From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id D02E51FF179 for ; Wed, 29 Oct 2025 20:39:32 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 4EE4F11AC4; Wed, 29 Oct 2025 20:40:04 +0100 (CET) Message-ID: Date: Wed, 29 Oct 2025 20:39:29 +0100 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Beta From: Thomas Lamprecht To: Proxmox VE development discussion , Nicolas Frey References: <20251023103953.305810-1-n.frey@proxmox.com> <20251023103953.305810-2-n.frey@proxmox.com> Content-Language: en-US In-Reply-To: <20251023103953.305810-2-n.frey@proxmox.com> X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1761766756420 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.027 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_MSPIKE_H2 0.001 Average reputation (+2) RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pve-devel] [PATCH proxmox v5 1/4] add proxmox-pgp subcrate, move POM verifier code to it X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" Am 23.10.25 um 12:40 schrieb Nicolas Frey:> Add new micro-crate `proxmox-pgp` for use in `proxmox-apt` to verify > repository signatures. Code is derived from `proxmox-offline-mirror`. > If this patch is applied, then `proxmox-offline-mirror` should use > the `proxmox-pgp` crate. > > For the original development history, see commits related to [0]. > > [0] https://git.proxmox.com/?p=proxmox-offline-mirror.git;a=blob;f=src/helpers/verifier.rs;h=15195a6ec3413ad3c016fffc38f9eee3cefc6827;hb=cd56fab > > Suggested-by: Thomas Lamprecht > Signed-off-by: Nicolas Frey > --- > Cargo.toml | 2 + > proxmox-pgp/Cargo.toml | 17 +++ > proxmox-pgp/debian/changelog | 5 + > proxmox-pgp/debian/control | 40 +++++++ > proxmox-pgp/debian/copyright | 18 +++ > proxmox-pgp/debian/debcargo.toml | 7 ++ > proxmox-pgp/src/lib.rs | 5 + > proxmox-pgp/src/verifier.rs | 200 +++++++++++++++++++++++++++++++ > 8 files changed, 294 insertions(+) > create mode 100644 proxmox-pgp/Cargo.toml > create mode 100644 proxmox-pgp/debian/changelog > create mode 100644 proxmox-pgp/debian/control > create mode 100644 proxmox-pgp/debian/copyright > create mode 100644 proxmox-pgp/debian/debcargo.toml > create mode 100644 proxmox-pgp/src/lib.rs > create mode 100644 proxmox-pgp/src/verifier.rs > diff --git a/proxmox-pgp/src/verifier.rs b/proxmox-pgp/src/verifier.rs > new file mode 100644 > index 00000000..84a15c4c > --- /dev/null > +++ b/proxmox-pgp/src/verifier.rs > @@ -0,0 +1,200 @@ > +use anyhow::{bail, format_err, Error}; > + > +use proxmox_api_macro::api; > +use proxmox_schema::Updater; > +use sequoia_openpgp::{ > + cert::CertParser, > + parse::{ > + stream::{ > + DetachedVerifierBuilder, MessageLayer, MessageStructure, VerificationError, > + VerificationHelper, VerifierBuilder, > + }, > + PacketParser, PacketParserResult, Parse, > + }, > + policy::StandardPolicy, > + types::HashAlgorithm, > + Cert, KeyHandle, > +}; > +use serde::{Deserialize, Serialize}; > +use std::io; I cleaned up the import code style a bit in POM yesterday, could you please sync that here if you send a v6 to address Shannon's comment anyway? > + > +#[api( > + properties: { > + "allow-sha1": { > + type: bool, > + default: false, > + optional: true, > + }, > + "min-dsa-key-size": { > + type: u64, > + optional: true, > + }, > + "min-rsa-key-size": { > + type: u64, > + optional: true, > + }, > + }, > +)] > +#[derive(Default, Serialize, Deserialize, Updater, Clone, Debug)] > +#[serde(rename_all = "kebab-case")] > +/// Weak Cryptography Configuration > +pub struct WeakCryptoConfig { > + /// Whether to allow SHA-1 based signatures > + #[serde(default)] > + pub allow_sha1: bool, > + /// Whether to lower the key size cutoff for DSA-based signatures > + #[serde(default)] > + pub min_dsa_key_size: Option, > + /// Whether to lower the key size cutoff for RSA-based signatures > + #[serde(default)] > + pub min_rsa_key_size: Option, > +} > + > +struct Helper<'a> { tiny nit: I know you just copied from the original, but the name is rather a bit to generic. As it's not publicly exported it's not to bad, but such things often leak in other parts of the code nonetheless, so maybe use CertWrapper (just as an idea, feel free to chose a more fitting/telling name yourself). > + cert: &'a Cert, > +} > + > _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel