwise image" we
included the puppetlabs upstream key into our deployment ISO.

Updating the file is error prone and requires quite some effort
(including changes to jenkins-configs!), whenever the file needs to be
adjusted.  In commit 8647b3d7b5 we went
for usage of http://apt.puppetlabs.com/DEB-GPG-KEY-puppetlabs, which is
the *expired* key though. :-/

| % gpg DEB-GPG-KEY-puppetlabs
| gpg: WARNING: no command supplied.  Trying to guess what you mean ...
| pub   rsa4096/1054B7A24BD6EC30 2010-07-10 [SC] [expired: 2017-01-05]
|       47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30
| uid                           Puppet Labs Release Key (Puppet Labs Release Key) <info@puppetlabs.com>
|
| % md5sum DEB-GPG-KEY-puppetlabs
| 7b4ed31e1028f921b5c965df0a42e508  DEB-GPG-KEY-puppetlabs

So let's check for the expired key, and if present then retrieve the
*current* and proper repository key instead. But instead of using
upstream infra http://apt.puppetlabs.com/pubkey.gpg (which we don't have
under control on our own and might be unavailable during our
deployments), we placed a copy of the key on our own infrastructure:

| mprokop@jenkins1 ~www/files % wget --quiet -O puppetlabs-pubkey-2025.gpg http://apt.puppetlabs.com/pubkey.gpg
| mprokop@jenkins1 ~www/files % ls -lah puppetlabs-pubkey-2025.gpg
| -rw-r--r-- 1 mprokop sipwise 3.2K Apr  9 19:56 puppetlabs-pubkey-2025.gpg
| mprokop@jenkins1 ~www/files % gpg puppetlabs-pubkey-2025.gpg
| gpg: WARNING: no command supplied.  Trying to guess what you mean ...
| pub   rsa4096 2019-04-08 [SC]
|       D6811ED3ADEEB8441AF5AA8F4528B6CD9E61EF26
| uid           Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>
| sub   rsa4096 2019-04-08 [E]
| mprokop@jenkins1 ~www/files % md5sum puppetlabs-pubkey-2025.gpg
| d6368c2df370ff2093831daad16d9eeb  puppetlabs-pubkey-2025.gpg
| mprokop@jenkins1 ~www/files %

Given that the file puppet.gpg is also in the wrong format for direct
usage with apt-key with its gpg file extension, let's copy it as
puppet.asc then, as expected by apt.

FTR: this used to work in the past only, as in jenkins-config's
jobs/internal/grml/build_grml_image.sh we converted the key for usage as
puppet.gpg within apt, via:

| puppet_key='puppet.gpg'
| gpg --export --no-default-keyring --keyring /etc/apt/trusted.gpg \
|   --output "${puppet_key}" release@puppet.com

Change-Id: I7fe7dd20d89ed638112638930f578b6bb3783a5c
mr13.4
Michael Prokop 6 months ago
parent 463dd9c813
commit 3afd4c0e54
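The commit message describes the procedure by checksum only: identify the expired key by its MD5, fetch the replacement from deb.sipwise.com, and install armored keys as `.asc`. The following POSIX shell functions are an added example (not part of this commit or the Sipwise deployment scripts) that packages those steps so that the fetched file is verified before it becomes an apt trust anchor. The MD5 sums and the fingerprint are the ones quoted in the commit message; the `key_status`, `install_verified_key` and `key_fingerprint` names, the destination directory and any files used with them are assumptions made for the example. Only `md5sum` and `cut` from coreutils are required; `key_fingerprint` additionally needs `gpg`.

```shell
# Checksums quoted in the commit message for the two known puppet key files.
OUTDATED_MD5="7b4ed31e1028f921b5c965df0a42e508"   # Puppet Labs key from 2010, expired 2017-01-05
CURRENT_MD5="d6368c2df370ff2093831daad16d9eeb"    # Puppet, Inc. release key from 2019 (ASCII-armored)
# Fingerprint of the 2019 key, as printed by gpg in the commit message.
CURRENT_FPR="D6811ED3ADEEB8441AF5AA8F4528B6CD9E61EF26"

# Print the MD5 of a file (first field of md5sum output).
md5_of() {
  md5sum "$1" | cut -d' ' -f1
}

# Classify a key file by checksum; prints one of: outdated | current | unknown
key_status() {
  _sum=$(md5_of "$1") || return 1
  if [ "$_sum" = "$OUTDATED_MD5" ]; then
    echo outdated
  elif [ "$_sum" = "$CURRENT_MD5" ]; then
    echo current
  else
    echo unknown
  fi
}

# Copy a (downloaded or shipped) key into an apt trusted.gpg.d directory
# only if its checksum matches the expected value. Returns 1 and installs
# nothing on mismatch, so a truncated or replaced download never lands
# in apt's trust store.
install_verified_key() {
  _src=$1; _dest_dir=$2; _expected=$3
  _sum=$(md5_of "$_src") || return 1
  if [ "$_sum" != "$_expected" ]; then
    echo "refusing to install $_src: checksum $_sum, expected $_expected" >&2
    return 1
  fi
  mkdir -p "$_dest_dir"
  # apt reads ASCII-armored keys from trusted.gpg.d only under the .asc extension.
  cp "$_src" "$_dest_dir/puppet.asc"
}

# Stronger check than MD5 where gpg is available: print the primary key
# fingerprint of a key file (binary or armored) for comparison with
# CURRENT_FPR. Prints nothing and returns 1 if gpg is missing.
key_fingerprint() {
  command -v gpg >/dev/null 2>&1 || return 1
  gpg --show-keys --with-colons "$1" 2>/dev/null | awk -F: '/^fpr:/ { print $10; exit }'
}

# Example wiring (assumed paths; mirrors the branch structure in deployment.sh):
#   case "$(key_status /root/puppet.gpg)" in
#     outdated) wget -q -O /tmp/puppet.asc https://deb.sipwise.com/files/puppetlabs-pubkey-2025.gpg \
#                 && install_verified_key /tmp/puppet.asc "$TARGET/etc/apt/trusted.gpg.d" "$CURRENT_MD5" ;;
#     current)  install_verified_key /root/puppet.gpg "$TARGET/etc/apt/trusted.gpg.d" "$CURRENT_MD5" ;;
#     *)        echo "unexpected puppet key, aborting" >&2; exit 1 ;;
#   esac
```

The unknown case aborts rather than installing the file as `puppet.gpg`, because a file that matches neither checksum is exactly the situation in which a build should stop and a human should look at the key. Where `gpg` exists in the build environment, comparing `key_fingerprint` against `CURRENT_FPR` is the better test, since it checks the key material itself rather than the bytes of one particular export of it.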

@ -2488,7 +2488,17 @@ EOF
if [[ ! -f "${puppet_gpg}" ]]; then
die "Can't find ${puppet_gpg} file"
fi
cp "${puppet_gpg}" "${TARGET}/etc/apt/trusted.gpg.d/"
if echo "7b4ed31e1028f921b5c965df0a42e508 /root/puppet.gpg" | md5sum -c ; then
echo "Identified outdated puppetlabs key, fetching key (see MT#60283)"
wget https://deb.sipwise.com/files/puppetlabs-pubkey-2025.gpg -O "${TARGET}/etc/apt/trusted.gpg.d/puppet.asc"
elif echo "d6368c2df370ff2093831daad16d9eeb /root/puppet.gpg" | md5sum -c ; then
echo "Puppetlabs key seems to be in 'Public-Key (old)' format, installing as puppet.asc"
cp "${puppet_gpg}" "${TARGET}/etc/apt/trusted.gpg.d/puppet.asc"
else
echo "Installing Puppetlabs key as puppet.gpg"
cp "${puppet_gpg}" "${TARGET}/etc/apt/trusted.gpg.d/"
fi
grml-chroot "${TARGET}" apt-get update
grml-chroot "${TARGET}" apt-get -y install puppet-agent openssh-server lsb-release ntpsec-ntpdate
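Review bot: the two `md5sum -c` checks compare against the literal path `/root/puppet.gpg` while the surrounding lines (the `-f` test and both `cp` calls) use `"${puppet_gpg}"`; if the two ever differ, both checks fail quietly and the `else` branch installs whatever file is there as `puppet.gpg`. Use the variable in both checks, e.g. `echo "7b4ed31e1028f921b5c965df0a42e508  ${puppet_gpg}" | md5sum -c`. The `wget` in the first branch also writes the fetched file straight into `trusted.gpg.d` without checking it and without aborting on failure, so a truncated download or a changed file on deb.sipwise.com becomes an apt trust anchor unnoticed; verify the download against the expected `d6368c2df370ff2093831daad16d9eeb` checksum (or better, the `D6811ED3ADEEB8441AF5AA8F4528B6CD9E61EF26` fingerprint via `gpg --show-keys`) and `die` on mismatch or a non-zero wget exit. Minor: the second branch's message says the key is in 'Public-Key (old)' format, but per the commit message that checksum is the current 2019 release key in ASCII-armored form, which is the actual reason it needs the `.asc` name.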

@ -69,7 +69,7 @@ echo "${repo_addr}" > "${outside_fai_config}files/SIPWISE/${source_list_path}"
# get the puppet public key, so no need to download it in deployment.sh
puppet_key='puppet.gpg'
wget -O "${outside_fai_config}/files/PUPPETLABS/root/${puppet_key}" http://apt.puppetlabs.com/DEB-GPG-KEY-puppetlabs
wget -O "${outside_fai_config}/files/PUPPETLABS/root/${puppet_key}" https://deb.sipwise.com/files/puppetlabs-pubkey-2025.gpg
build_command=''
build_command+=" cp -rv /grml/config/ /code/grml-live/"
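Review bot: the new `wget` of `puppetlabs-pubkey-2025.gpg` replaces the expired upstream key but keeps the same unverified fetch: nothing checks what landed in `${puppet_key}`, and a failed or partial download does not stop the image build unless the script runs under `set -e`. Since the expected checksum (`d6368c2df370ff2093831daad16d9eeb`) and fingerprint (`D6811ED3ADEEB8441AF5AA8F4528B6CD9E61EF26`) are both stated in the commit message, check one of them right after the download and fail the job on mismatch, so deployment.sh (which selects its branch on that checksum) never sees an unexpected file. Naming: the file is still saved as `puppet.gpg` although it is ASCII-armored, which is exactly the extension mismatch the deployment.sh hunk then has to special-case; saving it as `puppet.asc` here would let deployment.sh install it without the checksum-based rename.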
