EPEL GPG Key #95

Closed
TJM opened this issue Apr 25, 2018 · 2 comments · Fixed by #96
Labels
enhancement New feature or request

TJM commented Apr 25, 2018

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: puppet-agent-5.3.5-1.el7.x86_64
  • Ruby: ruby 2.4.3p205 (2017-12-14 revision 61247) [x86_64-linux]
  • Distribution: CentOS Linux release 7.4.1708 (Core)
  • Module version: 2.2.1

How to reproduce (e.g. Puppet code you use)

include ::yum

package { 'rootsh':
  ensure => installed,
}

yum::managed_repos:
  - epel

What are you seeing

Error: /Stage[main]/Profile::Davita_base::Rootsh/Package[rootsh]/ensure: change from 'purged' to 'present' failed: Execution of '/bin/yum -d 0 -e 0 -y install rootsh' returned 1: warning: /var/cache/yum/x86_64/7/epel/packages/rootsh-1.5.3-17.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY


GPG key retrieval failed: [Errno 14] curl#37 - "Couldn't open file /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7"

What behaviour did you expect instead

I expected the package to be installed ;)

Output log

see error above

Any additional information you'd like to impart

The GPG key should be somehow included?

Workaround

You can manually install the GPG key file with the following Puppet code:

# Linux Software Repository Servers
# For RedHat family: https://forge.puppet.com/puppet/yum
class profile::linux::software (
  Boolean $purge = true,
  Hash $rpm_gpg_keys = {},
) {

  case $facts['os']['family'] {
    'RedHat': {
      include ::yum
      # Purge?
      resources { 'yumrepo':
        purge => $purge,
      }
      # GPG Keys
      create_resources('yum::gpgkey', $rpm_gpg_keys)
      # Resource ordering
      Yumrepo <| |> -> Yum::Gpgkey <| |> -> Package <| provider != 'rpm' |>
    }
    default: { notify { "profile::linux::software does not support osfamily: ${facts['os']['family']}": } }
  }
}

... and the following yaml:

yum::managed_repos:
  - epel

profile::linux::software::rpm_gpg_keys:
  /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7:
    content: |
      -----BEGIN PGP PUBLIC KEY BLOCK-----
      Version: GnuPG v1.4.11 (GNU/Linux)

      mQINBFKuaIQBEAC1UphXwMqCAarPUH/ZsOFslabeTVO2pDk5YnO96f+rgZB7xArB
      OSeQk7B90iqSJ85/c72OAn4OXYvT63gfCeXpJs5M7emXkPsNQWWSju99lW+AqSNm
      jYWhmRlLRGl0OO7gIwj776dIXvcMNFlzSPj00N2xAqjMbjlnV2n2abAE5gq6VpqP
      vFXVyfrVa/ualogDVmf6h2t4Rdpifq8qTHsHFU3xpCz+T6/dGWKGQ42ZQfTaLnDM
      jToAsmY0AyevkIbX6iZVtzGvanYpPcWW4X0RDPcpqfFNZk643xI4lsZ+Y2Er9Yu5
      S/8x0ly+tmmIokaE0wwbdUu740YTZjCesroYWiRg5zuQ2xfKxJoV5E+Eh+tYwGDJ
      n6HfWhRgnudRRwvuJ45ztYVtKulKw8QQpd2STWrcQQDJaRWmnMooX/PATTjCBExB
      9dkz38Druvk7IkHMtsIqlkAOQMdsX1d3Tov6BE2XDjIG0zFxLduJGbVwc/6rIc95
      T055j36Ez0HrjxdpTGOOHxRqMK5m9flFbaxxtDnS7w77WqzW7HjFrD0VeTx2vnjj
      GqchHEQpfDpFOzb8LTFhgYidyRNUflQY35WLOzLNV+pV3eQ3Jg11UFwelSNLqfQf
      uFRGc+zcwkNjHh5yPvm9odR1BIfqJ6sKGPGbtPNXo7ERMRypWyRz0zi0twARAQAB
      tChGZWRvcmEgRVBFTCAoNykgPGVwZWxAZmVkb3JhcHJvamVjdC5vcmc+iQI4BBMB
      AgAiBQJSrmiEAhsPBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBqL66iNSxk
      5cfGD/4spqpsTjtDM7qpytKLHKruZtvuWiqt5RfvT9ww9GUUFMZ4ZZGX4nUXg49q
      ixDLayWR8ddG/s5kyOi3C0uX/6inzaYyRg+Bh70brqKUK14F1BrrPi29eaKfG+Gu
      MFtXdBG2a7OtPmw3yuKmq9Epv6B0mP6E5KSdvSRSqJWtGcA6wRS/wDzXJENHp5re
      9Ism3CYydpy0GLRA5wo4fPB5uLdUhLEUDvh2KK//fMjja3o0L+SNz8N0aDZyn5Ax
      CU9RB3EHcTecFgoy5umRj99BZrebR1NO+4gBrivIfdvD4fJNfNBHXwhSH9ACGCNv
      HnXVjHQF9iHWApKkRIeh8Fr2n5dtfJEF7SEX8GbX7FbsWo29kXMrVgNqHNyDnfAB
      VoPubgQdtJZJkVZAkaHrMu8AytwT62Q4eNqmJI1aWbZQNI5jWYqc6RKuCK6/F99q
      thFT9gJO17+yRuL6Uv2/vgzVR1RGdwVLKwlUjGPAjYflpCQwWMAASxiv9uPyYPHc
      ErSrbRG0wjIfAR3vus1OSOx3xZHZpXFfmQTsDP7zVROLzV98R3JwFAxJ4/xqeON4
      vCPFU6OsT3lWQ8w7il5ohY95wmujfr6lk89kEzJdOTzcn7DBbUru33CQMGKZ3Evt
      RjsC7FDbL017qxS+ZVA/HGkyfiu4cpgV8VUnbql5eAZ+1Ll6Dw==
      =hdPa
      -----END PGP PUBLIC KEY BLOCK-----
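
A pre-flight check for the failure reported above, as an added example that is not part of the original issue or of the puppet-yum module: it scans `.repo` content for enabled repositories whose `gpgkey=file://` target is absent, and for repositories that do not enable `gpgcheck` in the repo file. The names `audit_repo_keys` and `demo`, the `internal` and `scratch` repositories and the `RPM-GPG-KEY-internal` path are constructed for illustration; the check reads only the repo file, not `yum.conf`.

```python
import configparser
import os
import tempfile
from urllib.parse import urlparse

# Constructed sample .repo content; only the EPEL key path comes from the issue.
SAMPLE_REPO = """\
[epel]
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7

[internal]
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-internal

[scratch]
gpgcheck=0
"""

def audit_repo_keys(repo_text, root="/"):
    """Return {repo_id: [findings]} for the enabled repos in one .repo file."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(repo_text)
    report = {}
    for repo in cp.sections():
        sec = cp[repo]
        if sec.get("enabled", "1").strip() == "0":
            continue  # yum does not consult disabled repos
        findings = []
        if sec.get("gpgcheck", "").strip() != "1":
            # The setting may still be inherited from yum.conf [main]; not read here.
            findings.append("gpgcheck not enabled in repo file")
        for url in sec.get("gpgkey", "").split():  # several URLs may be listed
            parsed = urlparse(url)
            if parsed.scheme != "file":
                findings.append(f"remote key, fetched at install time: {url}")
            elif not os.path.isfile(os.path.join(root, parsed.path.lstrip("/"))):
                # The condition behind "Couldn't open file ..." in the issue
                findings.append(f"missing key file: {parsed.path}")
        report[repo] = findings
    return report

def demo():
    with tempfile.TemporaryDirectory() as root:
        keydir = os.path.join(root, "etc/pki/rpm-gpg")
        os.makedirs(keydir)
        open(os.path.join(keydir, "RPM-GPG-KEY-internal"), "w").close()
        return audit_repo_keys(SAMPLE_REPO, root)
```

On a real host the function would be called once per file under `/etc/yum.repos.d/` with the default `root="/"`.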

TJM commented Apr 25, 2018

I have a few possible ideas...

  • While there is a yum::gpgkey defined type, there should be a yum::gpgkeys parameter to the yum class that handles the creation of the resources. That way the data can be kept in hiera and not require a wrapper class to run "create_resources()" or the $gpgkeys.each equivalent.
  • There maybe could be a way to add the GPG key content directly with the "repo" so that if a repo is 'managed' the GPG key will be added to the system. However, in many cases, I have noticed that a GPG key is used across several repos, so...
  • It could be set up like the repos / managed_repo, where if a key in $gpgkeys is a member of managed_gpgkeys (or managed_repos), it will be added? (I am liking this option)
  • The "OS" GPG keys are installed by OS packages. We could install "epel-release" (at least on CentOS) so long as it is installed before the epel repo is created, but then each time it updates, it would overwrite the repo file and need to be fixed during the next puppet run, potentially causing issues. -- not liking this one

Looking into this... Does anyone else have any opinions/ideas?

TJM commented Apr 26, 2018

As I don't think anyone gets notified by "edits" to an existing post, I have been deliberating with myself (verbally) :p ... and think this might be the best choice:

Add a parameter yum::gpgkeys that would be set up similar to the repos / managed_repo, where if a key in $gpgkeys is a member of managed_gpgkeys (or managed_repos), it will be added.

Any thoughts?

TJM added a commit to TJM/puppet-yum that referenced this issue Apr 30, 2018
TJM added a commit to TJM/puppet-yum that referenced this issue Apr 30, 2018
TJM added a commit to TJM/puppet-yum that referenced this issue May 1, 2018
TJM added a commit to TJM/puppet-yum that referenced this issue May 1, 2018
juniorsysadmin added the enhancement label May 30, 2018
bastelfreak added a commit that referenced this issue Jul 9, 2018
Fixes #95 Add EPEL GPG Key and logic to handle yum::gpgkeys