Expired GPG Key for Puppet 8 Repository #9550

CommitThisLater opened this issue Apr 8, 2025 · 9 comments
@CommitThisLater

I’m currently encountering an issue with the Puppet 8 repository where the GPG keys for package verification have expired. Specifically, the following keys are expired:

root@test:~# wget https://apt.puppet.com/puppet8-release-jammy.deb
root@test:~# dpkg-deb -x puppet8-release-jammy.deb /tmp/package-extracted
root@test:~# apt-key add /tmp/package-extracted/etc/apt/trusted.gpg.d/puppet8-keyring.gpg

pub rsa4096 2019-04-08 [SC] [expired: 2025-04-06]
D681 1ED3 ADEE B844 1AF5 AA8F 4528 B6CD 9E61 EF26
uid [ expired] Puppet, Inc. Release Key (Puppet, Inc. Release Key) [email protected]

@swer21

swer21 commented Apr 8, 2025

I have the same issue with Puppet 7 Repository.

cat /etc/apt/sources.list.d/puppet7-release.list
# Puppet 7 noble Repository
deb http://apt.puppet.com noble puppet7

apt update
Hit:1 http://archive.ubuntu.com/ubuntu noble InRelease
Hit:2 http://archive.ubuntu.com/ubuntu noble-updates InRelease
Hit:3 http://security.ubuntu.com/ubuntu noble-security InRelease
Hit:4 http://archive.ubuntu.com/ubuntu noble-backports InRelease
Hit:5 http://packages.mozilla.org/apt mozilla InRelease
Get:6 http://apt.puppet.com noble InRelease [56.1 kB]
Err:6 http://apt.puppet.com noble InRelease
  The following signatures were invalid: EXPKEYSIG 4528B6CD9E61EF26 Puppet, Inc. Release Key (Puppet, Inc. Release Key) <[email protected]>
Reading package lists...

apt-key list
/etc/apt/trusted.gpg.d/mozilla.gpg
----------------------------------
pub   rsa2048 2021-05-04 [SC]
      35BA A0B3 3E9E B396 F59C  A838 C0BA 5CE6 DC63 15A3
uid           [ unknown] Artifact Registry Repository Signer <[email protected]>

/etc/apt/trusted.gpg.d/puppet7-keyring.gpg
------------------------------------------
pub   rsa4096 2013-02-06 [SC] [expired: 2019-02-11]
      8735 F5AF 62A9 9A62 8EC1  3377 B8F9 99C0 07BB 6C57
uid           [ expired] Puppet Labs Nightly Build Key (Puppet Labs Nightly Build Key) <[email protected]>
uid           [ expired] Puppet Labs Nightly Build Key (Puppet Labs Nightly Build Key) <[email protected]>

pub   rsa4096 2016-08-18 [SC] [expired: 2021-08-17]
      6F6B 1550 9CF8 E59E 6E46  9F32 7F43 8280 EF8D 349F
uid           [ expired] Puppet, Inc. Release Key (Puppet, Inc. Release Key) <[email protected]>

pub   rsa4096 2019-04-08 [SC] [expired: 2025-04-06]
      D681 1ED3 ADEE B844 1AF5  AA8F 4528 B6CD 9E61 EF26
uid           [ expired] Puppet, Inc. Release Key (Puppet, Inc. Release Key) <[email protected]>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
------------------------------------------------------
pub   rsa4096 2012-05-11 [SC]
      8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092
uid           [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <[email protected]>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
------------------------------------------------------
pub   rsa4096 2018-09-17 [SC]
      F6EC B376 2474 EDA9 D21B  7022 8719 20D1 991B C93C
uid           [ unknown] Ubuntu Archive Automatic Signing Key (2018) <[email protected]>

@HaveFun83

same here

@taniahagan

Also seeing on Jammy

@MaadixNet

Yes. Key expired on April 6.
Hope somebody is fixing it ASAP.

@xacosta000

You can use https://apt.puppet.com/DEB-GPG-KEY-future as it doesn't have an expiration date.

For APT-based OS (/etc/apt):

curl https://apt.puppet.com/DEB-GPG-KEY-future | gpg -o /etc/apt/trusted.gpg.d/puppet.gpg --dearmor

@alikhil

alikhil commented Apr 9, 2025

It seems like the puppet-tools-release-*.deb files need re-signing with a newer key; I keep getting errors with code like this:

RUN curl -fsSL https://apt.puppet.com/DEB-GPG-KEY-future | sudo gpg -o /etc/apt/trusted.gpg.d/puppet.gpg --dearmor

RUN echo ok && \
    curl --silent --show-error https://apt.puppet.com/puppet-tools-release-focal.deb --output /tmp/puppet-tools-release.deb && \
    dpkg -i /tmp/puppet-tools-release.deb && \
    apt update && \
    apt -y install puppet-bolt

Error log:

6.339 Err:2 http://apt.puppet.com focal InRelease
6.339   The following signatures were invalid: EXPKEYSIG 4528B6CD9E61EF26 Puppet, Inc. Release Key (Puppet, Inc. Release Key) <[email protected]>
7.843 Reading package lists...
8.854 W: GPG error: http://apt.puppet.com focal InRelease: The following signatures were invalid: EXPKEYSIG 4528B6CD9E61EF26 Puppet, Inc. Release Key (Puppet, Inc. Release Key) <[email protected]>
8.854 E: The repository 'http://apt.puppet.com focal InRelease' is not signed.
------
Dockerfile:91
--------------------
  90 |     
  91 | >>> RUN echo ok && \
  92 | >>>     curl --silent --show-error https://apt.puppet.com/puppet-tools-release-focal.deb --output /tmp/puppet-tools-release.deb && \
  93 | >>>     dpkg -i /tmp/puppet-tools-release.deb && \
  94 | >>>     apt update && \
  95 | >>>     apt -y install puppet-bolt
  96 |     

@house-of-vanity

Hi, finally installed with

RUN curl -s https://apt.puppet.com/keyring.gpg | gpg --dearmor -o /usr/share/keyrings/puppet-keyring.gpg && \
    echo "deb [signed-by=/usr/share/keyrings/puppet-keyring.gpg] http://apt.puppet.com/ focal puppet" > /etc/apt/sources.list.d/puppet.list && \
    apt-get update && apt-get install -y puppet-bolt

@xacosta000

They have released a new keyring and new puppet package files.

@zerogtw

zerogtw commented Apr 16, 2025

I have the same problem. Is there an official solution?

$ wget https://apt.puppetlabs.com/puppet6-release-xenial.deb
$ sudo dpkg -i puppet6-release-xenial.deb
$ sudo apt-get update

Get:1 http://apt.puppetlabs.com xenial InRelease [144 kB]
Ign:1 http://apt.puppetlabs.com xenial InRelease                                                                                       
Hit:2 http://archive.ubuntu.com/ubuntu xenial InRelease                                                                          
Hit:3 http://security.ubuntu.com/ubuntu xenial-security InRelease       
Hit:4 http://archive.ubuntu.com/ubuntu xenial-updates InRelease         
Hit:5 http://archive.ubuntu.com/ubuntu xenial-backports InRelease
Fetched 144 kB in 0s (192 kB/s)                   
Reading package lists... Done
W: GPG error: http://apt.puppetlabs.com xenial InRelease: The following signatures were invalid: KEYEXPIRED 1743975562  KEYEXPIRED 1743975562  KEYEXPIRED 1743975562
W: The repository 'http://apt.puppetlabs.com xenial InRelease' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
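
Added example (not part of the thread and not Puppet's own tooling): a shell check that reads `gpg --with-colons` key listings and flags primary keys and subkeys that are expired or expire within a warning window, which is the condition behind the `EXPKEYSIG` and `KEYEXPIRED 1743975562` errors above. The function names and sample records are constructed for illustration; only the key ID `4528B6CD9E61EF26` and its expiry timestamp come from the thread.

```shell
#!/bin/sh
# Added example: report expired / soon-to-expire OpenPGP keys in APT keyrings.

# Read `gpg --with-colons` records on stdin.
# $1 = current time (epoch seconds), $2 = warning window in days.
# Prints "STATUS TYPE KEYID EXPIRY" for every pub/sub record.
# Colon format: field 1 = record type, field 5 = key ID, field 7 = expiry (epoch).
classify_keys() {
  awk -F: -v now="$1" -v days="$2" '
    $1 == "pub" || $1 == "sub" {
      expiry = $7
      if (expiry == "")                            status = "NOEXPIRY"
      else if (expiry + 0 <= now + 0)              status = "EXPIRED"
      else if (expiry + 0 <= now + days * 86400)   status = "EXPIRING"
      else                                         status = "OK"
      print status, $1, $5, (expiry == "" ? "-" : expiry)
    }'
}

# Audit keyring files in the usual APT locations (binary or armored).
# $1 = warning window in days (default 30). Requires gpg with --show-keys.
audit_apt_keyrings() {
  window="${1:-30}"
  now=$(date +%s)
  for f in /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/* \
           /etc/apt/keyrings/* /usr/share/keyrings/*; do
    [ -f "$f" ] || continue
    gpg --batch --show-keys --with-colons "$f" 2>/dev/null \
      | classify_keys "$now" "$window" \
      | while read -r line; do printf '%s %s\n' "$f" "$line"; done
  done
}

# Constructed sample records. Key ID and expiry of the first line are from the
# thread; creation times and the other three keys are made up for the demo.
sample_colons() {
  cat <<'EOF'
pub:e:4096:1:4528B6CD9E61EF26:1554700000:1743975562::-:::sc::::::23::0:
pub:-:4096:1:AAAAAAAAAAAAAAAA:1700000000:1745000000::-:::scESC::::::23::0:
sub:-:4096:1:BBBBBBBBBBBBBBBB:1700000000::::::s::::::23:
pub:-:4096:1:CCCCCCCCCCCCCCCC:1700000000:1900000000::-:::scESC::::::23::0:
EOF
}

# Demo on the sample, evaluated as of 2025-04-16 00:00:00 UTC (1744761600).
sample_colons | classify_keys 1744761600 30
```

On a real host, call `audit_apt_keyrings 90` to list every key in the APT trust locations with its status; running it on a schedule surfaces an approaching expiry before `apt update` starts rejecting the repository.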
