Updated Puppet GPG signing key, 2020 edition

Editor's note: This change to the GPG signing key affects both Puppet Enterprise users and open source Puppet users. If you're using Puppet Enterprise, you'll be getting the new key in an upcoming release, or if you manually update your version of puppet-agent, you'll get it then.

Thanks to Morgan Rhodes (@KnittyNerd) for all the technical details for this blog post.

The GPG signing key we’ve been using to sign Puppet products on Linux is expiring in August 2021, so we will be switching to a new key. This means you’ll need to import the new key to be able to use Puppet's public apt and yum repositories. Here are three ways you can update to use the new key.

Update the puppetlabs-release packages

If you fetch Puppet software via apt or yum using one of the puppet-release, puppet5-release or puppet6-release packages, updating that package is the easiest way to get the updated key.

SLES users need to manually update the key before using the new release packages:

$ curl --remote-name --location https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406
$ gpg --keyid-format 0xLONG --with-fingerprint ./RPM-GPG-KEY-puppet-20250406
pub  4096R/0x4528B6CD9E61EF26 2019-04-08 Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>
      Key fingerprint = D681 1ED3 ADEE B844 1AF5  AA8F 4528 B6CD 9E61 EF26
sub  4096R/0xF230A24E9F057A83 2019-04-08 [expires: 2025-04-06]

$ sudo rpm --import RPM-GPG-KEY-puppet-20250406
$ sudo zypper update puppet-release

On EL and Fedora

$ sudo yum update puppet-release

On Debian and Ubuntu

$ sudo apt-get upgrade puppet-release

Update the key with Puppet

Here are some manifest snippets you can use to import the new GPG signing key with Puppet.

On EL, SLES and Fedora

# You’ll need to make sure /etc/pki and /etc/pki/rpm-gpg already exist
file { '/etc/pki/rpm-gpg/GPG-KEY-puppet-20250406':
    ensure => present,
    source => 'https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406',
}

# Match the 64-bit long key ID that --keyid-format 0xLONG prints, not only its last 8 hex digits
exec { "validate gpg key":
    path      => '/bin:/usr/bin:/sbin:/usr/sbin',
    command   => "gpg --keyid-format 0xLONG /etc/pki/rpm-gpg/GPG-KEY-puppet-20250406 | grep -q 4528B6CD9E61EF26",
    require   => File['/etc/pki/rpm-gpg/GPG-KEY-puppet-20250406'],
    logoutput => 'on_failure',
}

exec { "import gpg key":
    path      => '/bin:/usr/bin:/sbin:/usr/sbin',
    command   => "rpm --import /etc/pki/rpm-gpg/GPG-KEY-puppet-20250406",
    unless    => "rpm -q gpg-pubkey-`echo $(gpg --throw-keyids < /etc/pki/rpm-gpg/GPG-KEY-puppet-20250406) | cut --characters=11-18 | tr A-Z a-z`",
    require   => [ File['/etc/pki/rpm-gpg/GPG-KEY-puppet-20250406'], Exec['validate gpg key'] ],
    logoutput => 'on_failure',
}

On Debian and Ubuntu

# This is based on puppetlabs-apt >= 2.0.0
apt::key { 'puppet gpg key':
    id     => 'D6811ED3ADEEB8441AF5AA8F4528B6CD9E61EF26',
    server => 'pgp.mit.edu',
}

Update the key manually

You can also update the key manually on your servers.

On EL, SLES and Fedora

$ curl --remote-name --location https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406
$ gpg --keyid-format 0xLONG --with-fingerprint ./RPM-GPG-KEY-puppet-20250406
pub  4096R/0x4528B6CD9E61EF26 2019-04-08 Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>
      Key fingerprint = D681 1ED3 ADEE B844 1AF5  AA8F 4528 B6CD 9E61 EF26
sub  4096R/0xF230A24E9F057A83 2019-04-08 [expires: 2025-04-06]

$ rpm --import RPM-GPG-KEY-puppet-20250406

On Debian and Ubuntu

$ curl --remote-name --location https://apt.puppet.com/DEB-GPG-KEY-puppet-20250406
$ gpg --keyid-format 0xLONG --with-fingerprint ./DEB-GPG-KEY-puppet-20250406
pub   rsa4096/0x4528B6CD9E61EF26 2019-04-08 [SC] [expires: 2025-04-06]
      Key fingerprint = D681 1ED3 ADEE B844 1AF5  AA8F 4528 B6CD 9E61 EF26
uid                          Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>
sub   rsa4096/0xF230A24E9F057A83 2019-04-08 [E] [expires: 2025-04-06]

$ sudo apt-key add DEB-GPG-KEY-puppet-20250406
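
The manual steps above depend on comparing the fingerprint by eye. The following script is an added example, not part of the original post or Puppet's tooling: it compares the full fingerprint of a downloaded key file with the one printed above and rejects a file that carries any other primary key. The function names are hypothetical, and it assumes gpg's `--with-colons` listing format.

```sh
#!/bin/sh
# Added example: verify a downloaded release key by full fingerprint before import.
# Function names are hypothetical; the fingerprint is the one printed in this post.
EXPECTED_FPR='D681 1ED3 ADEE B844 1AF5  AA8F 4528 B6CD 9E61 EF26'

# Strip spaces and upper-case, so the value can be pasted as gpg displays it.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Read a `gpg --with-colons` listing on stdin. Succeed only if it holds exactly
# one primary key ("pub" record) and that key's "fpr" record (field 10) equals
# the expected fingerprint. Subkey fingerprints and uid text are never compared.
check_key_listing() {
    awk -F: -v want="$(normalize_fpr "$1")" '
        $1 == "pub" { pubs++; in_pub = 1; next }
        $1 == "sub" { in_pub = 0; next }
        $1 == "fpr" && in_pub { if ($10 == want) hits++; in_pub = 0 }
        END { exit !(pubs == 1 && hits == 1) }
    '
}

# List the key file the same way the post does (nothing is imported) and
# check the machine-readable output instead of reading it by eye.
verify_key_file() {
    gpg --with-colons --with-fingerprint "$1" 2>/dev/null |
        check_key_listing "$2"
}

# Stand-alone use: sh verify-key.sh ./RPM-GPG-KEY-puppet-20250406
if [ "$#" -eq 1 ] && [ -f "$1" ]; then
    if verify_key_file "$1" "$EXPECTED_FPR"; then
        echo "OK: $1 carries only the expected key"
    else
        echo "REJECT: $1 does not match $EXPECTED_FPR" >&2
        exit 1
    fi
fi
```

Run it on the downloaded file and only continue to `rpm --import` or `apt-key add` when it exits with status 0.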

If you have any questions, feel free to ask on #puppet on the Puppet Community Slack, or the puppet-users Google group.

Eric Griswold is a release engineer at Puppet.
