During installation of some older versions of Puppet Enterprise on Debian, Ubuntu, and SLES 15 nodes, a failure might occur when PE packages are being added to the system. The GPG key bundled with PE versions prior to 2019.8.4 expired on 17 August 2021. The expired key causes PE installation to fail on Debian, Ubuntu, and SLES 15 nodes.
Note: While PE 2019.8 is still supported, we recommend updating to the latest patch release to resolve this issue. Versions older than PE 2019.8 are end of life and are no longer eligible for security updates and bug fixes. If you are using an end-of-life version, we encourage you to plan an upgrade to a mainstream supported version.
Error messages and logs
When installing, the error and warning messages are logged to one of two locations:
|Node type||Method of installation||Logged to|
Debian and Ubuntu error message:
W: GPG error: ./ Release: The following signatures were invalid: KEYEXPIRED 1629234366 ... WARNING: The following packages cannot be authenticated! <LIST OF PACKAGES> E: There are problems and -y was used without --force-yes
SLES 15 error message:
Warning: The gpg key signing file 'repomd.xml' has expired. Repository: puppet-enterprise Key Name: Puppet, Inc. Release Key (Puppet, Inc. Release Key) <email@example.com> Key Fingerprint: 6F6B1550 9CF8E59E 6E469F32 7F438280 EF8D349F Key Created: Thu 18 Aug 2016 10:06:06 PM BST Key Expires: Tue 17 Aug 2021 10:06:06 PM BST (EXPIRED) Rpm Name: gpg-pubkey-ef8d349f-57b6233e Signature verification failed for file 'repomd.xml' from repository 'puppet-enterprise'.
Version and installation information
PE version: 2016.4.0 to 2019.8.4
OS: Debian, Ubuntu, SLES 15
To resolve the error, update the key. After completing these steps, If you upgrade to any version of PE prior to 2019.8.4, you must complete the steps in this article again to resolve the issue.
When installing Ubuntu infrastructure nodes
Import the updated GPG key and then run the
GPG-KEY-puppetfile attached at the bottom of this article.
On PE infrastructure nodes, import it to your apt keyring.
apt-key add GPG-KEY-puppet
Continue with PE installation by running
When installing Debian, Ubuntu, or SLES 15 agent nodes
If you’re using the
pe_repo module to install agents, you can use these steps to update the GPG key used by the
GPG-KEY-puppetfile attached at the bottom of this article. Copy it to the primary server.
Copy the key to the
cp GPG-KEY-puppet \ /opt/puppetlabs/puppet/modules/pe_repo/files/GPG-KEY-puppet cp GPG-KEY-puppet \ /opt/puppetlabs/server/data/environments/enterprise/modules/pe_repo/files/GPG-KEY-puppet
On each PE infrastructure node, update the
install.bashscript by running
puppet agent -t.
If you have a replica, complete these steps on the replica to ensure that
install.bash is not reverted during replica failover or promotion.
Note: If you’re using a package manager or your own script to install agents, you must distribute the key to each agent via other means.