From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pbs-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
	by lore.proxmox.com (Postfix) with ESMTPS id CC9351FF146
	for <inbox@lore.proxmox.com>; Tue, 28 Apr 2026 12:01:57 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id A0C5BDB63;
	Tue, 28 Apr 2026 12:01:57 +0200 (CEST)
Message-ID: <6b7f22e1-1c34-424d-bd7b-2d185c4a09d2@proxmox.com>
Date: Tue, 28 Apr 2026 12:01:50 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird Beta
Subject: Re: [PATCH proxmox-backup] pull: decrypt: set and check
 change-detection-fingerprint
To: =?UTF-8?Q?Fabian_Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>,
 pbs-devel@lists.proxmox.com
References: <20260428094437.596604-1-f.gruenbichler@proxmox.com>
Content-Language: en-US
From: Dominik Csapak <d.csapak@proxmox.com>
In-Reply-To: <20260428094437.596604-1-f.gruenbichler@proxmox.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2
X-Bm-Transport-Timestamp: 1777370414432
X-SPAM-LEVEL: Spam detection results:  0
	AWL                     0.051 Adjusted score from AWL reputation of From:
 address
	BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
	DMARC_MISSING             0.1 Missing DMARC policy
	KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict
 Alignment
	SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
	SPF_PASS               -0.001 SPF: sender matches SPF record
Message-ID-Hash: WRA7APWOQLBIW7HCP7EUAY37SHQXND4A
X-Message-ID-Hash: WRA7APWOQLBIW7HCP7EUAY37SHQXND4A
X-MailFrom: d.csapak@proxmox.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Proxmox Backup Server development discussion
 <pbs-devel.lists.proxmox.com>
List-Help: <mailto:pbs-devel-request@lists.proxmox.com?subject=help>
List-Owner: <mailto:pbs-devel-owner@lists.proxmox.com>
List-Post: <mailto:pbs-devel@lists.proxmox.com>
List-Subscribe: <mailto:pbs-devel-join@lists.proxmox.com>
List-Unsubscribe: <mailto:pbs-devel-leave@lists.proxmox.com>

LGTM, not deep enough into the sync code currently to give
a full r-b though..

so:

Tested-by: Dominik Csapak <d.csapak@proxmox.com>

On 4/28/26 11:43 AM, Fabian Grünbichler wrote:
> when decrypt-pulling a snapshot that was not created by encrypt-pushing, but by
> a regular encrypted backup, resyncing requires matching the local plain text
> manifest and the remote encrypted one.
> 
> in addition to storing a signature of the plain manifest when encrypt-pushing,
> store the already existing signature of the encrypted source manifest when
> decrypt-pulling, but only use it for matching if the former does not exist.
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
> ---
>   src/server/pull.rs | 23 +++++++++++++++++++++--
>   1 file changed, 21 insertions(+), 2 deletions(-)
> 
> diff --git a/src/server/pull.rs b/src/server/pull.rs
> index 4a41ea7da..c519ed5d8 100644
> --- a/src/server/pull.rs
> +++ b/src/server/pull.rs
> @@ -21,8 +21,8 @@ use tokio::io::AsyncWriteExt;
>   
>   use pbs_api_types::{
>       print_store_and_ns, ArchiveType, Authid, BackupArchiveName, BackupDir, BackupGroup,
> -    BackupNamespace, CryptMode, GroupFilter, Operation, RateLimitConfig, Remote, SnapshotListItem,
> -    VerifyState, CLIENT_LOG_BLOB_NAME, MANIFEST_BLOB_NAME, MAX_NAMESPACE_DEPTH,
> +    BackupNamespace, CryptMode, Fingerprint, GroupFilter, Operation, RateLimitConfig, Remote,
> +    SnapshotListItem, VerifyState, CLIENT_LOG_BLOB_NAME, MANIFEST_BLOB_NAME, MAX_NAMESPACE_DEPTH,
>       PRIV_DATASTORE_AUDIT, PRIV_DATASTORE_BACKUP,
>   };
>   use pbs_client::BackupRepository;
> @@ -878,6 +878,11 @@ async fn pull_snapshot<'a>(
>               bail!("Encountered unexpected manifest without 'unprotected' section.");
>           }
>   
> +        if let Some(expected) = &manifest.signature {
> +            let expected: Fingerprint = expected.parse().with_context(|| prefix.clone())?;
> +            new_manifest.set_change_detection_fingerprint(expected.bytes())?;
> +        }
> +
>           let manifest_string = new_manifest.to_string(None)?;
>           let manifest_blob = DataBlob::encode(manifest_string.as_bytes(), None, true)?;
>           // update contents to be uploaded to backend
> @@ -1021,6 +1026,20 @@ async fn optionally_use_decryption_key(
>               } else {
>                   bail!("Change detection fingerprint mismatch, refuse to continue!");
>               }
> +        } else if let Some(source_signature) = existing_manifest
> +            .get_change_detection_fingerprint()
> +            .context("failed to parse change detection fingerprint of existing target manifest")
> +            .with_context(|| prefix.clone())?
> +        {
> +            let Some(expected) = &manifest.signature else {
> +                bail!("No signature on source manifest.");
> +            };
> +            let expected: Fingerprint = expected.parse().with_context(|| prefix.clone())?;
> +            if expected == source_signature {
> +                skip_resync = true;
> +            } else {
> +                bail!("Change detection fingerprint mismatch, refuse to continue!");
> +            }
>           } else {
>               bail!("No change detection fingerprint found, refuse to continue!");
>           }