GPG signature verification fails on download for older PE versions #216

Closed
reidmv opened this issue Sep 30, 2021 · 0 comments · Fixed by #219
reidmv commented Sep 30, 2021

Describe the Bug

Puppet changed their signing key in 2020. Therefore, if you try to install a version of PE that predates that signing key being used, the default behavior of peadm::download won't be sufficient to verify it, because the older signing key, which is the key that was used to sign the older package, won't be installed.

Finished: plan peadm::install in 42.17 sec
Failed on pe-lg.puppet.vm:
  The task failed with exit code 1
  Downloading: https://s3.amazonaws.com/pe-builds/released/2019.8.1/puppet-enterprise-2019.8.1-el-7-x86_64.tar.gz.asc
  Temporary file created at: /tmp/tmp.gHYmklkIwi
  Verifying /tmp/puppet-enterprise-2019.8.1-el-7-x86_64.tar.gz...
  Signature verification failed
  Downloading: https://s3.amazonaws.com/pe-builds/released/2019.8.1/puppet-enterprise-2019.8.1-el-7-x86_64.tar.gz
  Temporary file created at: /tmp/tmp.IZxjQVsW9T
  Verifying /tmp/puppet-enterprise-2019.8.1-el-7-x86_64.tar.gz...
  pub   4096R/9E61EF26 2019-04-08 [expires: 2025-04-06]
  uid                  Puppet, Inc. Release Key (Puppet, Inc. Release Key) <[email protected]>
  sub   4096R/9F057A83 2019-04-08 [expires: 2025-04-06]
  
  Signature verification failed
Failed on 1 target: pe-lg.puppet.vm

It works if you pre-install the old key.

gpg --keyserver hkp://keyserver.ubuntu.com:11371 --recv-key 7F438280EF8D349F

Expected Behavior

The peadm::install plan should run, out of the box, for all supported PE versions. It shouldn't be necessary to perform any special pre-install steps.

Steps to Reproduce

Try to install PE 2019.8.1 on a target that has gpg already installed.

Additional Context

We don't actually care about signature validation by default; we really just wanted digest validation. Suggested solution is to make signature validation opt-in, with options to supply the signing key. By default, don't do gpg validation. It's overkill. See if simple digest validation can be achieved; skip it if not.

davidsandilands added a commit that referenced this issue Oct 4, 2021
Determine validation key from asc signature file
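The approach named in that commit title, reading the signing key ID out of the .asc file so the right key can be fetched before `gpg --verify` runs, can be done without shelling out to gpg at all. The following is an added example, not peadm's own code and not the code from the referenced commit: it strips the ASCII armor from a detached signature, walks the OpenPGP packet and subpacket headers from RFC 4880, and returns the issuer key ID(s). The sample signature it feeds itself is constructed in `build_sample_signature` (a structurally valid v4 packet with a placeholder MPI, so it parses but would never verify); the only value taken from the issue is the key ID 7F438280EF8D349F and the keyserver command printed at the end.

```python
"""Extract issuer key IDs from a detached OpenPGP .asc signature (added example)."""
import base64
import struct

SIGNATURE_PACKET = 2          # RFC 4880 s5.2
SUB_ISSUER = 16               # 8-byte long key ID
SUB_ISSUER_FINGERPRINT = 33   # version byte + full fingerprint (RFC 4880bis)


def dearmor(armored: str) -> bytes:
    """Strip ASCII armor (RFC 4880 s6.2) and return the raw packet bytes."""
    lines = iter(armored.splitlines())
    for line in lines:
        if line.strip() == "-----BEGIN PGP SIGNATURE-----":
            break
    else:
        raise ValueError("not an armored PGP signature")
    b64, in_headers = [], True
    for line in lines:
        s = line.strip()
        if s == "-----END PGP SIGNATURE-----":
            break
        if in_headers:
            if s == "":                 # blank line ends the armor headers
                in_headers = False
                continue
            if ": " in s:               # e.g. "Version: GnuPG v2"
                continue
            in_headers = False          # no headers at all: this line is data
        if s.startswith("="):           # 24-bit CRC line, not packet data
            continue
        b64.append(s)
    return base64.b64decode("".join(b64))


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet; handles old- and new-format headers (s4.2)."""
    pos = 0
    while pos < len(data):
        first = data[pos]
        if not first & 0x80:
            raise ValueError("bad packet tag byte")
        pos += 1
        if first & 0x40:                                  # new-format header
            tag, lb = first & 0x3F, data[pos]
            if lb < 192:
                length, pos = lb, pos + 1
            elif lb < 224:
                length, pos = ((lb - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif lb == 255:
                length, pos = struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5
            else:
                raise ValueError("partial body lengths not supported")
        else:                                             # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                length = len(data) - pos                  # indeterminate length
            else:
                n = (1, 2, 4)[ltype]
                length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        yield tag, data[pos:pos + length]
        pos += length


def iter_subpackets(data: bytes):
    """Yield (type, body) for signature subpackets (s5.2.3.1); length includes the type byte."""
    pos = 0
    while pos < len(data):
        lb = data[pos]
        if lb < 192:
            length, pos = lb, pos + 1
        elif lb < 255:
            length, pos = ((lb - 192) << 8) + data[pos + 1] + 192, pos + 2
        else:
            length, pos = struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5
        yield data[pos] & 0x7F, data[pos + 1:pos + length]   # high bit = "critical" flag
        pos += length


def issuer_key_id(body: bytes) -> str:
    """Long key ID (16 hex chars) of the key that made this signature packet."""
    version = body[0]
    if version == 3:                    # v3: version, 5, sigtype, time(4), keyid(8), ...
        return body[7:15].hex().upper()
    if version != 4:
        raise ValueError(f"unsupported signature version {version}")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    off = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[off:off + 2])[0]
    key_id = None
    for area in (body[6:off], body[off + 2:off + 2 + unhashed_len]):
        for sub_type, sub in iter_subpackets(area):
            if sub_type == SUB_ISSUER_FINGERPRINT and sub[0] == 4:
                return sub[1:21][-8:].hex().upper()   # v4 key ID = low 64 bits of fingerprint
            if sub_type == SUB_ISSUER and key_id is None:
                key_id = sub.hex().upper()
    if key_id is None:
        raise ValueError("signature carries no Issuer subpacket")
    return key_id


def signing_key_ids(armored: str) -> list:
    """Key IDs of every signature packet in a detached .asc file, in order."""
    return [issuer_key_id(body) for tag, body in iter_packets(dearmor(armored))
            if tag == SIGNATURE_PACKET]


def build_sample_signature(key_id_hex: str) -> str:
    """Constructed test input: a v4 RSA/SHA-256 signature packet naming key_id_hex as issuer."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1598918400)      # creation time (arbitrary)
    unhashed = bytes([9, SUB_ISSUER]) + bytes.fromhex(key_id_hex)
    mpi = struct.pack(">H", 16) + b"\xde\xad"                   # placeholder, not a real sig
    body = (bytes([4, 0x00, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x12\x34" + mpi)
    packet = bytes([0xC0 | SIGNATURE_PACKET, len(body)]) + body   # new-format header
    return ("-----BEGIN PGP SIGNATURE-----\nVersion: constructed\n\n"
            + base64.b64encode(packet).decode() + "\n=AAAA\n-----END PGP SIGNATURE-----\n")


if __name__ == "__main__":
    for kid in signing_key_ids(build_sample_signature("7F438280EF8D349F")):
        print(f"gpg --keyserver hkp://keyserver.ubuntu.com:11371 --recv-key {kid}")
```

On a real .asc file, `gpg --list-packets puppet-enterprise-2019.8.1-el-7-x86_64.tar.gz.asc` shows the same "issuer key ID" the parser returns. One caveat worth keeping in mind with this fix: fetching whatever key the signature names from a keyserver only proves the tarball was signed by the holder of that key, not that the key is Puppet's. The ID-to-key binding should still be pinned by comparing the fetched key's full fingerprint against a list shipped with the installer, or the verification step is no stronger than the digest check the issue says was wanted in the first place.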