Installing Jenkins with Puppet fails to import GPG key

Question

I'm trying to install Jenkins with Puppet using the manifests below.

 # init.pp class jenkins { include jenkins::install, jenkins::service } # service.pp class jenkins::service { service { "jenkins": ensure => running, hasstatus => true, hasrestart => true, enable => true, require => Class["jenkins::install"], } } # install.pp class jenkins::install { include jenkins::install::repo include jenkins::install::java package { "jenkins": ensure => present, require => Class['jenkins::install::repo','jenkins::install::java'], } } # install/repo.pp class jenkins::install::repo { file { "/etc/pki/rpm-gpg/jenkins-ci.org.key": owner => root, group => root, mode => 0600, source => "puppet:///jenkins/jenkins-ci.org.key" } yumrepo { "jenkins": baseurl => "http://pkg.jenkins-ci.org/redhat", descr => "Jenkins", enabled => 1, gpgcheck => 1, gpgkey => "file:///etc/pki/rpm-gpg/jenkins-ci.org.key", require => File["/etc/pki/rpm-gpg/jenkins-ci.org.key"] } } # install/java.pp class jenkins::install::java { package { "java-1.6.0-openjdk": ensure => present, } } 

The repo is added and the key written to the file system. However, I get the following error.

 err: /Stage[main]/Jenkins::Install/Package[jenkins]/ensure: change from absent to present failed: Execution of '/usr/bin/yum -d 0 -e 0 -y install jenkins' returned 1: warning: rpmts_HdrFromFdno: Header V4 DSA signature: NOKEY, key ID d50582e6 Traceback (most recent call last): File "/usr/bin/yum", line 29, in ? yummain.user_main(sys.argv[1:], exit_code=True) File "/usr/share/yum-cli/yummain.py", line 309, in user_main errcode = main(args) File "/usr/share/yum-cli/yummain.py", line 261, in main return_code = base.doTransaction() File "/usr/share/yum-cli/cli.py", line 410, in doTransaction if self.gpgsigcheck(downloadpkgs) != 0: File "/usr/share/yum-cli/cli.py", line 510, in gpgsigcheck self.getKeyForPackage(po, lambda x, y, z: self.userconfirm()) File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 3519, in getKeyForPackage keys = self._retrievePublicKey(keyurl, repo) File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 3484, in _retrievePublicKey keys_info = misc.getgpgkeyinfo(rawkey, multiple=True) File "/usr/lib/python2.4/site-packages/yum/misc.py", line 375, in getgpgkeyinfo raise ValueError(str(e)) ValueError: unknown pgp packet type 17 at 706 

This suggests to me that the key isn't being imported successfully, and rpm -qa gpg-pubkey doesn't show the key. If I manually yum install jenkins without the key imported I get the same error. With the key imported, the manual installation succeeds.

I'm successfully installing other yum repos and keys standalone (basically the install/repo.pp manifest as its own module), such as EPEL, but as this repo is only for Jenkins I wanted to include it in my Jenkins module.

Is there something wrong with my manifests? Or some other problem?

UPDATE:

The following manifest results in the jenkins and epel repos being installed, rpm -qa gpg-pub* shows the epel key but not the jenkins key, and git is installed but not jenkins.

 class jenkins { yumrepo {"jenkins": baseurl => "http://pkg.jenkins-ci.org/redhat", descr => "Jenkins", enabled => 1, gpgcheck => 1, gpgkey => "http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key", } package {"jenkins": ensure => latest, require => Yumrepo["jenkins"] } } class git { yumrepo {"epel": baseurl => "http://mirror.aarnet.edu.au/pub/epel/5/i386", descr => "Extra Packages for Enterprise Linux (EPEL)", enabled => 1, gpgcheck => 1, gpgkey => "http://keys.gnupg.net:11371/pks/lookup?search=0x217521F6&op=get", } package {"git": ensure => latest, require => Yumrepo["epel"] } } include jenkins include git 

UPDATE:

Should have included software versions:

• CentOS 5.7
• ruby 1.8.5 (2006-08-25)
• Puppet v2.7.9
• yum-3.2.22
• rpm-4.4.2.3

Answer 1

It appears that rpm has problems importing the Jenkins key because it contains a JPEG image.

https://www.rfc-editor.org/rfc/rfc4880

packet type 17 is an image:

https://www.rfc-editor.org/rfc/rfc4880#section-5.12

 > gpg --list-keys D50582E6 pub 1024D/D50582E6 2009-02-01 uid Kohsuke Kawaguchi uid Kohsuke Kawaguchi uid [jpeg image of size 3704] sub 2048g/10AF40FE 2009-02-01 

It seems that RPM doesn't know what to do with it.

 > sudo rpm --import jenkins-ci.org.key [sudo] password for me: error: jenkins-ci.org.key: import read failed(-1). 

Googling around for any known issues for RPM doesn't turn up anything obvious, but maybe this gives you a direction.

Answer 2

I tested your simplified manifest on:

• CentOS 6.2
• ruby 1.8.7 (2011-06-30 patchlevel 352)
• Puppet v2.7.9
• yum-3.2.29-22.el6
• rpm-4.8.0-19.el6

Both repos are added successfully.

From the error message, it does look like the error message is coming from yum, not puppet or anything else.

Can you provide a similar description of your environment? Probably most important is the version of yum.

Try upgrading it to at least 3.2.29 (latest stable 3.2.x). Changelog is here, references some significant fixes relating to GPG keys.

Answer 3

This is super after-the-fact but here's what I ended up going with:

if ($::operatingsystemmajrelease == '5'){ exec { 'EL5 Jenkins Key Workaround': command => 'rpm --import http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key', unless => "rpm -qa --nodigest --nosignature --qf '%{VERSION}-%{RELEASE} %{SUMMARY}\n' | grep d50582e6", path => ['/bin', '/usr/bin'], } } 

I added a PR to add this workaround to the official module:

https://github.com/jenkinsci/puppet-jenkins/pull/344/files

Longer breakdown here:

http://dan.carley.co/blog/2012/05/22/yum-gpg-keys-for-jenkins/

Answer 4

You will probably need to add and rpm --import <PUBKEY> command in your manifest.

The Exec type reference documentation is here.

Perhaps you can try adding assumeyes=1 to the repo file, together with the gpgkey option this should add the key automatically.