From: Nicolas Frey <n.frey@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: Re: [pve-devel] [PATCH proxmox v5 2/4] fix #5207: apt: check signage of repos with proxmox-pgp
Date: Thu, 23 Oct 2025 16:24:36 +0200 [thread overview]
Message-ID: <844b3f32-39cc-4c78-a1d4-5bef9755dee4@proxmox.com> (raw)
In-Reply-To: <20251023103953.305810-3-n.frey@proxmox.com>
On 10/23/25 12:39 PM, Nicolas Frey wrote:
> If POM is set up to mirror the PVE repository and only this repository
> is added on a PVE host, the `Repositories` panel will show an `Error`
> status with the message:
>
> `No Proxmox VE repository is enabled, you do not get any updates!`
>
> This is because the current implementation only checks if the uri of
> the repo matches that of one of the standard repos.
>
> This commit aims to fix this issue by verifying it through signage
> info via `proxmox-pgp`. The InRelease file cached at
> `/var/lib/apt/lists/` is used to check whether the package is of
> Proxmox Origin.
>
forgot to add
Fixes: https://bugzilla.proxmox.com/show_bug.cgi?id=5207
> Signed-off-by: Nicolas Frey <n.frey@proxmox.com>
> ---
> proxmox-apt/Cargo.toml | 1 +
> proxmox-apt/src/repositories/repository.rs | 56 ++++++++++++++++++----
> 2 files changed, 47 insertions(+), 10 deletions(-)
>
> diff --git a/proxmox-apt/Cargo.toml b/proxmox-apt/Cargo.toml
> index e5beb4e6..5a8e25eb 100644
> --- a/proxmox-apt/Cargo.toml
> +++ b/proxmox-apt/Cargo.toml
> @@ -23,6 +23,7 @@ rfc822-like = "0.2.1"
> proxmox-apt-api-types.workspace = true
> proxmox-config-digest = { workspace = true, features = ["openssl"] }
> proxmox-sys.workspace = true
> +proxmox-pgp.workspace = true
>
> apt-pkg-native = { version = "0.3.2", optional = true }
> regex = { workspace = true, optional = true }
> diff --git a/proxmox-apt/src/repositories/repository.rs b/proxmox-apt/src/repositories/repository.rs
> index 24e7943b..5e386665 100644
> --- a/proxmox-apt/src/repositories/repository.rs
> +++ b/proxmox-apt/src/repositories/repository.rs
> @@ -2,6 +2,7 @@ use std::io::{BufRead, BufReader, Write};
> use std::path::{Path, PathBuf};
>
> use anyhow::{bail, format_err, Error};
> +use proxmox_pgp::{verify_signature, WeakCryptoConfig};
>
> use crate::repositories::standard::APTRepositoryHandleImpl;
> use proxmox_apt_api_types::{
> @@ -122,21 +123,24 @@ impl APTRepositoryImpl for APTRepository {
> product: &str,
> suite: &str,
> ) -> bool {
> - let (package_type, handle_uris, component, _key) = handle.info(product);
> -
> - let mut found_uri = false;
> -
> - for uri in self.uris.iter() {
> - let uri = uri.trim_end_matches('/');
> -
> - found_uri = found_uri || handle_uris.iter().any(|handle_uri| handle_uri == uri);
> - }
> + let (package_type, handle_uris, component, key) = handle.info(product);
> +
> + let found_uri_or_signed = || {
> + let mut found = false;
> + for uri in self.uris.iter() {
> + let uri = uri.trim_end_matches('/');
> + found = found
> + || handle_uris.iter().any(|handle_uri| handle_uri == uri)
> + || is_signed_by_key(uri, suite, key);
> + }
> + found
> + };
>
> self.types.contains(&package_type)
> - && found_uri
> // using contains would require a &String
> && self.suites.iter().any(|self_suite| self_suite == suite)
> && self.components.contains(&component)
> + && found_uri_or_signed()
> }
>
> fn origin_from_uris(&self) -> Option<String> {
> @@ -389,6 +393,38 @@ fn write_stanza(repo: &APTRepository, w: &mut dyn Write) -> Result<(), Error> {
> Ok(())
> }
>
> +/// Reads file contents of cached/local POM InRelease file from uri
> +/// and key to verify pgp signature
> +fn is_signed_by_key(uri: &str, suite: &str, key_path: &str) -> bool {
> + let data = match std::fs::read(&release_filename(
> + Path::new("/var/lib/apt/lists"),
> + uri,
> + suite,
> + false,
> + )) {
> + Ok(d) => d,
> + Err(err) => {
> + log::warn!("could not read InRelease file: {err}");
> + return false;
> + }
> + };
> +
> + let key = match std::fs::read(key_path) {
> + Ok(k) => k,
> + Err(err) => {
> + log::warn!("could not read key file '{key_path}': {err}");
> + return false;
> + }
> + };
> +
> + if let Err(e) = verify_signature(&data, &key, None, &WeakCryptoConfig::default()) {
> + log::error!("PGP signature verification failed: {e:?}");
> + return false;
> + }
> +
> + true
> +}
> +
> #[test]
> fn test_uri_to_filename() {
> let filename = uri_to_filename("https://some_host/some/path");
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next prev parent reply other threads:[~2025-10-23 14:24 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-23 10:39 [pve-devel] [PATCH proxmox v5 0/4] " Nicolas Frey
2025-10-23 10:39 ` [pve-devel] [PATCH proxmox v5 1/4] add proxmox-pgp subcrate, move POM verifier code to it Nicolas Frey
2025-10-23 10:39 ` [pve-devel] [PATCH proxmox v5 2/4] fix #5207: apt: check signage of repos with proxmox-pgp Nicolas Frey
2025-10-23 14:24 ` Nicolas Frey [this message]
2025-10-23 10:39 ` [pve-devel] [PATCH proxmox v5 3/4] apt: add tests for POM release filenames Nicolas Frey
2025-10-23 10:39 ` [pve-devel] [PATCH proxmox v5 4/4] apt: check for local POM InRelease as fallback Nicolas Frey
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=844b3f32-39cc-4c78-a1d4-5bef9755dee4@proxmox.com \
--to=n.frey@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.