Details
- Type: Task
- Status: Closed
- Priority: Blocker
- Resolution: Done
- Affects Version/s: None
- Fix Version/s: 2017/08/02
- Component/s: Releases
- Labels: None
- Environment: Debian
- Team: Release Engineering
Description
Please support us with a new Key for your repository, because the current one expires on July 8th:
gpg --fingerprint 1054b7a24bd6ec30
pub 4096R/4BD6EC30 2010-07-10 [expires: 2016-07-08]
Key fingerprint = 47B3 20EB 4C7C 375A A9DA E1A0 1054 B7A2 4BD6 EC30
uid Puppet Labs Release Key (Puppet Labs Release Key) <info@puppetlabs.com>
Thank you
Andreas
Issue Links
- relates to: CPR-419 ubuntu xenial update failure (Closed)
Activity
This key is set to expire in less than a month from now, any progress?
It seems the key has expired:
W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://apt.puppetlabs.com wheezy Release: The following signatures were invalid: KEYEXPIRED 1468001658
W: Failed to fetch http://apt.puppetlabs.com/dists/wheezy/Release
(BTW, is it normal that I, a simple user, can make any change to the bug as if I was the reporter or an admin?)
Ryan McKern I thought we fixed this?
I believe this is fixed. However, existing systems wouldn't pick up on the fact that the key expiry has changed. So anything that still has the 'old' key in it will now get super antsy.
Correct:
$ wget -q http://apt.puppetlabs.com/dists/wheezy/Release
$ wget -q http://apt.puppetlabs.com/dists/wheezy/Release.gpg
$ gpg --recv-keys 4BD6EC30
$ gpg Release.gpg
Detached signature.
Please enter name of data file: Release
gpg: Signature made Fri Jul 8 01:43:06 2016 CEST using RSA key ID 4BD6EC30
gpg: Good signature from "Puppet Labs Release Key (Puppet Labs Release Key) <info@puppetlabs.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 47B3 20EB 4C7C 375A A9DA E1A0 1054 B7A2 4BD6 EC30
asl@fraise /tmp $ gpg --list-key 4BD6EC30
pub 4096R/4BD6EC30 2010-07-10 [expires: 2017-01-05]
uid [ unknown] Puppet Labs Release Key (Puppet Labs Release Key) <info@puppetlabs.com>
pub 4096R/4BD6EC30 2010-07-10 [revoked: 2014-09-11]
uid [ revoked] Puppet Labs Release Key (Puppet Labs Release Key) <info@puppetlabs.com>
So:
$ apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4BD6EC30
$ apt-get update
(OK)
But it will have to be done another time in 6 months.
I think using a newer key might be simpler, as we push the apt repo via puppet, I'm unsure if there is a "refresh key" setting. Adding a new key is far easier...
There's no such concept. I guess it could be added. Normally we only treat different fingerprints as something for apt::key to act on and nothing else. Changing the expiry of a key is uncommon enough of a practice that I don't think it warrants the extra work.
I concur (I always wanted to say that). A new key at the expiration of the old one seems to me the best path.
This has hit my organization - we're no longer able to pick up puppet client updates due to the expired key. (We use the apt puppet module to set up the repo, and ensure => 'latest' on the agent package)
A quick fix would be something like this:
exec { 'refresh-puppet-apt-key':
  command => '/usr/bin/apt-key adv --recv-keys --keyserver pool.sks-keyservers.net 47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30 && touch /var/lib/something/a-file.txt',
  onlyif  => '/bin/test ! -f /var/lib/something/a-file.txt',
}
Aaaaaand we just got hit by this.
We had to follow these directions as a stopgap.
sudo su
apt-key list | grep -B1 puppet
sudo apt-key del 4096R/4BD6EC30 # Serial from previous
wget -O - https://downloads.puppetlabs.com/puppetlabs-gpg-signing-key.pub | gpg --import
wget --quiet -O - https://downloads.puppetlabs.com/puppetlabs-gpg-signing-key.pub | sudo apt-key add -
Only then could we run the installer.
Hi All,
You can use the below class to update the key details:
class puppetlabs {
  # Gets the Puppet key from keyserver.ubuntu.com; once the machine is part of this class it automatically checks and updates the key
  case $::operatingsystem {
    ubuntu,debian,linuxmint: {
      $key = "4BD6EC30"
      exec { 'apt-key puppetlabs':
        path    => "/bin:/usr/bin",
        unless  => "apt-key list | grep '${key}' | grep -v expired",
        command => "apt-key adv --keyserver keyserver.ubuntu.com --recv-keys ${key}",
      }
    }
  }
}
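The class above keys its "unless" check on grepping the word "expired" out of apt-key's human-readable output. As an added example that is not code from the ticket or from Puppet, the shell function below reads gpg's machine-readable listing instead (the data behind "apt-key list") and reports keys that are expired, revoked, or within a chosen number of days of expiry; the sample listing is constructed from the key IDs and dates quoted in this thread, and the filler fields, the zero-padded long ID for the nightly key, and the gpg invocation in the comment are assumptions.

```shell
#!/bin/sh
# Added example, not code from the ticket: scan gpg's --with-colons key listing
# for keys that are expired, revoked or close to expiry. "pub" record fields:
#   $1 type, $2 validity (e=expired, r=revoked), $5 long key ID,
#   $6 creation epoch, $7 expiry epoch (empty when the key never expires).

# Constructed sample. Key IDs and dates are the ones quoted in this thread
# (4BD6EC30 expiring at KEYEXPIRED 1483574797 = 2017-01-05; nightly key
# 07BB6C57 until 2019-02-11; EF8D349F until 2021-08-17). The nightly key's
# long ID is zero-padded as a placeholder (only the short ID appears in the
# thread); other fields are assumed filler, and fpr/sub records are omitted.
SAMPLE_LISTING='pub:e:4096:1:1054B7A24BD6EC30:1278720000:1483574797::-:::sc::::::23::0:
uid:e::::1278720000::::Puppet Labs Release Key (Puppet Labs Release Key) <info@puppetlabs.com>::::::::::0:
pub:-:4096:1:0000000007BB6C57:1360108800:1549843200::-:::sc::::::23::0:
uid:-::::1360108800::::Puppet Labs Nightly Build Key (Puppet Labs Nightly Build Key) <info@puppetlabs.com>::::::::::0:
pub:-:4096:1:7F438280EF8D349F:1471478400:1629158400::-:::scSC::::::23::0:
uid:-::::1471478400::::Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>::::::::::0:'

# report_key_expiry LISTING [HORIZON_DAYS] [NOW_EPOCH]
# Prints "SHORTID EXPIRY_EPOCH STATE" for every key that is revoked, already
# expired, or expires within HORIZON_DAYS (default 30) of NOW_EPOCH (default:
# current time). Keys in good standing print nothing, so a non-empty result
# is the signal that the keyring needs attention.
report_key_expiry() {
  listing=$1
  horizon=$(( ${2:-30} * 86400 ))
  now=${3:-$(date +%s)}
  printf '%s\n' "$listing" | awk -F: -v now="$now" -v horizon="$horizon" '
    $1 == "pub" {
      shortid = substr($5, length($5) - 7)      # last 8 hex digits, as apt-key shows them
      expiry = ($7 == "") ? "never" : $7
      if ($2 == "r") state = "revoked"
      else if ($2 == "e" || ($7 != "" && $7 + 0 <= now + 0)) state = "expired"
      else if ($7 != "" && $7 - now <= horizon) state = "expiring"
      else next
      print shortid, expiry, state
    }'
}

# Against a live system (assumed invocation; needs gpg installed):
#   report_key_expiry "$(gpg --no-default-keyring --keyring /etc/apt/trusted.gpg \
#                        --list-keys --with-colons)" 30
report_key_expiry "$SAMPLE_LISTING" 30
```

Passing a fixed NOW_EPOCH makes the check reproducible in tests; with the sample above and a 30-day horizon, the nightly key is reported as "expiring" only once the clock is within a month of 2021-08-17.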
The key with ID 4BD6EC30 expired again. We're using Puppet Enterprise 2016.2.1 on Ubuntu 16.04:
apt-key list:
pub 4096R/4BD6EC30 2010-07-10 [expired: 2017-01-05]
uid Puppet Labs Release Key (Puppet Labs Release Key) <info@puppetlabs.com>
aptitude update
Get: 1 file:/opt/puppetlabs/server/data/packages/public/2016.2.1/ubuntu-16.04-amd64-1.5.3 ./ InRelease
Ign file:/opt/puppetlabs/server/data/packages/public/2016.2.1/ubuntu-16.04-amd64-1.5.3 ./ InRelease
Get: 2 file:/opt/puppetlabs/server/data/packages/public/2016.2.1/ubuntu-16.04-amd64-1.5.3 ./ Release [505 B]
Get: 3 file:/opt/puppetlabs/server/data/packages/public/2016.2.1/ubuntu-16.04-amd64-1.5.3 ./ Release [505 B]
Get: 4 file:/opt/puppetlabs/server/data/packages/public/2016.2.1/ubuntu-16.04-amd64-1.5.3 ./ Release.gpg [836 B]
Get: 5 file:/opt/puppetlabs/server/data/packages/public/2016.2.1/ubuntu-16.04-amd64-1.5.3 ./ Release.gpg [836 B]
Hit http://ch.archive.ubuntu.com/ubuntu xenial InRelease
Hit http://ch.archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit http://ch.archive.ubuntu.com/ubuntu xenial-backports InRelease
Ign file:/opt/puppetlabs/server/data/packages/public/2016.2.1/ubuntu-16.04-amd64-1.5.3 ./ Release.gpg
Get: 6 http://security.ubuntu.com/ubuntu xenial-security InRelease [102 kB]
Ign https://puppet.domain.local:8140/packages/2016.2.0/ubuntu-16.04-amd64 ./ InRelease
Hit https://puppet.domain.local:8140/packages/2016.2.0/ubuntu-16.04-amd64 ./ Release
Err https://puppet.domain.local:8140/packages/2016.2.0/ubuntu-16.04-amd64 ./ Release.gpg
The following signatures were invalid: KEYEXPIRED 1483574797
Fetched 102 kB in 0s (182 kB/s)
W: file:/opt/puppetlabs/server/data/packages/public/2016.2.1/ubuntu-16.04-amd64-1.5.3/./Release.gpg: Signature by key 47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30 uses weak digest algorithm (SHA1)
W: GPG error: file:/opt/puppetlabs/server/data/packages/public/2016.2.1/ubuntu-16.04-amd64-1.5.3 ./ Release: The following signatures were invalid: KEYEXPIRED 1483574797
W: The repository 'file:/opt/puppetlabs/server/data/packages/public/2016.2.1/ubuntu-16.04-amd64-1.5.3 ./ Release' is not signed.
W: Invalid 'Date' entry in Release file /var/lib/apt/lists/_opt_puppetlabs_server_data_packages_public_2016.2.1_ubuntu-16.04-amd64-1.5.3_._Release
W: https://puppet.domain.local:8140/packages/2016.2.0/ubuntu-16.04-amd64/./Release.gpg: Signature by key 47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30 uses weak digest algorithm (SHA1)
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://puppet.domain.local:8140/packages/2016.2.0/ubuntu-16.04-amd64 ./ Release: The following signatures were invalid: KEYEXPIRED 1483574797
W: Failed to fetch https://puppet.domain.local:8140/packages/2016.2.0/ubuntu-16.04-amd64/./Release.gpg: The following signatures were invalid: KEYEXPIRED 1483574797
W: Some index files failed to download. They have been ignored, or old ones used instead.
EDIT: For reproducing this issue, this already happens when trying to install a fresh 2016.2.0 on Ubuntu 16.04 with ./puppet-enterprise-installer
I needed to install a new instance to reproduce issues while upgrading from 2016.2.0 to 2016.2.1 (and 2016.4.0).
I am facing a similar issue on Ubuntu 16.04:
$ wget http://apt.puppetlabs.com/puppetlabs-release-pc1-xenial.deb
$ dpkg -i puppetlabs-release-pc1-xenial.deb
$ apt-get update
Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [102 kB]
Ign:2 http://apt.puppetlabs.com xenial InRelease
Hit:3 http://nova.clouds.archive.ubuntu.com/ubuntu xenial InRelease
Hit:4 http://apt.puppetlabs.com xenial Release
Get:5 http://apt.puppetlabs.com xenial Release.gpg [841 B]
Ign:5 http://apt.puppetlabs.com xenial Release.gpg
Get:6 http://nova.clouds.archive.ubuntu.com/ubuntu xenial-updates InRelease [102 kB]
Hit:7 http://nova.clouds.archive.ubuntu.com/ubuntu xenial-backports InRelease
Get:8 http://nova.clouds.archive.ubuntu.com/ubuntu xenial-updates/restricted Sources [1,800 B]
Get:9 http://nova.clouds.archive.ubuntu.com/ubuntu xenial-updates/restricted amd64 Packages [6,568 B]
Get:10 http://nova.clouds.archive.ubuntu.com/ubuntu xenial-updates/restricted Translation-en [2,020 B]
Get:11 http://nova.clouds.archive.ubuntu.com/ubuntu xenial-updates/multiverse amd64 Packages [7,376 B]
Fetched 223 kB in 1s (133 kB/s)
Reading package lists... Done
W: GPG error: http://apt.puppetlabs.com xenial Release: The following signatures were invalid: BADSIG 7F438280EF8D349F Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>
W: The repository 'http://apt.puppetlabs.com xenial Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
$ apt-key list
/etc/apt/trusted.gpg
--------------------
pub 1024D/437D05B5 2004-09-12
uid Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
sub 2048g/79164387 2004-09-12

pub 4096R/C0B21F32 2012-05-11
uid Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>

pub 4096R/EFE21092 2012-05-11
uid Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>

pub 1024D/FBB75451 2004-12-30
uid Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>

/etc/apt/trusted.gpg.d/puppetlabs-pc1-keyring.gpg
-------------------------------------------------
pub 4096R/4BD6EC30 2010-07-10 [expired: 2017-01-05]
uid Puppet Labs Release Key (Puppet Labs Release Key) <info@puppetlabs.com>

pub 4096R/07BB6C57 2013-02-06 [expires: 2019-02-11]
uid Puppet Labs Nightly Build Key (Puppet Labs Nightly Build Key) <delivery@puppetlabs.com>
uid Puppet Labs Nightly Build Key (Puppet Labs Nightly Build Key) <info@puppetlabs.com>
sub 4096R/A5FC3E74 2013-02-06 [expires: 2019-02-11]

pub 4096R/EF8D349F 2016-08-18 [expires: 2021-08-17]
uid Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>
sub 4096R/656674AE 2016-08-18 [expires: 2021-08-17]
Only the option --allow-unauthenticated allows to install the puppet-agent package. Otherwise you get:
$ DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install puppet-agent
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
puppet-agent
0 upgraded, 1 newly installed, 0 to remove and 6 not upgraded.
Need to get 15.2 MB of archives.
After this operation, 91.2 MB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
puppet-agent
E: There were unauthenticated packages and -y was used without --allow-unauthenticated
Jens Offenbach When were you trying to run this yesterday? I'm wondering if you caught us in the midst of a metadata update and that caused some issues? I just tried the same steps you ran on a xenial VM and was unable to reproduce.
For folks that are running into this while installing PE version 2016.2.1 or earlier, an extended key along with instructions for deploying it can be found in the PE Support Knowledgebase:
Morgan Rhodes I am sorry! It is working now. The issue was caused by outdated Release and Packages files in the http cache (Squid) which were not updated because of a parent proxy misconfiguration.
Jens Offenbach glad it's working, thanks for letting me know!
Charlie Sharpsteen, is the link provided open to everyone? If not, can you please provide me the instructions on deploying the extended key.
A little bit of history on my issue: I am trying to add another node to the master, and installing the agent with the install.bash script failed as the key was expired. I tried to manually add the key on the master but it still picks up the old key.
Thanks in advance.
Abhinav santi The PE Support Knowledgebase article can be accessed with the username and password provided as part of an active support agreement. If you just need the updated key, a copy is publicly accessible here:
In spite of running the command manually, this doesn't seem to be fixed. Output as below:
root@netlogin-test-01:~# apt-key list | grep expired
pub 4096R/4BD6EC30 2010-07-10 [expired: 2017-01-05]
root@netlogin-test-01:~# apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 4BD6EC30
Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/tmp.DPryggE0R0 --no-auto-check-trustdb --trust-model always --keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg --keyring /etc/apt/trusted.gpg.d/puppetlabs-keyring.gpg --keyring /etc/apt/trusted.gpg.d/puppetlabs-nightly-keyring.gpg --recv-keys --keyserver keyserver.ubuntu.com 4BD6EC30
gpg: requesting key 4BD6EC30 from hkp server keyserver.ubuntu.com
gpg: key 4BD6EC30: "Puppet Labs Release Key (Puppet Labs Release Key) <info@puppetlabs.com>" not changed
gpg: key 4BD6EC30: "Puppet Labs Release Key (Puppet Labs Release Key) <info@puppetlabs.com>" not changed
gpg: key 4BD6EC30: "Puppet Labs Release Key (Puppet Labs Release Key) <info@puppetlabs.com>" not changed
gpg: Total number processed: 3
gpg: unchanged: 3
root@netlogin-test-01:~# apt-key list | grep expired
pub 4096R/4BD6EC30 2010-07-10 [expired: 2017-01-05]
If this command doesn't even work manually then no point in creating an exec resource. Has anyone faced this issue as well?
Mithil Patel: An extended key hasn't been distributed to the keyservers as the packages signed using it are no longer maintained. If needed, a copy of the extended key can be obtained from the PE Support article or GitHub repository listed above. However, we recommend updating to PE 2016.4 or the latest release as those series are still maintained with security patches and bugfixes.
I have the latest updated key as well as my PE version is 2016.4.3. I still face the issue.
I have the same issue as Mithil Patel:
The following signatures were invalid: BADSIG 7F438280EF8D349F Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>
Fetched 14.2 kB in 0s (26.4 kB/s)
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://apt.puppetlabs.com xenial Release: The following signatures were invalid: BADSIG 7F438280EF8D349F Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>
W: Failed to fetch http://apt.puppetlabs.com/dists/xenial/Release.gpg The following signatures were invalid: BADSIG 7F438280EF8D349F Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>
I tried to update the key manually to no avail:
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7F438280EF8D349F
Executing: /tmp/tmp.qlmCAtWceQ/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 7F438280EF8D349F
gpg: requesting key EF8D349F from hkp server keyserver.ubuntu.com
gpg: key EF8D349F: "Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
I also followed the blog article about this and it too didn't help:
https://puppet.com/blog/updated-puppet-gpg-signing-key
I just hit the same error:
/home/devbox/.bundle/ruby/2.4.0/beaker-551cc157ca80/lib/beaker/host.rb:373:in `exec': Host 'ubuntu-server-1604-x64' exited with 100 running: (Beaker::Host::CommandFailure)
apt-get update
Last 10 lines of output were:
Hit:9 http://us.archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:10 http://us.archive.ubuntu.com/ubuntu xenial-backports InRelease
Fetched 49.3 kB in 3s (12.9 kB/s)
Reading package lists...
W: GPG error: http://apt.puppetlabs.com xenial Release: The following signatures were invalid: BADSIG 7F438280EF8D349F Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>
W: The repository 'http://apt.puppetlabs.com xenial Release' is not signed.
E: Failed to fetch http://apt.puppetlabs.com/dists/xenial/PC1/binary-amd64/Packages.gz Hash Sum mismatch
E: Failed to fetch http://apt.puppetlabs.com/dists/xenial/PC1/binary-i386/Packages.gz
E: Failed to fetch http://apt.puppetlabs.com/dists/xenial/PC1/binary-all/Packages.gz
E: Some index files failed to download. They have been ignored, or old ones used instead.
Same here, using Beaker 3.15.0 and puppetlabs/ubuntu-16.04-64-nocm vagrant box.
Scary to see all acceptance tests fail all of a sudden. Even more so while preparing for a demo.
I'm running into the same issue.
Although the headline of the issue seems to be not correct, as the key is valid till 2021.
pub 4096R/EF8D349F 2016-08-18 [expires: 2021-08-17]
uid Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>
So is it that puppetlabs is compromised, or did some mistake happen?
If I'm not mistaken the previous (and now expired) GPG key has been replaced with the one that's valid till 2021.
The old one is still available on f.i. Puppetlabs' vagrant boxes as being used by Beaker.
This is easily reproducible on the Ubuntu Xenial box:
vagrant init ubuntu/xenial64
vagrant up
vagrant ssh
wget https://apt.puppetlabs.com/puppetlabs-release-pc1-xenial.deb
sudo dpkg -i puppetlabs-release-pc1-xenial.deb
sudo apt-get install puppetlabs-release-pc1
sudo apt update # may need to run this a couple of times
which produces
Reading package lists... Done
W: GPG error: http://apt.puppetlabs.com xenial Release: The following signatures were invalid: BADSIG 7F438280EF8D349F Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>
E: The repository 'http://apt.puppetlabs.com xenial Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
Apologies for the inconvenience: I think we had some bad metadata cached in our CDN, we have refreshed the cache and it does seem to be working now (for me), can someone verify?
@Rob I can confirm that it works on my side, I have been blocked by this the whole day.
Yes, thanks for this. We're aware and still discussing a few options and procedures for flipping to a new key.