3

I'm trying to install Jenkins with Puppet using the manifests below.

    # init.pp
    class jenkins {
      include jenkins::install, jenkins::service
    }

    # service.pp
    class jenkins::service {
      service { "jenkins":
        ensure     => running,
        hasstatus  => true,
        hasrestart => true,
        enable     => true,
        require    => Class["jenkins::install"],
      }
    }

    # install.pp
    class jenkins::install {
      include jenkins::install::repo
      include jenkins::install::java

      package { "jenkins":
        ensure  => present,
        require => Class['jenkins::install::repo','jenkins::install::java'],
      }
    }

    # install/repo.pp
    class jenkins::install::repo {
      file { "/etc/pki/rpm-gpg/jenkins-ci.org.key":
        owner  => root,
        group  => root,
        mode   => 0600,
        source => "puppet:///jenkins/jenkins-ci.org.key"
      }

      yumrepo { "jenkins":
        baseurl  => "http://pkg.jenkins-ci.org/redhat",
        descr    => "Jenkins",
        enabled  => 1,
        gpgcheck => 1,
        gpgkey   => "file:///etc/pki/rpm-gpg/jenkins-ci.org.key",
        require  => File["/etc/pki/rpm-gpg/jenkins-ci.org.key"]
      }
    }

    # install/java.pp
    class jenkins::install::java {
      package { "java-1.6.0-openjdk":
        ensure => present,
      }
    }

The repo is added and the key written to the file system. However, I get the following error.

    err: /Stage[main]/Jenkins::Install/Package[jenkins]/ensure: change from absent to present failed: Execution of '/usr/bin/yum -d 0 -e 0 -y install jenkins' returned 1: warning: rpmts_HdrFromFdno: Header V4 DSA signature: NOKEY, key ID d50582e6
    Traceback (most recent call last):
      File "/usr/bin/yum", line 29, in ?
        yummain.user_main(sys.argv[1:], exit_code=True)
      File "/usr/share/yum-cli/yummain.py", line 309, in user_main
        errcode = main(args)
      File "/usr/share/yum-cli/yummain.py", line 261, in main
        return_code = base.doTransaction()
      File "/usr/share/yum-cli/cli.py", line 410, in doTransaction
        if self.gpgsigcheck(downloadpkgs) != 0:
      File "/usr/share/yum-cli/cli.py", line 510, in gpgsigcheck
        self.getKeyForPackage(po, lambda x, y, z: self.userconfirm())
      File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 3519, in getKeyForPackage
        keys = self._retrievePublicKey(keyurl, repo)
      File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 3484, in _retrievePublicKey
        keys_info = misc.getgpgkeyinfo(rawkey, multiple=True)
      File "/usr/lib/python2.4/site-packages/yum/misc.py", line 375, in getgpgkeyinfo
        raise ValueError(str(e))
    ValueError: unknown pgp packet type 17 at 706

This suggests to me that the key isn't being imported successfully, and rpm -qa gpg-pubkey doesn't show the key. If I manually yum install jenkins without the key imported I get the same error. With the key imported, the manual installation succeeds.

I'm successfully installing other yum repos and keys standalone (basically the install/repo.pp manifest as its own module), such as EPEL, but as this repo is only for Jenkins I wanted to include it in my Jenkins module.

Is there something wrong with my manifests? Or some other problem?

UPDATE:

The following manifest results in the jenkins and epel repos being installed, rpm -qa gpg-pub* shows the epel key but not the jenkins key, and git is installed but not jenkins.

    class jenkins { 
      yumrepo {"jenkins":
        baseurl  => "http://pkg.jenkins-ci.org/redhat",
        descr    => "Jenkins",
        enabled  => 1,
        gpgcheck => 1,
        gpgkey   => "http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key",
      }
      package {"jenkins":
        ensure  => latest,
        require => Yumrepo["jenkins"]
      }
    }

    class git { 
      yumrepo {"epel":
        baseurl  => "http://mirror.aarnet.edu.au/pub/epel/5/i386",
        descr    => "Extra Packages for Enterprise Linux (EPEL)",
        enabled  => 1,
        gpgcheck => 1,
        gpgkey   => "http://keys.gnupg.net:11371/pks/lookup?search=0x217521F6&op=get",
      }
      package {"git":
        ensure  => latest,
        require => Yumrepo["epel"]
      }
    }

    include jenkins
    include git

UPDATE:

Should have included software versions:

  • CentOS 5.7
  • ruby 1.8.5 (2006-08-25)
  • Puppet v2.7.9
  • yum-3.2.22
  • rpm-4.4.2.3
michaeltwofish
  • For a workaround, see [this thread on the puppet users list](https://groups.google.com/forum/?fromgroups#!topic/puppet-users/Yxiekm0j1J4) – michaeltwofish May 08 '12 at 03:35

4 Answers

1

It appears that rpm has problems importing the Jenkins key because it contains a JPEG image.

https://www.rfc-editor.org/rfc/rfc4880

packet type 17 is an image:

https://www.rfc-editor.org/rfc/rfc4880#section-5.12

    > gpg --list-keys D50582E6
    pub   1024D/D50582E6 2009-02-01
    uid                  Kohsuke Kawaguchi
    uid                  Kohsuke Kawaguchi
    uid                  [jpeg image of size 3704]
    sub   2048g/10AF40FE 2009-02-01

It seems that RPM doesn't know what to do with it.

    > sudo rpm --import jenkins-ci.org.key
    [sudo] password for me:
    error: jenkins-ci.org.key: import read failed(-1).

Googling around for any known issues for RPM doesn't turn up anything obvious, but maybe this gives you a direction.

Kindjal
  • As I mentioned in the question, I'm able to manually import the key without issue, it's only Puppet that fails to import the key. – michaeltwofish May 07 '12 at 11:40
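
To check whether a key file carries the packet type named in the yum traceback, the packet headers can be walked as RFC 4880 section 4.2 describes. The following is an added example, not code from the answer above or from yum or rpm; the sample key is constructed with dummy packet bodies and a placeholder armor checksum, and the function names are this example's own.

```python
import base64

USER_ATTRIBUTE = 17  # RFC 4880 section 5.12 (photo ID); the type in the yum traceback

def dearmor(text):
    """Decode an ASCII-armored OpenPGP block to its binary packets."""
    lines = [l.strip() for l in text.strip().splitlines()]
    body = lines[lines.index("") + 1:-1]          # skip armor headers and END line
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))

def packets(data):
    """Yield (tag, offset, body_length) per packet (RFC 4880 section 4.2)."""
    pos = 0
    while pos < len(data):
        start, hdr = pos, data[pos]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header at %d" % pos)
        pos += 1
        if hdr & 0x40:                            # new format: 6-bit tag
            tag, first = hdr & 0x3F, data[pos]
            if first < 192:                       # one-octet length
                length, pos = first, pos + 1
            elif first < 224:                     # two-octet length
                length = ((first - 192) << 8) + data[pos + 1] + 192
                pos += 2
            elif first == 255:                    # five-octet length
                length = int.from_bytes(data[pos + 1:pos + 5], "big")
                pos += 5
            else:
                raise ValueError("partial body length at %d not handled" % pos)
        else:                                     # old format: 4-bit tag (0-15 only)
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length at %d not handled" % pos)
            length = int.from_bytes(data[pos:pos + (1 << ltype)], "big")
            pos += 1 << ltype
        yield tag, start, length
        pos += length

def user_attribute_offsets(data):
    """Offsets of every user attribute packet in a binary key."""
    return [off for tag, off, _ in packets(data) if tag == USER_ATTRIBUTE]

# Constructed sample (dummy bodies, not a real key): public key, user ID,
# signature, 200-byte user attribute, signature, subkey.
SAMPLE = (b"\x98\x04KEY0" + b"\xb4\x10Constructed User" + b"\x88\x03SIG"
          + b"\xd1\xc0\x08" + b"\x00" * 200 + b"\x88\x03SIG" + b"\xb8\x04SUB0")
SAMPLE_ARMORED = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
                  + base64.encodebytes(SAMPLE).decode()
                  + "=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n")  # placeholder CRC

if __name__ == "__main__":
    for tag, off, length in packets(dearmor(SAMPLE_ARMORED)):
        mark = "  <- user attribute" if tag == USER_ATTRIBUTE else ""
        print("offset %4d  tag %2d  length %4d%s" % (off, tag, length, mark))
```

Tag 17 does not fit in the 4-bit tag field of an old-format header, so a user attribute packet always uses the new-format header.
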
1

I tested your simplified manifest on:

  • CentOS 6.2
  • ruby 1.8.7 (2011-06-30 patchlevel 352)
  • Puppet v2.7.9
  • yum-3.2.29-22.el6
  • rpm-4.8.0-19.el6

Both repos are added successfully.

From the error message, it does look like the error message is coming from yum, not puppet or anything else.

Can you provide a similar description of your environment? Probably most important is the version of yum.

Try upgrading it to at least 3.2.29 (latest stable 3.2.x). Changelog is here, references some significant fixes relating to GPG keys.

Mike Fiedler
  • You're right that the error is coming from yum and just being passed on by Puppet, as I get the same error when I install without importing the key. I definitely should have included version information, especially as my versions are significantly older. I'll update the question to include versions and see if updating yum makes a difference. – michaeltwofish May 07 '12 at 12:14
  • Thanks, that helps a lot. Have you tried updating yum to the latest version yet? – Mike Fiedler May 07 '12 at 12:21
  • I ran `yum update yum` and got 3.2.22-39, which still failed in the same way. I'm investigating upgrading yum to 3.2.29 and will report back. – michaeltwofish May 07 '12 at 12:42
  • It looks like the CentOS/RedHat 5.x branch won't go beyond yum 3.2.22, so you might want to ask for a backport from RedHat's Bugzilla. – Mike Fiedler May 07 '12 at 12:54
  • Thanks again for your help (and super quick responses), I might go with a workaround pure Puppet solution. – michaeltwofish May 07 '12 at 13:23
  • Or move to CentOS 6.2. ;) It's great. Also, if the question is answered, please consider accepting it. – Mike Fiedler May 07 '12 at 14:48
  • Yeah, I don't have control over the distro (which I think is pretty much the case for anyone on CentOS 5.x :) Though I appreciate the help, I can't really say that your answer was correct because I can't easily upgrade yum enough to see. See the link in my comment on the question for the basis of the workaround I ended up using. – michaeltwofish May 08 '12 at 03:39
0

You will probably need to add an `rpm --import <PUBKEY>` command in your manifest.

The Exec type reference documentation is here.

Perhaps you can try adding assumeyes=1 to the repo file; together with the gpgkey option, this should add the key automatically.

рüффп
Bram
0

This is super after-the-fact but here's what I ended up going with:

    if ($::operatingsystemmajrelease == '5'){
      exec { 'EL5 Jenkins Key Workaround':
        command  => 'rpm --import http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key',
        unless   => "rpm -qa --nodigest --nosignature --qf '%{VERSION}-%{RELEASE} %{SUMMARY}\n' | grep d50582e6",
        path     => ['/bin', '/usr/bin'],
      }
    }

I added a PR to add this workaround to the official module:

https://github.com/jenkinsci/puppet-jenkins/pull/344/files

Longer breakdown here:

http://dan.carley.co/blog/2012/05/22/yum-gpg-keys-for-jenkins/

Peter Souter