(PA-7437) Drop expired key and rotate "current" key #771

Merged: 5 commits, Apr 9, 2025

Conversation

joshcooper (Contributor) commented Apr 8, 2025

  • Drop expired GPG-KEY-puppet-20250406
  • Rotate GPG-KEY-puppet to be the current key
  • Update beaker tests to install released packages since nightly release packages don't work due to the 20250406 key expiration.

@joshcooper joshcooper force-pushed the gpgkey branch 2 times, most recently from fc309c0 to dfcfa39 April 9, 2025 04:53
@joshcooper joshcooper marked this pull request as ready for review April 9, 2025 05:41
@joshcooper joshcooper requested review from bastelfreak and a team as code owners April 9, 2025 05:41
@joshcooper joshcooper marked this pull request as draft April 9, 2025 06:15
@joshcooper joshcooper marked this pull request as ready for review April 9, 2025 07:59
The GPG-KEY-puppet key expired 2025-01-02. Update it with the current one that
doesn't expire:

Before

```
$ openssl sha256 -r files/GPG-KEY-puppet
7908698a5b6c4ff2d555edd1a6d594d1c2071481e1e1f7fd753274a1ab201675 *files/GPG-KEY-puppet
$ gpg --show-keys  --with-fingerprint --with-subkey-fingerprint files/GPG-KEY-puppet
pub   rsa4096 2016-08-18 [SC] [expired: 2025-01-02]
      6F6B 1550 9CF8 E59E 6E46  9F32 7F43 8280 EF8D 349F
uid                      Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>
```

After

```
$ openssl sha256 -r files/GPG-KEY-puppet
246d96c86c5a322c2a5e63b2072a238508ad3c2c29795ea56a51a3d355514aca *files/GPG-KEY-puppet
$ gpg --show-keys  --with-fingerprint --with-subkey-fingerprint files/GPG-KEY-puppet
pub   rsa4096 2019-04-08 [SC]
      D681 1ED3 ADEE B844 1AF5  AA8F 4528 B6CD 9E61 EF26
uid                      Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>
sub   rsa4096 2019-04-08 [E]
      90A2 9D0A 6576 E2CA 185A  ED3E F230 A24E 9F05 7A83
```

The new key matches other locations:

```
$ curl -sL https://apt.puppet.com/DEB-GPG-KEY-future | openssl sha256 -r
246d96c86c5a322c2a5e63b2072a238508ad3c2c29795ea56a51a3d355514aca *stdin
$ curl -sL https://yum.puppet.com/RPM-GPG-KEY-puppet | openssl sha256 -r
246d96c86c5a322c2a5e63b2072a238508ad3c2c29795ea56a51a3d355514aca *stdin
$ curl -sL https://yum-puppetcore.puppet.com/public/RPM-GPG-KEY-puppet | openssl sha256 -r
246d96c86c5a322c2a5e63b2072a238508ad3c2c29795ea56a51a3d355514aca *stdin
```
The key expired 2025-04-06, so delete it.

Update manifests and task to refer to GPG-KEY-puppet that was rotated in the
previous commit.

The `set_up_initial_agent_on` method is only ever called with the name of the
collection, so remove the code that allowed an arbitrary version to be specified.

The release packages on nightlies.puppet.com contain the wrong GPG key and since
those repos won't be updated, just use the previously released packages for now.

The puppet6 deb release packages contain a gpg keyring with a key that expired
2025-04-06. If the release package is installed, then future apt-get update
commands will report errors:

```
$ wget https://apt.puppet.com/puppet6-release-bullseye.deb
$ dpkg-deb -c puppet6-release-bullseye.deb | grep keyring
-rw-r--r-- root/root     10352 2022-12-09 23:52 ./etc/apt/trusted.gpg.d/puppet6-keyring.gpg
$ sudo dpkg -i puppet6-release-bullseye.deb
$ sudo apt-get update
Hit:1 http://deb.debian.org/debian bullseye InRelease
Get:2 http://apt.puppetlabs.com bullseye InRelease [83.8 kB]
Err:2 http://apt.puppetlabs.com bullseye InRelease
  The following signatures were invalid: EXPKEYSIG 4528B6CD9E61EF26 Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>
```

Since puppet6 has been EOL for many years and we're not going to reissue
puppet6 release packages, drop puppet 6 to puppet 7 upgrade tests in the
puppet_agent module.
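As an added example (not part of this PR or the puppet_agent module), a Python check that parses the `gpg --show-keys --with-fingerprint` output quoted in the commit messages above, flags keys carrying an `[expired: ...]` marker, and maps the 16-hex-digit key ID that apt prints in an EXPKEYSIG error back to a full fingerprint. The sample strings are the outputs and error line shown on this page; the `--with-subkey-fingerprint` layout is assumed to stay as shown.

```python
import re

# Sample input: the gpg output quoted in the PR for the old (expired) and
# new GPG-KEY-puppet files.
SAMPLE_OLD = """\
pub   rsa4096 2016-08-18 [SC] [expired: 2025-01-02]
      6F6B 1550 9CF8 E59E 6E46  9F32 7F43 8280 EF8D 349F
uid                      Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>
"""
SAMPLE_NEW = """\
pub   rsa4096 2019-04-08 [SC]
      D681 1ED3 ADEE B844 1AF5  AA8F 4528 B6CD 9E61 EF26
uid                      Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>
sub   rsa4096 2019-04-08 [E]
      90A2 9D0A 6576 E2CA 185A  ED3E F230 A24E 9F05 7A83
"""
# The apt-get update error line quoted in the PR.
APT_ERR = ("  The following signatures were invalid: EXPKEYSIG 4528B6CD9E61EF26 "
           "Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>")

# "pub   rsa4096 2016-08-18 [SC] [expired: 2025-01-02]" -> kind, algo, created, usage, expiry
KEY_LINE = re.compile(r"^(pub|sub)\s+(\S+)\s+(\d{4}-\d{2}-\d{2})\s+\[([A-Z]+)\]"
                      r"(?:\s+\[expired: (\d{4}-\d{2}-\d{2})\])?")
# Indented fingerprint line: ten 4-hex-digit groups (gpg double-spaces the middle).
FPR_LINE = re.compile(r"^\s+((?:[0-9A-F]{4}\s*){10})$")

def parse_show_keys(output):
    """Return one dict per pub/sub key, attaching the fingerprint line that follows it."""
    keys, current = [], None
    for line in output.splitlines():
        m = KEY_LINE.match(line)
        if m:
            current = {"kind": m.group(1), "algo": m.group(2), "created": m.group(3),
                       "usage": m.group(4), "expired": m.group(5), "fingerprint": None}
            keys.append(current)
            continue
        m = FPR_LINE.match(line)
        if m and current is not None and current["fingerprint"] is None:
            current["fingerprint"] = m.group(1).replace(" ", "")
    return keys

def expired_keys(output):
    """Keys a CI check should reject before the key file is shipped."""
    return [k for k in parse_show_keys(output) if k["expired"]]

def long_key_id(fingerprint):
    """gpg/apt report the 64-bit key ID: the last 16 hex digits of the fingerprint."""
    return fingerprint[-16:]

def key_in_apt_error(fingerprint, apt_line):
    """True when an EXPKEYSIG/BADSIG/NO_PUBKEY line names this key."""
    m = re.search(r"\b(EXPKEYSIG|BADSIG|NO_PUBKEY)\s+([0-9A-F]{16})\b", apt_line)
    return bool(m) and m.group(2) == long_key_id(fingerprint)
```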
@joshcooper joshcooper changed the title Drop expired key and rotate "current" key (PA-7437) Drop expired key and rotate "current" key Apr 9, 2025
@mhashizume mhashizume added the bug Something isn't working label Apr 9, 2025
@mhashizume mhashizume merged commit 29992a8 into puppetlabs:main Apr 9, 2025
16 checks passed
@joshcooper joshcooper deleted the gpgkey branch April 10, 2025 15:57