all lists on lists.proxmox.com
 help / color / mirror / Atom feed
From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
	Shannon Sterz <s.sterz@proxmox.com>
Subject: Re: [pve-devel] [PATCH docs] package-repos: update key file path and hashes
Date: Thu, 17 Jul 2025 10:47:48 +0200	[thread overview]
Message-ID: <333dc9a0-9060-48dd-b84e-cd145fae083a@proxmox.com> (raw)
In-Reply-To: <20250717080006.57716-1-s.sterz@proxmox.com>

Am 17.07.25 um 10:00 schrieb Shannon Sterz:
> so they better match the repository defintions above

tiny typo: definitions

> Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
> ---
>  pve-package-repos.adoc | 14 ++++++++------
>  1 file changed, 8 insertions(+), 6 deletions(-)
> 
> diff --git a/pve-package-repos.adoc b/pve-package-repos.adoc
> index 063bc6f..4af8a51 100644
> --- a/pve-package-repos.adoc
> +++ b/pve-package-repos.adoc
> @@ -269,24 +269,26 @@ the key with the following commands:
>  
>  ----
>   # wget https://enterprise.proxmox.com/debian/proxmox-release-trixie.gpg -O
> - /etc/apt/trusted.gpg.d/proxmox-release-trixie.gpg
> + /usr/share/keyrings/proxmox-archive-keyring.gpg
>  ----
>  
>  Verify the checksum afterwards with the `sha512sum` CLI tool:
>  
>  ----
> -# sha512sum /etc/apt/trusted.gpg.d/proxmox-release-trixie.gpg
> -7da6fe34168adc6e479327ba517796d4702fa2f8b4f0a9833f5ea6e6b48f6507a6da403a274fe201595edc86a84463d50383d07f64bdde2e3658108db7d6dc87
> -/etc/apt/trusted.gpg.d/proxmox-release-trixie.gpg
> +# sha512sum /usr/share/keyrings/proxmox-archive-keyring.gpg
> + 8678f2327c49276615288d7ca11e7d296bc8a2b96946fe565a9c81e533f9b15a5dbbad210a0ad5cd46d361ff1d3c4bac55844bc296beefa4f88b86e44e69fa51
> +/usr/share/keyrings/proxmox-archive-keyring.gpg

But that will change with the next key ring change, e.g. once a new key for a
future release gets added or an oldoldstable release key is dropped.

Switching to /user still makes sense, in the long run /etc might even
get fully deprecated.  

We either could stay using the per-release key files, which are also available
in /usr, or, for a slightly bigger change, switch to the `sq keyring list`
output–or some other fitting command of it.

As some sq tools are now used by core debian packaging tools like apt, it'
be relatively safe to use here IMO.

For example:

# sq keyring list /usr/share/keyrings/proxmox-archive-keyring.gpg 
0. F4E136C67CDCE41AE6DE6FC81140AF8F639E0C39 Proxmox Bookworm Release Key <proxmox-release@proxmox.com>
1. 24B30F06ECC1836A4E5EFECBA7BCD1420BFE778E Proxmox Trixie Release Key <proxmox-release@proxmox.com>


Could be combined with the per-release hash sums, and if we change this I'd
be a tiny bit in favor of switching sha512sum to sha256sum, as I don't think
we or users gain much security, longer strings aren't easier to compare and
sha256sum is still very much state of the art and deemed as unfeasible to break,
IIRC.

>  ----
>  
>  or the `md5sum` CLI tool:
>  
>  ----
> -# md5sum /etc/apt/trusted.gpg.d/proxmox-release-trixie.gpg
> -41558dc019ef90bd0f6067644a51cf5b /etc/apt/trusted.gpg.d/proxmox-release-trixie.gpg
> +# md5sum /usr/share/keyrings/proxmox-archive-keyring.gpg
> +c94e3775fbafec13fec20f981db61e93 /usr/share/keyrings/proxmox-archive-keyring.gpg
>  ----
>  
> +NOTE: Make sure the path you install the key to matches the `Signed-By:` lines
> +in your repository stanzas.
>  
>  ifdef::wiki[]
>  



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

  reply	other threads:[~2025-07-17  8:47 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-07-17  8:00 Shannon Sterz
2025-07-17  8:47 ` Thomas Lamprecht [this message]
     [not found]   ` <DBE7TU91ASCT.197OWIL2T5KAJ@proxmox.com>
2025-07-17  9:38     ` Thomas Lamprecht
2025-07-17 10:33       ` Shannon Sterz
2025-07-17 11:55         ` Thomas Lamprecht
2025-07-17 10:34 Shannon Sterz
2025-07-18  8:38 Shannon Sterz

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=333dc9a0-9060-48dd-b84e-cd145fae083a@proxmox.com \
    --to=t.lamprecht@proxmox.com \
    --cc=pve-devel@lists.proxmox.com \
    --cc=s.sterz@proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal