* [pve-devel] [PATCH manager 1/2] fix #6539: apl: use sqv instead of gpgv to verify signatures
@ 2025-07-22 12:36 Shannon Sterz
2025-07-22 12:36 ` [pve-devel] [PATCH manager 2/2] apl: make keyring generation output keys as binary again Shannon Sterz
2025-07-22 14:27 ` [pve-devel] applied: [PATCH manager 1/2] fix #6539: apl: use sqv instead of gpgv to verify signatures Thomas Lamprecht
0 siblings, 2 replies; 3+ messages in thread
From: Shannon Sterz @ 2025-07-22 12:36 UTC (permalink / raw)
To: pve-devel
debian trixie based installs don't ship with gpgv so take this
opportunity and use sqv directly. sqv can deal with both armored and
dearmored keys. this has the side-effect of closing #6539. which
occured, due to sequioa dropping the `--binary` option for merging
keys into a keyring and would always output them in an armored
formart. gpgv cannot handle armored keys and would therefore fail to
verify signatures.
while sqv is pre-installed, adding it as an explicit dependency should
still avoid problems if it is removed at some point (like gpgv was).
Closes: #6539
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
PVE/APLInfo.pm | 2 +-
debian/control | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/PVE/APLInfo.pm b/PVE/APLInfo.pm
index 5371ad7ba..433a8ef4b 100644
--- a/PVE/APLInfo.pm
+++ b/PVE/APLInfo.pm
@@ -171,7 +171,7 @@ sub download_aplinfo {
# verify signature
my $trustedkeyring = "/usr/share/doc/pve-manager/trustedkeys.gpg";
- my $cmd = "/usr/bin/gpgv -q --keyring $trustedkeyring $sigfn $tmp";
+ my $cmd = "/usr/bin/sqv --keyring $trustedkeyring $sigfn $tmp";
my $logfunc = sub { logmsg($logfd, "signature verification: $_[0]"); };
eval { run_command($cmd, outfunc => $logfunc, errfunc => $logfunc); };
diff --git a/debian/control b/debian/control
index 8557cb1e3..ffac171c9 100644
--- a/debian/control
+++ b/debian/control
@@ -94,6 +94,7 @@ Depends: apt (>= 1.5~),
qemu-server (>= 9.0.2),
rsync,
spiceterm,
+ sqv,
systemd,
vncterm,
wget,
--
2.47.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 3+ messages in thread
* [pve-devel] [PATCH manager 2/2] apl: make keyring generation output keys as binary again
2025-07-22 12:36 [pve-devel] [PATCH manager 1/2] fix #6539: apl: use sqv instead of gpgv to verify signatures Shannon Sterz
@ 2025-07-22 12:36 ` Shannon Sterz
2025-07-22 14:27 ` [pve-devel] applied: [PATCH manager 1/2] fix #6539: apl: use sqv instead of gpgv to verify signatures Thomas Lamprecht
1 sibling, 0 replies; 3+ messages in thread
From: Shannon Sterz @ 2025-07-22 12:36 UTC (permalink / raw)
To: pve-devel
sequioa dropped the `--binary` flag for keyring generation and only
outputs ascii armored keyrings. so make it dearmor the key afterward
to keep the key format consistent with the file ending (".gpg") again.
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
aplinfo/Makefile | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/aplinfo/Makefile b/aplinfo/Makefile
index 1c6b61505..17d61ca74 100644
--- a/aplinfo/Makefile
+++ b/aplinfo/Makefile
@@ -20,7 +20,9 @@ update:
mv aplinfo.dat.tmp aplinfo.dat
trustedkeys.gpg: $(TRUSTED_KEYS)
- sq keyring merge --output $@.tmp $(TRUSTED_KEYS)
+ sq keyring merge --output $(basename $@).asc.tmp $(TRUSTED_KEYS)
+ sq packet dearmor $(basename $@).asc.tmp --output $@.tmp
+ rm $(basename $@).asc.tmp
mv $@.tmp $@
.PHONY: clean
--
2.47.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 3+ messages in thread
* [pve-devel] applied: [PATCH manager 1/2] fix #6539: apl: use sqv instead of gpgv to verify signatures
2025-07-22 12:36 [pve-devel] [PATCH manager 1/2] fix #6539: apl: use sqv instead of gpgv to verify signatures Shannon Sterz
2025-07-22 12:36 ` [pve-devel] [PATCH manager 2/2] apl: make keyring generation output keys as binary again Shannon Sterz
@ 2025-07-22 14:27 ` Thomas Lamprecht
1 sibling, 0 replies; 3+ messages in thread
From: Thomas Lamprecht @ 2025-07-22 14:27 UTC (permalink / raw)
To: pve-devel, Shannon Sterz
On Tue, 22 Jul 2025 14:36:57 +0200, Shannon Sterz wrote:
> debian trixie based installs don't ship with gpgv so take this
> opportunity and use sqv directly. sqv can deal with both armored and
> dearmored keys. this has the side-effect of closing #6539. which
> occured, due to sequioa dropping the `--binary` option for merging
> keys into a keyring and would always output them in an armored
> formart. gpgv cannot handle armored keys and would therefore fail to
> verify signatures.
>
> [...]
Applied, thanks!
[1/2] fix #6539: apl: use sqv instead of gpgv to verify signatures
commit: 15a67b13e7e9b1c06f473fdc62b96f983293e063
[2/2] apl: make keyring generation output keys as binary again
commit: 5034a93f6d6ede028ba53b8a2963a882ba0bafa3
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2025-07-22 14:26 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-07-22 12:36 [pve-devel] [PATCH manager 1/2] fix #6539: apl: use sqv instead of gpgv to verify signatures Shannon Sterz
2025-07-22 12:36 ` [pve-devel] [PATCH manager 2/2] apl: make keyring generation output keys as binary again Shannon Sterz
2025-07-22 14:27 ` [pve-devel] applied: [PATCH manager 1/2] fix #6539: apl: use sqv instead of gpgv to verify signatures Thomas Lamprecht
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.