From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id CFA341FF165 for ; Thu, 23 Oct 2025 12:39:35 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id ABE716F4C; Thu, 23 Oct 2025 12:40:00 +0200 (CEST) From: Nicolas Frey To: pve-devel@lists.proxmox.com Date: Thu, 23 Oct 2025 12:39:51 +0200 Message-ID: <20251023103953.305810-3-n.frey@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20251023103953.305810-1-n.frey@proxmox.com> References: <20251023103953.305810-1-n.frey@proxmox.com> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.036 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods RDNS_NONE 0.793 Delivered to internal network by a host with no rDNS SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record Subject: [pve-devel] [PATCH proxmox v5 2/4] fix #5207: apt: check signage of repos with proxmox-pgp X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" If POM is set up to mirror the PVE repository and only this repository is added on a PVE host, the `Repositories` panel will show an `Error` status with the message: `No Proxmox VE repository is enabled, you do not get any updates!` This is because the current implementation only checks if the uri of the repo matches that of one of the standard repos. This commit aims to fix this issue by verifying it through signage info via `proxmox-pgp`. The InRelease file cached at `/var/lib/apt/lists/` is used to check whether the package is of Proxmox Origin. Signed-off-by: Nicolas Frey --- proxmox-apt/Cargo.toml | 1 + proxmox-apt/src/repositories/repository.rs | 56 ++++++++++++++++++---- 2 files changed, 47 insertions(+), 10 deletions(-) diff --git a/proxmox-apt/Cargo.toml b/proxmox-apt/Cargo.toml index e5beb4e6..5a8e25eb 100644 --- a/proxmox-apt/Cargo.toml +++ b/proxmox-apt/Cargo.toml @@ -23,6 +23,7 @@ rfc822-like = "0.2.1" proxmox-apt-api-types.workspace = true proxmox-config-digest = { workspace = true, features = ["openssl"] } proxmox-sys.workspace = true +proxmox-pgp.workspace = true apt-pkg-native = { version = "0.3.2", optional = true } regex = { workspace = true, optional = true } diff --git a/proxmox-apt/src/repositories/repository.rs b/proxmox-apt/src/repositories/repository.rs index 24e7943b..5e386665 100644 --- a/proxmox-apt/src/repositories/repository.rs +++ b/proxmox-apt/src/repositories/repository.rs @@ -2,6 +2,7 @@ use std::io::{BufRead, BufReader, Write}; use std::path::{Path, PathBuf}; use anyhow::{bail, format_err, Error}; +use proxmox_pgp::{verify_signature, WeakCryptoConfig}; use crate::repositories::standard::APTRepositoryHandleImpl; use proxmox_apt_api_types::{ @@ -122,21 +123,24 @@ impl APTRepositoryImpl for APTRepository { product: &str, suite: &str, ) -> bool { - let (package_type, handle_uris, component, _key) = handle.info(product); - - let mut found_uri = false; - - for uri in self.uris.iter() { - let uri = uri.trim_end_matches('/'); - - found_uri = found_uri || handle_uris.iter().any(|handle_uri| handle_uri == uri); - } + let (package_type, handle_uris, component, key) = handle.info(product); + + let found_uri_or_signed = || { + let mut found = false; + for uri in self.uris.iter() { + let uri = uri.trim_end_matches('/'); + found = found + || handle_uris.iter().any(|handle_uri| handle_uri == uri) + || is_signed_by_key(uri, suite, key); + } + found + }; self.types.contains(&package_type) - && found_uri // using contains would require a &String && self.suites.iter().any(|self_suite| self_suite == suite) && self.components.contains(&component) + && found_uri_or_signed() } fn origin_from_uris(&self) -> Option { @@ -389,6 +393,38 @@ fn write_stanza(repo: &APTRepository, w: &mut dyn Write) -> Result<(), Error> { Ok(()) } +/// Reads file contents of cached/local POM InRelease file from uri +/// and key to verify pgp signature +fn is_signed_by_key(uri: &str, suite: &str, key_path: &str) -> bool { + let data = match std::fs::read(&release_filename( + Path::new("/var/lib/apt/lists"), + uri, + suite, + false, + )) { + Ok(d) => d, + Err(err) => { + log::warn!("could not read InRelease file: {err}"); + return false; + } + }; + + let key = match std::fs::read(key_path) { + Ok(k) => k, + Err(err) => { + log::warn!("could not read key file '{key_path}': {err}"); + return false; + } + }; + + if let Err(e) = verify_signature(&data, &key, None, &WeakCryptoConfig::default()) { + log::error!("PGP signature verification failed: {e:?}"); + return false; + } + + true +} + #[test] fn test_uri_to_filename() { let filename = uri_to_filename("https://some_host/some/path"); -- 2.47.3 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel