From: Fabian Grünbichler
To: Proxmox VE development discussion
Date: Fri, 07 Nov 2025 11:13:36 +0100
Subject: Re: [pve-devel] [PATCH v6 0/4] fix #5207: apt: check signature of repos with proxmox-pgp
In-Reply-To: <20251030132844.188242-1-n.frey@proxmox.com>
Message-Id: <1762510326.l213rfyx7o.astroid@yuna.none>

other than the small comments on two of the patches I just sent, this
seems to do the job! it does somewhat rely on APT internals, but those
are unlikely to change any time soon, and if they do, we just lose a
tiny bit of info, so it's not too grave either..

On October 30, 2025 2:28 pm, Nicolas Frey wrote:
> This patch series moves in pgp verification code from POM into its
> own micro-crate `proxmox-pgp` to reuse it to verify a package is of
> Proxmox Origin, which fixes #5207.
>
> If this patch series is applied, then `proxmox-offline-mirror` should
> use the `proxmox-pgp` crate.
>
> The last patch again adds in the local file fallback in case that the
> URI starts with `file://` for (IMO) better UX. I'm fine with this
> being dropped if it's not desired, though.
>
> Changes since v5 (thanks @Shannon):
> * changed imports to be module level and correct ordering
> * adjust the signature verification to make it more viable to be in
>   a library by collecting the errors and returning it as one
>   instead of directly printing to `stderr`
> * cleaned up some minor nits
>
> Changes since v4 (thanks @Thomas for feedback):
> * added `proxmox-pgp` micro-crate and moved code from POM
> * removed reliance on gpgv in favor of now available `verify_signature`
>   function in `proxmox-pgp`
> * removed http(s) fallback for cached InRelease file
> * split up initial patch into smaller commits
>
> Changes since v3:
> * Moved found_uri_or_signed to function and to the end of bool chain
>   to prevent redundant signage checks to improve performance
> * Added fallback to the cached InRelease file to get it from repos URI
>
> Changes since v2:
> * correct the mapping in `gpg_signed`
>
> Changes since v1:
> * rewrite test so it compiles
>
> Nicolas Frey (4):
>   add proxmox-pgp subcrate, move POM verifier code to it
>   fix #5207: apt: check signature of repos with proxmox-pgp
>   apt: add tests for POM release filenames
>   apt: check for local POM InRelease as fallback
>
>  Cargo.toml                                 |   2 +
>  proxmox-apt/Cargo.toml                     |   1 +
>  proxmox-apt/src/repositories/repository.rs |  94 ++++++++--
>  proxmox-pgp/Cargo.toml                     |  17 ++
>  proxmox-pgp/debian/changelog               |   5 +
>  proxmox-pgp/debian/control                 |  40 +++++
>  proxmox-pgp/debian/copyright               |  18 ++
>  proxmox-pgp/debian/debcargo.toml           |   7 +
>  proxmox-pgp/src/lib.rs                     |   5 +
>  proxmox-pgp/src/verifier.rs                | 194 +++++++++++++++++++++
>  10 files changed, 373 insertions(+), 10 deletions(-)
>  create mode 100644 proxmox-pgp/Cargo.toml
>  create mode 100644 proxmox-pgp/debian/changelog
>  create mode 100644 proxmox-pgp/debian/control
>  create mode 100644 proxmox-pgp/debian/copyright
>  create mode 100644 proxmox-pgp/debian/debcargo.toml
>  create mode 100644 proxmox-pgp/src/lib.rs
>  create mode 100644 proxmox-pgp/src/verifier.rs
>
> --
> 2.47.3

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel