
Recipe for managing apt gpg keys

Note: several apt modules on the Puppet Forge already provide an apt::key resource.

This Puppet definition lets you import PGP keys into apt's trusted keyring (and remove them again).

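# Import (or remove) a PGP key in apt's trusted keyring via a keyserver.
#
# Parameters:
#   $keyid     - key identifier handed to gpg and apt-key. Must be hexadecimal;
#                anything else is rejected before it reaches a shell command.
#                Prefer the full fingerprint over a short 8-hex-digit ID: short
#                IDs are cheap to collide, and the ID is the only thing that
#                selects which key ends up trusted by apt.
#   $ensure    - present imports the key, absent deletes it.
#   $keyserver - keyserver queried on import. The HKP transport is not
#                authenticated, so the fetched key is trusted solely because
#                its ID matched $keyid; verify fingerprints out of band.
define apt::key($keyid, $ensure, $keyserver = 'keyserver.ubuntu.com') {
  # $keyid is interpolated unquoted into the shell commands below, so only
  # accept hex digits. This also catches typos before gpg is ever run.
  if $keyid !~ /^[0-9A-Fa-f]+$/ {
    fail "Invalid 'keyid' value '$keyid' for apt::key: expected a hexadecimal key ID or fingerprint"
  }
  case $ensure {
    present: {
      exec { "Import $keyid to apt keystore":
        path        => '/bin:/usr/bin',
        environment => 'HOME=/root',
        # Fetch into root's gpg keyring, then export the armored key to apt-key.
        command     => "gpg --keyserver $keyserver --recv-keys $keyid && gpg --export --armor $keyid | apt-key add -",
        user        => 'root',
        group       => 'root',
        # Idempotence guard: apt-key prints IDs in upper case, so match
        # case-insensitively or a lower-case $keyid re-imports on every run.
        unless      => "apt-key list | grep -i $keyid",
        logoutput   => on_failure,
      }
    }
    absent:  {
      exec { "Remove $keyid from apt keystore":
        path        => '/bin:/usr/bin',
        environment => 'HOME=/root',
        command     => "apt-key del $keyid",
        user        => 'root',
        group       => 'root',
        # Only attempt deletion while the key is actually present.
        onlyif      => "apt-key list | grep -i $keyid",
      }
    }
    default: {
      fail "Invalid 'ensure' value '$ensure' for apt::key"
    }
  }
}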

You can use this definition as follows:

# Example node: declare one apt::key per key. The title and keyid are the
# same placeholder value here, but the define only reads $keyid.
node mynode {
  apt::key {
    'KEYID':
      keyid  => 'KEYID',
      ensure => present;
    'UNWANTEDKEYID':
      keyid  => 'UNWANTEDKEYID',
      ensure => absent;
  }
}

If you don't want to store your keys on a public keyserver, you could place them on your own web server like this (assuming that wget is installed on all your nodes). Note that the example URL is plain HTTP, so nothing on the node verifies the key it receives; serve the keys over HTTPS or check the fingerprint before trusting them.

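# Import (or remove) a PGP key that is served from your own web server.
# The resource title ($name) is used both as the key ID and as the file
# name fetched from $apt_key_url.
#
# Parameters:
#   $ensure      - 'present' downloads and imports the key, 'absent' deletes it.
#   $apt_key_url - base URL the key files are fetched from. The default is
#                  plain HTTP, so the node cannot tell a genuine key from a
#                  substituted one; use HTTPS, or ship the key with a File
#                  resource and verify its fingerprint, before trusting it.
define apt::key($ensure, $apt_key_url = 'http://www.example.com/apt/keys') {
  # $name ends up in a URL and in shell pipelines; restrict it to hex so it
  # cannot carry path or shell metacharacters.
  if $name !~ /^[0-9A-Fa-f]+$/ {
    fail "Invalid apt::key title '$name': expected a hexadecimal key ID"
  }
  case $ensure {
    'present': {
      exec { "apt-key present $name":
        command => "/usr/bin/wget -q $apt_key_url/$name -O -|/usr/bin/apt-key add -",
        # grep -c exits non-zero when nothing matches, so the import only runs
        # while the key is missing; -i because apt-key prints IDs in upper case.
        unless  => "/usr/bin/apt-key list|/bin/grep -ci $name",
      }
    }
    'absent': {
      exec { "apt-key absent $name":
        command => "/usr/bin/apt-key del $name",
        # Only attempt deletion while the key is actually present.
        onlyif  => "/usr/bin/apt-key list|/bin/grep -ci $name",
      }
    }
    default: {
      fail "Invalid 'ensure' value '$ensure' for apt::key"
    }
  }
}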

Notes:

  • For some repos, just `command => "/usr/bin/wget -q $apt_key_url -O -|/usr/bin/apt-key add -",` is enough (without the `/$name`).
  • After you add a key using this define, make sure you require an `apt-get update` to be run afterwards, otherwise apt keeps using its old package lists.

Alternatively, you could transport the keys to the node with a File resource before importing them into apt, which keeps the key material under Puppet's control rather than fetching it at run time.