* [pve-devel] [PATCH manager 1/2] fix #6539: apl: use sqv instead of gpgv to verify signatures
@ 2025-07-22 12:36 Shannon Sterz
2025-07-22 12:36 ` [pve-devel] [PATCH manager 2/2] apl: make keyring generation output keys as binary again Shannon Sterz
2025-07-22 14:27 ` [pve-devel] applied: [PATCH manager 1/2] fix #6539: apl: use sqv instead of gpgv to verify signatures Thomas Lamprecht
0 siblings, 2 replies; 3+ messages in thread
From: Shannon Sterz @ 2025-07-22 12:36 UTC (permalink / raw)
To: pve-devel
debian trixie based installs don't ship with gpgv so take this
opportunity and use sqv directly. sqv can deal with both armored and
dearmored keys. this has the side-effect of closing #6539. which
occured, due to sequioa dropping the `--binary` option for merging
keys into a keyring and would always output them in an armored
formart. gpgv cannot handle armored keys and would therefore fail to
verify signatures.
while sqv is pre-installed, adding it as an explicit dependency should
still avoid problems if it is removed at some point (like gpgv was).
Closes: #6539
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
PVE/APLInfo.pm | 2 +-
debian/control | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/PVE/APLInfo.pm b/PVE/APLInfo.pm
index 5371ad7ba..433a8ef4b 100644
--- a/PVE/APLInfo.pm
+++ b/PVE/APLInfo.pm
@@ -171,7 +171,7 @@ sub download_aplinfo {
# verify signature
my $trustedkeyring = "/usr/share/doc/pve-manager/trustedkeys.gpg";
- my $cmd = "/usr/bin/gpgv -q --keyring $trustedkeyring $sigfn $tmp";
+ my $cmd = "/usr/bin/sqv --keyring $trustedkeyring $sigfn $tmp";
my $logfunc = sub { logmsg($logfd, "signature verification: $_[0]"); };
eval { run_command($cmd, outfunc => $logfunc, errfunc => $logfunc); };
diff --git a/debian/control b/debian/control
index 8557cb1e3..ffac171c9 100644
--- a/debian/control
+++ b/debian/control
@@ -94,6 +94,7 @@ Depends: apt (>= 1.5~),
qemu-server (>= 9.0.2),
rsync,
spiceterm,
+ sqv,
systemd,
vncterm,
wget,
--
2.47.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 3+ messages in thread
* [pve-devel] [PATCH manager 2/2] apl: make keyring generation output keys as binary again
2025-07-22 12:36 [pve-devel] [PATCH manager 1/2] fix #6539: apl: use sqv instead of gpgv to verify signatures Shannon Sterz
@ 2025-07-22 12:36 ` Shannon Sterz
2025-07-22 14:27 ` [pve-devel] applied: [PATCH manager 1/2] fix #6539: apl: use sqv instead of gpgv to verify signatures Thomas Lamprecht
1 sibling, 0 replies; 3+ messages in thread
From: Shannon Sterz @ 2025-07-22 12:36 UTC (permalink / raw)
To: pve-devel
sequioa dropped the `--binary` flag for keyring generation and only
outputs ascii armored keyrings. so make it dearmor the key afterward
to keep the key format consistent with the file ending (".gpg") again.
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
aplinfo/Makefile | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/aplinfo/Makefile b/aplinfo/Makefile
index 1c6b61505..17d61ca74 100644
--- a/aplinfo/Makefile
+++ b/aplinfo/Makefile
@@ -20,7 +20,9 @@ update:
mv aplinfo.dat.tmp aplinfo.dat
trustedkeys.gpg: $(TRUSTED_KEYS)
- sq keyring merge --output $@.tmp $(TRUSTED_KEYS)
+ sq keyring merge --output $(basename $@).asc.tmp $(TRUSTED_KEYS)
+ sq packet dearmor $(basename $@).asc.tmp --output $@.tmp
+ rm $(basename $@).asc.tmp
mv $@.tmp $@
.PHONY: clean
--
2.47.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 3+ messages in thread
* [pve-devel] applied: [PATCH manager 1/2] fix #6539: apl: use sqv instead of gpgv to verify signatures
2025-07-22 12:36 [pve-devel] [PATCH manager 1/2] fix #6539: apl: use sqv instead of gpgv to verify signatures Shannon Sterz
2025-07-22 12:36 ` [pve-devel] [PATCH manager 2/2] apl: make keyring generation output keys as binary again Shannon Sterz
@ 2025-07-22 14:27 ` Thomas Lamprecht
1 sibling, 0 replies; 3+ messages in thread
From: Thomas Lamprecht @ 2025-07-22 14:27 UTC (permalink / raw)
To: pve-devel, Shannon Sterz
On Tue, 22 Jul 2025 14:36:57 +0200, Shannon Sterz wrote:
> debian trixie based installs don't ship with gpgv so take this
> opportunity and use sqv directly. sqv can deal with both armored and
> dearmored keys. this has the side-effect of closing #6539. which
> occured, due to sequioa dropping the `--binary` option for merging
> keys into a keyring and would always output them in an armored
> formart. gpgv cannot handle armored keys and would therefore fail to
> verify signatures.
>
> [...]
Applied, thanks!
[1/2] fix #6539: apl: use sqv instead of gpgv to verify signatures
commit: 15a67b13e7e9b1c06f473fdc62b96f983293e063
[2/2] apl: make keyring generation output keys as binary again
commit: 5034a93f6d6ede028ba53b8a2963a882ba0bafa3
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2025-07-22 14:26 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-07-22 12:36 [pve-devel] [PATCH manager 1/2] fix #6539: apl: use sqv instead of gpgv to verify signatures Shannon Sterz
2025-07-22 12:36 ` [pve-devel] [PATCH manager 2/2] apl: make keyring generation output keys as binary again Shannon Sterz
2025-07-22 14:27 ` [pve-devel] applied: [PATCH manager 1/2] fix #6539: apl: use sqv instead of gpgv to verify signatures Thomas Lamprecht
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox