From 3afd4c0e54cfef5a7226c1c440ede2b34ec42e11 Mon Sep 17 00:00:00 2001 
From: Michael Prokop Date: Wed, 18 Jun 2025 23:46:54 +0200 Subject: [PATCH] MT#60283 Fix puppetlabs repository situation with puppet.gpg key In jenkins-configs commit 765cbf270df321c8c08d567a9803064696c78028 AKA "TT#62000 Add puppet key to Grml-sipwise image" we included the puppetlabs upstream key into our deployment ISO. Updating the file is error prone and requires quite some effort (including changes to jenkins-configs!), whenever the file needs to be adjusted. In commit 8647b3d7b501e9c79b7257a360e24eb33865f154 we went for usage of http://apt.puppetlabs.com/DEB-GPG-KEY-puppetlabs, which is the *expired* key though. :-/ | % gpg DEB-GPG-KEY-puppetlabs | gpg: WARNING: no command supplied. Trying to guess what you mean ... | pub rsa4096/1054B7A24BD6EC30 2010-07-10 [SC] [expired: 2017-01-05] | 47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30 | uid Puppet Labs Release Key (Puppet Labs Release Key) | | % md5sum DEB-GPG-KEY-puppetlabs | 7b4ed31e1028f921b5c965df0a42e508 DEB-GPG-KEY-puppetlabs So let's check for the expired key, and if present then retrieve the *current* and proper repository key instead. But instead of using upstream infra http://apt.puppetlabs.com/pubkey.gpg (which we don't have under control on our own and might be unavailable during our deployments), we placed a copy of the key on our own infrastructure: | mprokop@jenkins1 ~www/files % wget --quiet -O puppetlabs-pubkey-2025.gpg http://apt.puppetlabs.com/pubkey.gpg | mprokop@jenkins1 ~www/files % ls -lah puppetlabs-pubkey-2025.gpg | -rw-r--r-- 1 mprokop sipwise 3.2K Apr 9 19:56 puppetlabs-pubkey-2025.gpg | mprokop@jenkins1 ~www/files % gpg puppetlabs-pubkey-2025.gpg | gpg: WARNING: no command supplied. Trying to guess what you mean ... | pub rsa4096 2019-04-08 [SC] | D6811ED3ADEEB8441AF5AA8F4528B6CD9E61EF26 | uid Puppet, Inc. Release Key (Puppet, Inc. 
Release Key) | sub rsa4096 2019-04-08 [E] | mprokop@jenkins1 ~www/files % md5sum puppetlabs-pubkey-2025.gpg | d6368c2df370ff2093831daad16d9eeb puppetlabs-pubkey-2025.gpg | mprokop@jenkins1 ~www/files % Given that the file puppet.gpg is also in the wrong format for direct usage with apt-key with its gpg file extension, let's copy it as puppet.asc then, as expected by apt. FTR: this used to work in the past only, as in jenkins-config's jobs/internal/grml/build_grml_image.sh we converted the key for usage as puppet.gpg within apt, via: | puppet_key='puppet.gpg' | gpg --export --no-default-keyring --keyring /etc/apt/trusted.gpg \ | --output "${puppet_key}" release@puppet.com Change-Id: I7fe7dd20d89ed638112638930f578b6bb3783a5c
---
 templates/scripts/includes/deployment.sh | 12 +++++++++++-
 wrapper.sh | 2 +-
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/templates/scripts/includes/deployment.sh b/templates/scripts/includes/deployment.sh
index d43e98e..f8fbf45 100755
--- a/templates/scripts/includes/deployment.sh
+++ b/templates/scripts/includes/deployment.sh
@@ -2488,7 +2488,17 @@ EOF
 if [[ ! -f "${puppet_gpg}" ]]; then
 die "Can't find ${puppet_gpg} file"
 fi
- cp "${puppet_gpg}" "${TARGET}/etc/apt/trusted.gpg.d/"
+
+ if echo "7b4ed31e1028f921b5c965df0a42e508 /root/puppet.gpg" | md5sum -c ; then
+ echo "Identified outdated puppetlabs key, fetching key (see MT#60283)"
+ wget https://deb.sipwise.com/files/puppetlabs-pubkey-2025.gpg -O "${TARGET}/etc/apt/trusted.gpg.d/puppet.asc"
+ elif echo "d6368c2df370ff2093831daad16d9eeb /root/puppet.gpg" | md5sum -c ; then
+ echo "Puppetlabs key seems to be in 'Public-Key (old)' format, installing as puppet.asc"
+ cp "${puppet_gpg}" "${TARGET}/etc/apt/trusted.gpg.d/puppet.asc"
+ else
+ echo "Installing Puppetlabs key as puppet.gpg"
+ cp "${puppet_gpg}" "${TARGET}/etc/apt/trusted.gpg.d/"
+ fi
 grml-chroot "${TARGET}" apt-get update
 grml-chroot "${TARGET}" apt-get -y install puppet-agent openssh-server lsb-release ntpsec-ntpdate
diff --git a/wrapper.sh b/wrapper.sh
index df471d6..dc70441 100755
--- a/wrapper.sh
+++ b/wrapper.sh
@@ -69,7 +69,7 @@ echo "${repo_addr}" > "${outside_fai_config}files/SIPWISE/${source_list_path}"
 # get the puppet public key, so no need to download it in deployment.sh
 puppet_key='puppet.gpg'
-wget -O "${outside_fai_config}/files/PUPPETLABS/root/${puppet_key}" http://apt.puppetlabs.com/DEB-GPG-KEY-puppetlabs
+wget -O "${outside_fai_config}/files/PUPPETLABS/root/${puppet_key}" https://deb.sipwise.com/files/puppetlabs-pubkey-2025.gpg
 build_command=''
 build_command+=" cp -rv /grml/config/ /code/grml-live/"
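Review bot: Both `md5sum -c` lines hard-code `/root/puppet.gpg` while the `-f` test, the `die` message and both `cp` calls in the same block use `"${puppet_gpg}"`; should the variable ever point elsewhere, `md5sum -c` fails on the missing file and an expired key silently falls through to the `else` branch and gets installed. The outdated-key branch also writes whatever `wget` produces into `trusted.gpg.d` without checking its exit status or content, so a failed or truncated download surfaces, if at all, only at the later `apt-get update`; the same unchecked `wget` appears in the wrapper.sh hunk below. The commit message already records the expected md5 `d6368c2df370ff2093831daad16d9eeb` for the replacement key, and its fingerprint `D6811ED3ADEEB8441AF5AA8F4528B6CD9E61EF26` would be the stronger value to compare (e.g. against `gpg --show-keys --with-fingerprint` output) before the file becomes an apt trust anchor. I would use `"${puppet_gpg}"` in both checks, add `--status` so `md5sum -c` stops printing `OK`/`FAILED` lines, and fail via `die` when the download or its checksum is not as expected. The enclosing block starts and ends outside the hunk.
```shell
  if echo "7b4ed31e1028f921b5c965df0a42e508 ${puppet_gpg}" | md5sum --status -c ; then
    echo "Identified outdated puppetlabs key, fetching key (see MT#60283)"
    wget -O "${TARGET}/etc/apt/trusted.gpg.d/puppet.asc" https://deb.sipwise.com/files/puppetlabs-pubkey-2025.gpg \
      || die "Failed to fetch puppetlabs key (see MT#60283)"
    # verify the fetched key against the checksum recorded in MT#60283 before apt trusts it
    echo "d6368c2df370ff2093831daad16d9eeb ${TARGET}/etc/apt/trusted.gpg.d/puppet.asc" | md5sum --status -c \
      || die "Fetched puppetlabs key does not match the expected checksum"
  elif echo "d6368c2df370ff2093831daad16d9eeb ${puppet_gpg}" | md5sum --status -c ; then
    # … unchanged: install as puppet.asc …
  else
    # … unchanged: install as puppet.gpg …
  fi
```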
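Review bot: The context comment `# get the puppet public key, so no need to download it in deployment.sh` above the replaced `wget` is no longer accurate, because the deployment.sh hunk in this same patch adds a `wget` fallback for images that still carry the expired key. Per the commit message the fetched file is also not in the format its `puppet.gpg` name implies, which is why deployment.sh has to install it as puppet.asc; that detour deserves a sentence here too. I would reword the comment to `# ship the current puppetlabs key in the image (not a binary keyring despite the .gpg name; deployment.sh installs it as puppet.asc and only re-downloads it when an image still carries the expired key, see MT#60283)`.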