apt: ensure RSA signing key is refreshed instead of old DSA key

olifre · olifre · commit be302d96a425 · 2025-08-11T11:14:15.000+02:00
Upstream has an older dsa1024 signing key and a more recent rsa4096 signing key in place
which is used for new releases.
While both keys are provided via the same source URL, existing systems installed before
the RSA key was added would never fetch that key, as the DSA key never expires and only
that is refreshed via Puppet.

Ensuring the RSA key is refreshed instead of the DSA key ensures that both keys are present
and that the RSA key is added also for existing systems.
diff --git a/manifests/apt.pp b/manifests/apt.pp
@@ -16,7 +16,7 @@
     location       => $repo_base,
     key            => {
       ensure  => refreshed,
-      id      => '70B9890488208E315ED45208230D389D8AE45CE7',
+      id      => 'FD80468D49B3B24C341741FC8CE0A76C497EA957',
       source  => $repo_gpgkey,
     },
     repos          => 'main',
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
@@ -307,7 +307,7 @@
             else
               it {
                 is_expected.to contain_apt__source('cvmfs').with_key(
-                  { 'ensure' => 'refreshed', 'id' => '70B9890488208E315ED45208230D389D8AE45CE7', 'source' => 'http://example.org/key.gpg' }
+                  { 'ensure' => 'refreshed', 'id' => 'FD80468D49B3B24C341741FC8CE0A76C497EA957', 'source' => 'http://example.org/key.gpg' }
                 )
               }
             end

Original file line number	Diff line number	Diff line change
`@@ -307,7 +307,7 @@`
`307`	`307`	`else`
`308`	`308`	`it {`
`309`	`309`	`is_expected.to contain_apt__source('cvmfs').with_key(`
`310`		`- { 'ensure' => 'refreshed', 'id' => '70B9890488208E315ED45208230D389D8AE45CE7', 'source' => 'http://example.org/key.gpg' }`
	`310`	`+ { 'ensure' => 'refreshed', 'id' => 'FD80468D49B3B24C341741FC8CE0A76C497EA957', 'source' => 'http://example.org/key.gpg' }`
`311`	`311`	`)`
`312`	`312`	`}`
`313`	`313`	`end`