From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pbs-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9])
	by lore.proxmox.com (Postfix) with ESMTPS id 8C1911FF13A
	for <inbox@lore.proxmox.com>; Wed, 29 Apr 2026 13:43:16 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id 97E6F344E;
	Wed, 29 Apr 2026 13:43:13 +0200 (CEST)
Date: Wed, 29 Apr 2026 13:43:06 +0200
From: Fabian =?iso-8859-1?q?Gr=FCnbichler?= <f.gruenbichler@proxmox.com>
Subject: Re: [PATCH proxmox-backup 1/2] client: allow skipping signature check
 on previous manifest fetching
To: Christian Ebner <c.ebner@proxmox.com>, pbs-devel@lists.proxmox.com
References: <20260429092847.381438-1-c.ebner@proxmox.com>
	<20260429092847.381438-2-c.ebner@proxmox.com>
In-Reply-To: <20260429092847.381438-2-c.ebner@proxmox.com>
MIME-Version: 1.0
User-Agent: astroid/0.17.0 (https://github.com/astroidmail/astroid)
Message-Id: <1777461594.ctjrr353d8.astroid@yuna.none>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2
X-Bm-Transport-Timestamp: 1777462891703
X-SPAM-LEVEL: Spam detection results:  0
	AWL                     0.054 Adjusted score from AWL reputation of From:
 address
	BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
	DMARC_MISSING             0.1 Missing DMARC policy
	KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict
 Alignment
	SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
	SPF_PASS               -0.001 SPF: sender matches SPF record
Message-ID-Hash: UX4NFXYHIPRDIRLDJBDQ5JTS2MSCT432
X-Message-ID-Hash: UX4NFXYHIPRDIRLDJBDQ5JTS2MSCT432
X-MailFrom: f.gruenbichler@proxmox.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Proxmox Backup Server development discussion
 <pbs-devel.lists.proxmox.com>
List-Help: <mailto:pbs-devel-request@lists.proxmox.com?subject=help>
List-Owner: <mailto:pbs-devel-owner@lists.proxmox.com>
List-Post: <mailto:pbs-devel@lists.proxmox.com>
List-Subscribe: <mailto:pbs-devel-join@lists.proxmox.com>
List-Unsubscribe: <mailto:pbs-devel-leave@lists.proxmox.com>

On April 29, 2026 11:28 am, Christian Ebner wrote:
> Extends the BackupWriter implementation by a method which allows to
> download the previous manifest from a PBS instance, but skipping the
> signature check even if the backup writer has a crypt_config set.
>=20
> This will be used to silence misleading logs during encrypting push
> sync jobs, by performing the signature check on the call site
> instead.
>=20
> Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
> ---
>  pbs-client/src/backup_writer.rs | 22 +++++++++++++++++++---
>  1 file changed, 19 insertions(+), 3 deletions(-)
>=20
> diff --git a/pbs-client/src/backup_writer.rs b/pbs-client/src/backup_writ=
er.rs
> index 49aff3fdd..ea990dbde 100644
> --- a/pbs-client/src/backup_writer.rs
> +++ b/pbs-client/src/backup_writer.rs
> @@ -735,8 +735,25 @@ impl BackupWriter {
>          })
>      }
> =20
> -    /// Download backup manifest (index.json) of last backup
> +    /// Download backup manifest (index.json) of last backup, checking t=
he signature
> +    /// using the backup writer's crypt config.
>      pub async fn download_previous_manifest(&self) -> Result<BackupManif=
est, Error> {

since we only have two callsites for this (one for each variant ;)), couldn=
't we just switch to

download_previous_manifest(&self, check_signature: bool)

? would make the writer interface a little less bloated..

> +        let manifest =3D self
> +            .download_previous_manifest_without_signature_check()
> +            .await?;
> +
> +        if let Some(crypt_config) =3D &self.crypt_config {
> +            manifest.check_signature(crypt_config)?;
> +        }
> +
> +        Ok(manifest)
> +    }
> +
> +    /// Download backup manifest (index.json) of last backup, but skips =
the signature
> +    /// check by not providing the crypt config when parsing the manifes=
t from the data blob.
> +    pub async fn download_previous_manifest_without_signature_check(
> +        &self,
> +    ) -> Result<BackupManifest, Error> {
>          let mut raw_data =3D Vec::with_capacity(64 * 1024);
> =20
>          let param =3D json!({ "archive-name": MANIFEST_BLOB_NAME.to_stri=
ng() });
> @@ -748,8 +765,7 @@ impl BackupWriter {
>          // no expected digest available
>          let data =3D blob.decode(self.crypt_config.as_ref().map(Arc::as_=
ref), None)?;

pre-existing, but this makes no sense - manifests are never encrypted,
so passing the key here is just misleading?

> =20
> -        let manifest =3D
> -            BackupManifest::from_data(&data[..], self.crypt_config.as_re=
f().map(Arc::as_ref))?;
> +        let manifest =3D BackupManifest::from_data(&data[..], None)?;
> =20
>          Ok(manifest)
>      }
> --=20
> 2.47.3
>=20
>=20
>=20
>=20
>=20
>=20