rapid7bob
2012-Jul-09 19:30 UTC
[Puppet Users] update apt key for puppetlabs and verify signature
I did a set of Google searches looking for the answer to this question, but didn't find any good ones. Since I believe the community may benefit from my experience, I thought I'd post it.

While updating patches on Ubuntu 10.04 on a staging puppet environment, I noticed the apt key for puppetlabs had expired. Rather than blindly installing a keyring package that may not be verified, I decided to verify manually. Here are the steps:

"apt-get clean && apt-get update" yields
    ...
    Get:2 http://apt.puppetlabs.com lucid Release [8,845B]
    ...
    W: GPG error: http://apt.puppetlabs.com lucid Release: The following signatures were invalid: KEYEXPIRED 1341792832

"apt-key list" shows:
    ...
    /etc/apt/trusted.gpg.d/pl-keyring.gpg
    -------------------------------------
    pub 4096R/4BD6EC30 2010-07-10 [expired: 2012-07-09]
    uid Puppet Labs Release Key (Puppet Labs Release Key) <info@puppetlabs.com>

"gpg --recv-key 4BD6EC30" says:
    gpg: requesting key 4BD6EC30 from hkp server keys.gnupg.net
    gpg: /root/.gnupg/trustdb.gpg: trustdb created
    gpg: key 4BD6EC30: public key "Puppet Labs Release Key (Puppet Labs Release Key) <info@puppetlabs.com>" imported
    gpg: no ultimately trusted keys found
    gpg: Total number processed: 1
    gpg: imported: 1 (RSA: 1)

"gpg --list-key --fingerprint 4BD6EC30" reports:
    pub 4096R/4BD6EC30 2010-07-10 [expires: 2016-07-08]
    Key fingerprint = 47B3 20EB 4C7C 375A A9DA E1A0 1054 B7A2 4BD6 EC30
    uid Puppet Labs Release Key (Puppet Labs Release Key) <info@puppetlabs.com>

I checked and the fingerprint matches the one listed at http://projects.puppetlabs.com/projects/1/wiki/Downloading_Puppet#Verifying+Puppet+Downloads.

After running "apt-key adv --keyserver keys.gnupg.net --recv-keys 4BD6EC30", apt-get update runs without error.

Note to moderators: I don't know if this information has already been posted, but just in case it hasn't, here it is. It may not be encountered by others depending on timing of their installation/configuration.

Bob

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Felix Frank
2012-Jul-10 13:42 UTC
Re: [Puppet Users] update apt key for puppetlabs and verify signature
Hi,

thanks for sharing, but apparently you missed the new key being announced to this group by Matthaus Litteken on July 5th. That would probably have saved you lots of trouble.

Cheers,
Felix

rapid7bob
2012-Jul-10 18:04 UTC
Re: [Puppet Users] update apt key for puppetlabs and verify signature
Yes, new to the group -- thanks. It took about 10 minutes to find and had I searched on the keyid and updated before the expiration, it would have been easier. Unfortunately, I was out of the office and it was fairly short notice over a holiday week (at least in the US).

Cheers!
Bob

--
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/Qg5xjRgzjL0J.

krish
2012-Aug-03 06:05 UTC
Re: [Puppet Users] update apt key for puppetlabs and verify signature
On Tue, Jul 10, 2012 at 7:12 PM, Felix Frank <felix.frank@alumni.tu-berlin.de> wrote:
> Hi,
>
> thanks for sharing, but apparently you missed the new key being
> announced to this group by Matthaus Litteken on July 5th. That would
> probably have saved you lots of trouble.
>
> Cheers,
> Felix

I did a

    gpg --refresh-keys; gpg --recv-keys 4BD6EC30

as per that email.

And the key is still showing expired.

    # apt-key list | grep -B1 "Puppet Labs"
    pub 4096R/4BD6EC30 2010-07-10 [expired: 2012-07-09]
    uid Puppet Labs Release Key (Puppet Labs Release Key) <info@puppetlabs.com>

--
Krish
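
Added example, not part of any post in this thread: the manual check described in the first message (compare the full fingerprint, not just the 8-digit ID 4BD6EC30) as a script that also reports when the copy being inspected is still the expired one. Plain "gpg --recv-keys" updates the invoking user's GnuPG keyring, while "apt-key list" reads apt's own keyrings, so the two copies can differ. The function names and the sample listings are assumptions made for this example; the listings are constructed in gpg's --with-colons format.

```shell
#!/bin/sh
# Added example, not from the thread: vet a key listing before apt trusts it.
# Real input would come from, e.g.:
#   gpg --no-default-keyring --keyring /etc/apt/trusted.gpg.d/pl-keyring.gpg \
#       --with-colons --fingerprint | check_key "$EXPECTED_FPR"

# Pinned full fingerprint, as quoted in the first message of the thread.
EXPECTED_FPR='47B3 20EB 4C7C 375A A9DA E1A0 1054 B7A2 4BD6 EC30'

# Strip spaces and upper-case, so spaced and compact notations compare equal.
normalize_fpr() { printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'; }

# stdin: colon listing; stdout: "<fingerprint> <validity>" of the first primary key.
key_status() {
    awk -F: '$1 == "pub" && !v { v = ($2 == "" ? "-" : $2) }
             $1 == "fpr" && v  { print $10, v; exit }'
}

# check_key PINNED_FPR < listing
# 0 = fingerprint matches and key usable, 1 = mismatch or no key found,
# 2 = right key, but this copy is expired/revoked/invalid (keyring not updated).
check_key() {
    want=$(normalize_fpr "$1")
    status=$(key_status)
    got=${status%% *}
    validity=${status#* }
    if [ -z "$got" ] || [ "$got" != "$want" ]; then
        echo "REJECT: fingerprint '$got' is not the pinned one" >&2
        return 1
    fi
    case $validity in
        e|r|i) echo "STALE: fingerprint matches, validity flag is '$validity'" >&2
               return 2 ;;
    esac
    echo "OK: $got"
}

# Constructed listings; every timestamp except 1341792832 is made up.
listing() {  # listing VALIDITY EXPIRY FINGERPRINT
    keyid=$(printf '%s' "$3" | cut -c25-40)   # long key ID = last 16 hex digits
    printf 'pub:%s:4096:1:%s:1278720832:%s::-:::sc:\nfpr:::::::::%s:\n' "$1" "$keyid" "$2" "$3"
}
apt_copy()       { listing e 1341792832 "$(normalize_fpr "$EXPECTED_FPR")"; }  # expired copy
refreshed_copy() { listing - 1467936000 "$(normalize_fpr "$EXPECTED_FPR")"; }  # after refresh
lookalike()      { listing - 1467936000 0123456789ABCDEF0123456789ABCDEF4BD6EC30; }  # same short ID

for sample in apt_copy refreshed_copy lookalike; do
    printf '%-15s ' "$sample"; $sample | check_key "$EXPECTED_FPR" 2>&1 || true
done
```

A return code of 2 against apt's keyring alongside 0 against the user's keyring means the refreshed key has not yet been put where apt looks for it.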