gpg key is expired since 20250406

[Isma399]

Hello,

puppet-7 installation on noble failed because of:

# wget https://apt.puppetlabs.com/puppet7-release-noble.deb
# sudo dpkg -i puppet7-release-noble.deb
# sudo apt-get update
Get:2 http://nova.clouds.archive.ubuntu.com/ubuntu noble-updates InRelease [126 kB]
Get:3 http://nova.clouds.archive.ubuntu.com/ubuntu noble-backports InRelease [126 kB]
Hit:4 http://security.ubuntu.com/ubuntu noble-security InRelease
Get:5 http://apt.puppet.com noble InRelease [56.1 kB]
Err:5 http://apt.puppet.com noble InRelease
  The following signatures were invalid: EXPKEYSIG 4528B6CD9E61EF26 Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>
Reading package lists... Done
W: GPG error: http://apt.puppet.com noble InRelease: The following signatures were invalid: EXPKEYSIG 4528B6CD9E61EF26 Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>
E: The repository 'http://apt.puppet.com noble InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
N: Missing Signed-By in the sources.list(5) entry for 'http://nova.clouds.archive.ubuntu.com/ubuntu'
N: Missing Signed-By in the sources.list(5) entry for 'http://nova.clouds.archive.ubuntu.com/ubuntu'

The key used in the deb package is :
https://apt.puppet.com/DEB-GPG-KEY-puppet-20250406

this key seems expired, is there any workaround or is an renew needed?

Thank you very much

[fr-rin]

Happy Monday!

[juanfranp16]

The only workaround until they don't renew the gpg key is to add [trusted=yes] in your /etc/apt/sources.list.d/ file

It has to look like this
deb [trusted=yes] http://apt.puppet.com noble puppet7

[Isma399]

A team mate propose this solution:

wget https://apt.puppet.com/DEB-GPG-KEY-future
gpg --import DEB-GPG-KEY-future
gpg --output /etc/apt/trusted.gpg.d/puppet7-keyring.gpg --export release@puppet.com
apt update 

[fr-rin]

A team mate propose this solution:

wget https://apt.puppet.com/DEB-GPG-KEY-future
gpg --import DEB-GPG-KEY-future
gpg --output /etc/apt/trusted.gpg.d/puppet7-keyring.gpg --export release@puppet.com
apt update 

While this may sort the immediate problem, I don't think it's a solution. The repo deb-files still have the old key - so anybody attempting to install, say, https://apt.puppetlabs.com/puppet8-release-noble.deb will be met by a broken repo after their first 'apt update'.

[fr-rin]

DEB-GPG-KEY-future seems to be the same key but without an expiration date?

expired:
$ gpg pubkey.gpg
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub rsa4096 2019-04-08 [SC] [expired: 2025-04-06]
D6811ED3ADEEB8441AF5AA8F4528B6CD9E61EF26
uid Puppet, Inc. Release Key (Puppet, Inc. Release Key) release@puppet.com
sub rsa4096 2019-04-08 [E] [expired: 2025-04-06]
forever:
$ gpg DEB-GPG-KEY-future
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub rsa4096 2019-04-08 [SC]
D6811ED3ADEEB8441AF5AA8F4528B6CD9E61EF26
uid Puppet, Inc. Release Key (Puppet, Inc. Release Key) release@puppet.com
sub rsa4096 2019-04-08 [E]

Searching for the D6811ED3ADEEB8441AF5AA8F4528B6CD9E61EF26 key on public keyservers seems to return the expired key.