MODULES-3307

puppetlabs-apt doesn't detect or allow updating expired keys

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: puppet_agent 1.1.0
    • Fix Version/s: None
    • Component/s: apt
    • Labels:
      None
    • Environment:

      Ubuntu 14.04, puppet version 3.8.7 with puppetlabs-apt version 2.2.2

    • Template:
      MODULES Bug Template
    • Epic Link:
    • Team:
      Modules

      Description

      I'm using puppet to manage CRAN's R. Their APT signing key is installed with:

      apt::key { 'crankey':
        id     => 'E298A3A825C0D65DFD57CBB651716619E084DAB9',
        server => 'keyserver.ubuntu.com',
      }
      

      This works great on new systems, but on older systems they have an expired key, with the same fingerprint.

      There is an ensure => present, but unlike packages there's no ensure => latest. Nor is there any way I could find documented to check if the key is valid, or refresh the key from the keyserver.

      So the result is apt fails with:

      W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://cran.us.r-project.org trusty/ Release: The following signatures were invalid: KEYEXPIRED 1445181253 KEYEXPIRED 1445181253 KEYEXPIRED 1445181253
      

      If I view the key:

      pub   2048R/E084DAB9 2010-10-19 [expired: 2015-10-18]
            Key fingerprint = E298 A3A8 25C0 D65D FD57  CBB6 5171 6619 E084 DAB9
      uid                  Michael Rutter <marutter@gmail.com>
      

      On a newer system:

      pub   2048R/E084DAB9 2010-10-19 [expires: 2020-10-16]
            Key fingerprint = E298 A3A8 25C0 D65D FD57  CBB6 5171 6619 E084 DAB9
      uid                  Michael Rutter <marutter@gmail.com>
      sub   2048R/1CFF3E8F 2010-10-19 [expires: 2020-10-16]
      
      

      Note the fingerprint is the same, but the expiration is different. So the problem is that puppetlabs-apt seems to have no way for me to ask for an up-to-date key.
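
The condition described in this report (the expected fingerprint is present, but the stored copy of the key has expired) can be checked outside the module by parsing `gpg --with-colons --fingerprint` output. The following is an added example, not code from the report or from puppetlabs-apt; the function names and sample listings are constructed, and expiry fields are assumed to be epoch seconds or `YYYY-MM-DD`.

```python
from datetime import datetime, timezone

# Constructed sample listings (not captured from a real host). The key ID,
# fingerprint and the 1445181253 expiry come from the report; the creation
# time, the 2020 expiry epoch and the all-zero subkey values are placeholders.
FPR = "E298A3A825C0D65DFD57CBB651716619E084DAB9"
STALE = (
    "pub:e:2048:1:51716619E084DAB9:1287446400:1445181253::-:::sc:\n"
    "fpr:::::::::" + FPR + ":\n"
)
REFRESHED = (
    "pub:-:2048:1:51716619E084DAB9:1287446400:1602806400::-:::scESC:\n"
    "fpr:::::::::" + FPR + ":\n"
    "sub:-:2048:1:0000000000000000:1287446400:1602806400:::::e:\n"
    "fpr:::::::::" + "0" * 40 + ":\n"
)


def _expiry(field):
    """Expiry field -> epoch seconds, or None when the key never expires."""
    if not field:
        return None
    if field.isdigit():  # epoch seconds (--fixed-list-mode, default in GnuPG 2.x)
        return int(field)
    day = datetime.strptime(field, "%Y-%m-%d")  # GnuPG 1.4 default date form
    return int(day.replace(tzinfo=timezone.utc).timestamp())


def primary_keys(listing):
    """Map each primary-key fingerprint to its expiry (epoch seconds or None)."""
    keys, expiry, want_fpr = {}, None, False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 6:
            expiry, want_fpr = _expiry(f[6]), True
        elif f[0] == "sub":
            want_fpr = False  # the next fpr record belongs to the subkey
        elif f[0] == "fpr" and want_fpr and len(f) > 9:
            keys[f[9].upper()] = expiry
            want_fpr = False
    return keys


def key_state(listing, fingerprint, now):
    """Return 'absent', 'expired' or 'valid' for one fingerprint at time `now`."""
    keys = primary_keys(listing)
    fpr = fingerprint.replace(" ", "").upper()
    if fpr not in keys:
        return "absent"
    expiry = keys[fpr]
    return "expired" if expiry is not None and expiry <= now else "valid"
```

An `expired` result for a fingerprint that a presence-only check already treats as installed is the case this report describes.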

            People

            Assignee:
            eimhin.laverty Eimhin Laverty
            Reporter:
            bill@broadley.org Bill Broadley