Installing Jenkins with Puppet fails to import GPG key

I'm trying to install Jenkins with Puppet using the manifests below.

    # init.pp
    class jenkins {
      include jenkins::install, jenkins::service
    }

    # service.pp
    class jenkins::service {
      service { "jenkins":
        ensure     => running,
        hasstatus  => true,
        hasrestart => true,
        enable     => true,
        require    => Class["jenkins::install"],
      }
    }

    # install.pp
    class jenkins::install {
      include jenkins::install::repo
      include jenkins::install::java

      package { "jenkins":
        ensure  => present,
        require => Class['jenkins::install::repo','jenkins::install::java'],
      }
    }

    # install/repo.pp
    class jenkins::install::repo {
      file { "/etc/pki/rpm-gpg/jenkins-ci.org.key":
        owner  => root,
        group  => root,
        mode   => 0600,
        source => "puppet:///jenkins/jenkins-ci.org.key"
      }

      yumrepo { "jenkins":
        baseurl  => "http://pkg.jenkins-ci.org/redhat",
        descr    => "Jenkins",
        enabled  => 1,
        gpgcheck => 1,
        gpgkey   => "file:///etc/pki/rpm-gpg/jenkins-ci.org.key",
        require  => File["/etc/pki/rpm-gpg/jenkins-ci.org.key"]
      }
    }

    # install/java.pp
    class jenkins::install::java {
      package { "java-1.6.0-openjdk":
        ensure => present,
      }
    }

The repo is added and the key written to the file system. However, I get the following error.

    err: /Stage[main]/Jenkins::Install/Package[jenkins]/ensure: change from absent to present failed: Execution of '/usr/bin/yum -d 0 -e 0 -y install jenkins' returned 1: warning: rpmts_HdrFromFdno: Header V4 DSA signature: NOKEY, key ID d50582e6
    Traceback (most recent call last):
      File "/usr/bin/yum", line 29, in ?
        yummain.user_main(sys.argv[1:], exit_code=True)
      File "/usr/share/yum-cli/yummain.py", line 309, in user_main
        errcode = main(args)
      File "/usr/share/yum-cli/yummain.py", line 261, in main
        return_code = base.doTransaction()
      File "/usr/share/yum-cli/cli.py", line 410, in doTransaction
        if self.gpgsigcheck(downloadpkgs) != 0:
      File "/usr/share/yum-cli/cli.py", line 510, in gpgsigcheck
        self.getKeyForPackage(po, lambda x, y, z: self.userconfirm())
      File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 3519, in getKeyForPackage
        keys = self._retrievePublicKey(keyurl, repo)
      File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 3484, in _retrievePublicKey
        keys_info = misc.getgpgkeyinfo(rawkey, multiple=True)
      File "/usr/lib/python2.4/site-packages/yum/misc.py", line 375, in getgpgkeyinfo
        raise ValueError(str(e))
    ValueError: unknown pgp packet type 17 at 706

This suggests to me that the key isn't being imported successfully, and rpm -qa gpg-pubkey doesn't show the key. If I manually yum install jenkins without the key imported I get the same error. With the key imported, the manual installation succeeds.

I'm successfully installing other yum repos and keys standalone (basically the install/repo.pp manifest as its own module), such as EPEL, but as this repo is only for Jenkins I wanted to include it in my Jenkins module.

Is there something wrong with my manifests? Or some other problem?

UPDATE:

The following manifest results in the jenkins and epel repos being installed, rpm -qa gpg-pub* shows the epel key but not the jenkins key, and git is installed but not jenkins.

    class jenkins { 
      yumrepo {"jenkins":
        baseurl  => "http://pkg.jenkins-ci.org/redhat",
        descr    => "Jenkins",
        enabled  => 1,
        gpgcheck => 1,
        gpgkey   => "http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key",
      }
      package {"jenkins":
        ensure  => latest,
        require => Yumrepo["jenkins"]
      }
    }

    class git { 
      yumrepo {"epel":
        baseurl  => "http://mirror.aarnet.edu.au/pub/epel/5/i386",
        descr    => "Extra Packages for Enterprise Linux (EPEL)",
        enabled  => 1,
        gpgcheck => 1,
        gpgkey   => "http://keys.gnupg.net:11371/pks/lookup?search=0x217521F6&op=get",
      }
      package {"git":
        ensure  => latest,
        require => Yumrepo["epel"]
      }
    }

    include jenkins
    include git

UPDATE:

Should have included software versions:

CentOS 5.7
ruby 1.8.5 (2006-08-25)
Puppet v2.7.9
yum-3.2.22
rpm-4.4.2.3

Best Answer

It appears that rpm has problems importing the Jenkins key because it contains a JPEG image.

https://www.rfc-editor.org/rfc/rfc4880

packet type 17 is an image:

https://www.rfc-editor.org/rfc/rfc4880#section-5.12

> gpg --list-keys D50582E6
pub   1024D/D50582E6 2009-02-01
uid                  Kohsuke Kawaguchi 
uid                  Kohsuke Kawaguchi 
uid                  [jpeg image of size 3704]
sub   2048g/10AF40FE 2009-02-01

It seems that RPM doesn't know what to do with it.

> sudo rpm --import jenkins-ci.org.key 
[sudo] password for me: 
error: jenkins-ci.org.key: import read failed(-1).

Googling around for any known issues for RPM doesn't turn up anything obvious, but maybe this gives you a direction.

Best Answer

Related Solutions

Jenkins CI fails to initialise

Invalid parameter for defined type

Related Topic