From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
Shannon Sterz <s.sterz@proxmox.com>
Subject: Re: [pve-devel] [PATCH docs] package-repos: update key file path and hashes
Date: Thu, 17 Jul 2025 10:47:48 +0200
Message-ID: <333dc9a0-9060-48dd-b84e-cd145fae083a@proxmox.com>
In-Reply-To: <20250717080006.57716-1-s.sterz@proxmox.com>
On 17.07.25 at 10:00, Shannon Sterz wrote:
> so they better match the repository defintions above
tiny typo: definitions
> Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
> ---
> pve-package-repos.adoc | 14 ++++++++------
> 1 file changed, 8 insertions(+), 6 deletions(-)
>
> diff --git a/pve-package-repos.adoc b/pve-package-repos.adoc
> index 063bc6f..4af8a51 100644
> --- a/pve-package-repos.adoc
> +++ b/pve-package-repos.adoc
> @@ -269,24 +269,26 @@ the key with the following commands:
>
> ----
> # wget https://enterprise.proxmox.com/debian/proxmox-release-trixie.gpg -O
> - /etc/apt/trusted.gpg.d/proxmox-release-trixie.gpg
> + /usr/share/keyrings/proxmox-archive-keyring.gpg
> ----
>
> Verify the checksum afterwards with the `sha512sum` CLI tool:
>
> ----
> -# sha512sum /etc/apt/trusted.gpg.d/proxmox-release-trixie.gpg
> -7da6fe34168adc6e479327ba517796d4702fa2f8b4f0a9833f5ea6e6b48f6507a6da403a274fe201595edc86a84463d50383d07f64bdde2e3658108db7d6dc87
> -/etc/apt/trusted.gpg.d/proxmox-release-trixie.gpg
> +# sha512sum /usr/share/keyrings/proxmox-archive-keyring.gpg
> + 8678f2327c49276615288d7ca11e7d296bc8a2b96946fe565a9c81e533f9b15a5dbbad210a0ad5cd46d361ff1d3c4bac55844bc296beefa4f88b86e44e69fa51
> +/usr/share/keyrings/proxmox-archive-keyring.gpg
But that will change with the next key ring change, e.g. once a new key for a
future release gets added or an oldoldstable release key is dropped.
Switching to /usr still makes sense, in the long run /etc might even
get fully deprecated.
We either could stay using the per-release key files, which are also available
in /usr, or, for a slightly bigger change, switch to the `sq keyring list`
output, or some other fitting command of it.
As some sq tools are now used by core Debian packaging tools like apt, it'd
be relatively safe to use here IMO.
For example:
# sq keyring list /usr/share/keyrings/proxmox-archive-keyring.gpg
0. F4E136C67CDCE41AE6DE6FC81140AF8F639E0C39 Proxmox Bookworm Release Key <proxmox-release@proxmox.com>
1. 24B30F06ECC1836A4E5EFECBA7BCD1420BFE778E Proxmox Trixie Release Key <proxmox-release@proxmox.com>
Could be combined with the per-release hash sums, and if we change this I'd
be a tiny bit in favor of switching sha512sum to sha256sum, as I don't think
we or users gain much security, longer strings aren't easier to compare and
sha256sum is still very much state of the art and deemed as unfeasible to break,
IIRC.
> ----
>
> or the `md5sum` CLI tool:
>
> ----
> -# md5sum /etc/apt/trusted.gpg.d/proxmox-release-trixie.gpg
> -41558dc019ef90bd0f6067644a51cf5b /etc/apt/trusted.gpg.d/proxmox-release-trixie.gpg
> +# md5sum /usr/share/keyrings/proxmox-archive-keyring.gpg
> +c94e3775fbafec13fec20f981db61e93 /usr/share/keyrings/proxmox-archive-keyring.gpg
> ----
>
> +NOTE: Make sure the path you install the key to matches the `Signed-By:` lines
> +in your repository stanzas.
>
> ifdef::wiki[]
>
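Review bot: the sha512sum and md5sum blocks in this hunk now pin the combined /usr/share/keyrings/proxmox-archive-keyring.gpg file, whose digest changes whenever a key is added to or dropped from the keyring, so the documented sums go stale at the next keyring update, whereas the per-release key file they replace stays constant; either keep hashing the per-release file or document the per-key fingerprints (e.g. from `sq keyring list`) instead of a whole-file digest. While touching this, the `md5sum` alternative is worth dropping, since MD5 is not collision-resistant and adds nothing over the SHA-2 sum. The added NOTE about matching `Signed-By:` is useful; naming the path it must match would make it actionable.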
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
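As an added shell example, not code from the patch or from pve-docs, here is one way to do the two checks discussed above: pin the fetched keyring to an expected hash and confirm that the `Signed-By:` lines in a deb822 sources file point at the path the key was installed to. The keyring contents, the expected hash and the sources stanza are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the patch or pve-docs: pin a fetched keyring
# to an expected SHA-256 and check that every Signed-By: line in a deb822
# sources file names that same keyring path.

# verify_keyring <keyring-path> <expected-sha256-hex>
verify_keyring() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# signed_by_matches <sources-file> <keyring-path>
# Succeeds only if the file has at least one Signed-By: line and all of them
# name the given path (single path per line, as in the documented stanzas).
signed_by_matches() {
    paths=$(grep '^Signed-By:' "$1" | sed 's/^Signed-By:[[:space:]]*//;s/[[:space:]]*$//')
    [ -n "$paths" ] || return 1
    for p in $paths; do
        [ "$p" = "$2" ] || return 1
    done
    return 0
}

# --- demonstration on constructed inputs (placeholder keyring, temp dir) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
demo_key="$demo_dir/proxmox-archive-keyring.gpg"
printf 'constructed keyring placeholder, not a real key\n' > "$demo_key"
demo_hash=$(sha256sum "$demo_key" | cut -d' ' -f1)   # stands in for the documented sum

cat > "$demo_dir/pve-enterprise.sources" <<EOF
Types: deb
URIs: https://enterprise.proxmox.com/debian/pve
Suites: trixie
Components: pve-enterprise
Signed-By: $demo_key
EOF
# A stale stanza still pointing at the old trusted.gpg.d location:
printf 'Signed-By: /etc/apt/trusted.gpg.d/proxmox-release-trixie.gpg\n' > "$demo_dir/stale.sources"

verify_keyring "$demo_key" "$demo_hash" && echo "keyring hash ok"
signed_by_matches "$demo_dir/pve-enterprise.sources" "$demo_key" && echo "Signed-By matches"
signed_by_matches "$demo_dir/stale.sources" "$demo_key" || echo "stale Signed-By path"
```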