Recently the GPG key that Puppet uses for their Debian and Ubuntu repositories expired. When updating package sources this results in a message like:
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://apt.puppetlabs.com noble InRelease: The following signatures were invalid: EXPKEYSIG 4528B6CD9E61EF26 Puppet, Inc. Release Key
And the package source is ignored.
To fix the updated GPG key needs to be installed. First, use apt-key list to double check where the key is sourced from:
# apt-key list
/etc/apt/trusted.gpg
--------------------
pub rsa4096 2017-02-22 [SCEA]
9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88
uid [ unknown] Docker Release (CE deb) <docker@docker.com>
sub rsa4096 2017-02-22 [S]
....
/etc/apt/trusted.gpg.d/puppet8-keyring.gpg
------------------------------------------
pub rsa4096 2013-02-06 [SC] [expired: 2019-02-11]
8735 F5AF 62A9 9A62 8EC1 3377 B8F9 99C0 07BB 6C57
uid [ expired] Puppet Labs Nightly Build Key (Puppet Labs Nightly Build Key) <delivery@puppetlabs.com>
uid [ expired] Puppet Labs Nightly Build Key (Puppet Labs Nightly Build Key) <info@puppetlabs.com>
pub rsa4096 2016-08-18 [SC] [expired: 2021-08-17]
6F6B 1550 9CF8 E59E 6E46 9F32 7F43 8280 EF8D 349F
uid [ expired] Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>
pub rsa4096 2019-04-08 [SC] [expired: 2025-04-06]
D681 1ED3 ADEE B844 1AF5 AA8F 4528 B6CD 9E61 EF26
uid [ expired] Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>
In this case it is sourced from /etc/apt/trusted.gpg.d/puppet8-keyring.gpg.
The current key is available from the Puppet repository site, https://apt.puppet.com. The direct link is: https://apt.puppet.com/DEB-GPG-KEY-future.
Reokace the existing keyring file with a dearmored key:
curl https://apt.puppet.com/DEB-GPG-KEY-future | \
sudo gpg --dearmor --yes -o /etc/apt/trusted.gpg.d/puppet8-keyring.gpg
The package source should now update.