From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 17F401FF13A for ; Wed, 29 Apr 2026 11:29:05 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id E2C2725157; Wed, 29 Apr 2026 11:29:03 +0200 (CEST) From: Christian Ebner To: pbs-devel@lists.proxmox.com Subject: [PATCH proxmox-backup 2/2] sync: push: gracefully handle previous manifest signature mismatches Date: Wed, 29 Apr 2026 11:28:47 +0200 Message-ID: <20260429092847.381438-3-c.ebner@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260429092847.381438-1-c.ebner@proxmox.com> References: <20260429092847.381438-1-c.ebner@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1777454842547 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.071 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [push.rs] Message-ID-Hash: JNH5LJD2PR7CQD7XJWC2T6RZYGOOBITJ X-Message-ID-Hash: JNH5LJD2PR7CQD7XJWC2T6RZYGOOBITJ X-MailFrom: c.ebner@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox Backup Server development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: During push sync jobs with a given active encryption key, the key is loaded for the backup writer, used to encrypt the source snapshot on the fly. As optimization, the backup writer deduplicates chunks already present in the previous snapshot by loading them from the index files. If the previous backup snapshot in the same group (on the remote target) is however encrypted or signed using a different key, the signature check will fail, logging a rather alerting signature mismatch, which is however benign. Improve the logging behaviour by loading the manifest without implicit signature check, check it on the call site and log a more telling `Skip chunk deduplication from previous manifest`, as that is the intended behaviour for this case. Signed-off-by: Christian Ebner --- src/server/push.rs | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/src/server/push.rs b/src/server/push.rs index dac62c84a..f4b68701d 100644 --- a/src/server/push.rs +++ b/src/server/push.rs @@ -1131,8 +1131,28 @@ pub(crate) async fn push_snapshot( let mut previous_manifest = None; // Use manifest of previous snapshots in group on target for chunk upload deduplication if fetch_previous_manifest { - match backup_writer.download_previous_manifest().await { - Ok(manifest) => previous_manifest = Some(Arc::new(manifest)), + match backup_writer + .download_previous_manifest_without_signature_check() + .await + { + Ok(manifest) => { + if let Some((_id, crypt_config)) = &encrypt_using_key { + if manifest.check_signature(crypt_config).is_ok() { + previous_manifest = Some(Arc::new(manifest)); + } else { + log_sender + .log( + Level::INFO, + format!( + "{prefix}: Skip chunk deduplication from previous manifest" + ), + ) + .await? + } + } else { + previous_manifest = Some(Arc::new(manifest)); + } + } Err(err) => { log_sender .log( -- 2.47.3