Drop expired key

Previously, the module installed and managed two GPG keys

RPM-GPG-KEY-puppet-20250406
RPM-GPG-KEY-puppet

The first expired 20250406, so delete references to that.

The second used to be the "legacy" key that expired 20250102, but it was updated
in dcddb95, so is now the "current" key.

Author: joshcooper

acceptance/helpers.rb

@@ -240,7 +240,7 @@ def set_up_initial_agent_on(host, initial_package_version_or_collection)
           # This discrepancy causes apt to error, so we manually add signing info.
           if %r{debian|ubuntu}.match?(host['platform'])
             step '(Agent) Add apt signing information' do
-              on(host, "sed -e 's/^deb http/deb [signed-by=\\/etc\\/apt\\/keyrings\\/GPG-KEY-puppet-20250406.asc] http/' /etc/apt/sources.list.d/puppet*.list -i")
+              on(host, "sed -e 's/^deb http/deb [signed-by=\\/etc\\/apt\\/keyrings\\/GPG-KEY-puppet.asc] http/' /etc/apt/sources.list.d/puppet*.list -i")
             end
           end
 

docker/upgrade/sles/Dockerfile

@@ -46,7 +46,7 @@ RUN if [[ ${before} == 7.* ]]; then \
     fi
 
 # Install FROM version of puppet-agent.
-RUN rpm --import https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406 && \
+RUN rpm --import https://yum.puppet.com/RPM-GPG-KEY-puppet && \
     zypper install --no-confirm --oldpackage --no-recommends --no-confirm puppet-agent-${before}
 
 # This is also duplicated in the docker/bin/helpers/run-upgrade.sh.

manifests/osfamily/redhat.pp

@@ -94,13 +94,10 @@
     }
 
 # lint:ignore:strict_indent
-    $legacy_keyname = 'GPG-KEY-puppet'
-    $legacy_gpg_path = "/etc/pki/rpm-gpg/RPM-${legacy_keyname}"
-    $keyname = 'GPG-KEY-puppet-20250406'
+    $keyname = 'GPG-KEY-puppet'
     $gpg_path = "/etc/pki/rpm-gpg/RPM-${keyname}"
     $gpg_homedir = '/root/.gnupg'
-    $gpg_keys = "file://${legacy_gpg_path}
-  file://${gpg_path}"
+    $gpg_keys = "file://${gpg_path}"
 
     $script = @(SCRIPT/L)
 ACTION=$0
@@ -131,14 +128,6 @@
       }
     }
 
-    file { $legacy_gpg_path:
-      ensure => file,
-      owner  => 0,
-      group  => 0,
-      mode   => '0644',
-      source => "puppet:///modules/puppet_agent/${legacy_keyname}",
-    }
-
     file { $gpg_path:
       ensure => file,
       owner  => 0,
@@ -147,13 +136,6 @@
       source => "puppet:///modules/puppet_agent/${keyname}",
     }
 
-    exec { "import-${legacy_keyname}":
-      path      => '/bin:/usr/bin:/sbin:/usr/sbin',
-      command   => "/bin/bash -c '${script}' import ${gpg_homedir} ${legacy_gpg_path}",
-      unless    => "/bin/bash -c '${script}' check ${gpg_homedir} ${legacy_gpg_path}",
-      require   => File[$legacy_gpg_path],
-      logoutput => 'on_failure',
-    }
     exec { "import-${keyname}":
       path      => '/bin:/usr/bin:/sbin:/usr/sbin',
       command   => "/bin/bash -c '${script}' import ${gpg_homedir} ${gpg_path}",

manifests/osfamily/suse.pp

@@ -62,9 +62,7 @@
     case $facts['os']['release']['major'] {
       '11', '12', '15': {
         # Import the GPG key
-        $legacy_keyname  = 'GPG-KEY-puppet'
-        $legacy_gpg_path = "/etc/pki/rpm-gpg/RPM-${legacy_keyname}"
-        $keyname         = 'GPG-KEY-puppet-20250406'
+        $keyname         = 'GPG-KEY-puppet'
         $gpg_path        = "/etc/pki/rpm-gpg/RPM-${keyname}"
         $gpg_homedir     = '/root/.gnupg'
 
@@ -105,21 +103,6 @@
           source => "puppet:///modules/puppet_agent/${keyname}",
         }
 
-        file { $legacy_gpg_path:
-          ensure => file,
-          owner  => 0,
-          group  => 0,
-          mode   => '0644',
-          source => "puppet:///modules/puppet_agent/${legacy_keyname}",
-        }
-
-        exec { "import-${legacy_keyname}":
-          path      => '/bin:/usr/bin:/sbin:/usr/sbin',
-          command   => "/bin/bash -c '${script}' import ${gpg_homedir} ${legacy_gpg_path}",
-          unless    => "/bin/bash -c '${script}' check ${gpg_homedir} ${legacy_gpg_path}",
-          require   => File[$legacy_gpg_path],
-          logoutput => 'on_failure',
-        }
         exec { "import-${keyname}":
           path      => '/bin:/usr/bin:/sbin:/usr/sbin',
           command   => "/bin/bash -c '${script}' import ${gpg_homedir} ${gpg_path}",

spec/classes/puppet_agent_osfamily_redhat_spec.rb

@@ -62,17 +62,6 @@
 fi
 SCRIPT
 
-      it {
-        is_expected.to contain_exec('import-GPG-KEY-puppet-20250406')
-          .with({
-                  'path'      => '/bin:/usr/bin:/sbin:/usr/sbin',
-                  'command'   => "/bin/bash -c '#{script}' import /root/.gnupg /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406",
-                  'unless'    => "/bin/bash -c '#{script}' check /root/.gnupg /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406",
-                  'require'   => 'File[/etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406]',
-                  'logoutput' => 'on_failure',
-                })
-      }
-
       it {
         is_expected.to contain_exec('import-GPG-KEY-puppet')
           .with({
@@ -103,17 +92,6 @@
         end
       end
 
-      it {
-        is_expected.to contain_file('/etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406')
-          .with({
-                  'ensure' => 'file',
-                  'owner'  => '0',
-                  'group'  => '0',
-                  'mode'   => '0644',
-                  'source' => 'puppet:///modules/puppet_agent/GPG-KEY-puppet-20250406',
-                })
-      }
-
       it {
         is_expected.to contain_file('/etc/pki/rpm-gpg/RPM-GPG-KEY-puppet')
           .with({
@@ -154,7 +132,7 @@
                     'baseurl'  => "http://yum.puppet.com/puppet5/#{urlbit.gsub('/f', '/')}/#{arch}",
                     'enabled'  => 'true',
                     'gpgcheck' => '1',
-                    'gpgkey'   => "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet\n  file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406",
+                    'gpgkey'   => "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet",
                   })
         }
       end
@@ -215,7 +193,7 @@
                     'baseurl'             => "https://master.example.vm:8140/packages/2000.0.0/#{repodir}",
                     'enabled'             => 'true',
                     'gpgcheck'            => '1',
-                    'gpgkey'              => "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet\n  file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406",
+                    'gpgkey'              => "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet",
                     'sslcacert'           => '/etc/puppetlabs/puppet/ssl/certs/ca.pem',
                     'sslclientcert'       => '/etc/puppetlabs/puppet/ssl/certs/foo.example.vm.pem',
                     'sslclientkey'        => '/etc/puppetlabs/puppet/ssl/private_keys/foo.example.vm.pem',

spec/classes/puppet_agent_osfamily_suse_spec.rb

@@ -82,17 +82,6 @@
                       })
             }
 
-            it {
-              is_expected.to contain_exec('import-GPG-KEY-puppet-20250406')
-                .with({
-                        'path'      => '/bin:/usr/bin:/sbin:/usr/sbin',
-                        'command'   => "/bin/bash -c '#{script}' import /root/.gnupg /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406",
-                        'unless'    => "/bin/bash -c '#{script}' check /root/.gnupg /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406",
-                        'require'   => 'File[/etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406]',
-                        'logoutput' => 'on_failure',
-                      })
-            }
-
             context 'with manage_pki_dir => true' do
               ['/etc/pki', '/etc/pki/rpm-gpg'].each do |path|
                 it {
@@ -114,17 +103,6 @@
 
             it { is_expected.to contain_class('puppet_agent::osfamily::suse') }
 
-            it {
-              is_expected.to contain_file('/etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406')
-                .with({
-                        'ensure' => 'file',
-                        'owner'  => '0',
-                        'group'  => '0',
-                        'mode'   => '0644',
-                        'source' => 'puppet:///modules/puppet_agent/GPG-KEY-puppet-20250406',
-                      })
-            }
-
             it {
               is_expected.to contain_file('/etc/pki/rpm-gpg/RPM-GPG-KEY-puppet')
                 .with({
@@ -255,17 +233,6 @@
 
             it { is_expected.to contain_class('puppet_agent::osfamily::suse') }
 
-            it {
-              is_expected.to contain_file('/etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406')
-                .with({
-                        'ensure' => 'file',
-                        'owner'  => '0',
-                        'group'  => '0',
-                        'mode'   => '0644',
-                        'source' => 'puppet:///modules/puppet_agent/GPG-KEY-puppet-20250406',
-                      })
-            }
-
             it {
               is_expected.to contain_file('/etc/pki/rpm-gpg/RPM-GPG-KEY-puppet')
                 .with({

tasks/install_shell.sh

@@ -728,7 +728,7 @@ case $platform in
           rm -f "$gpg_key"
         done
       else
-        for key in "puppet" "puppet-20250406"; do
+        for key in "puppet"; do
           gpg_key="${tmp_dir}/RPM-GPG-KEY-${key}"
           do_download "https://yum.puppet.com/RPM-GPG-KEY-${key}" "$gpg_key"
           rpm --import "$gpg_key"