stretch signed-by key in /etc/apt
We have a deb [signed-by=${archive_key}] but since stretch you can't dump a key in /etc/apt/trusted.d/ anymore, so the leap repo wasn't getting validated. the keys inside puppet and the debian package (leap-archive-keyring) aren't identical, but that doesn't seem to be relevant.