Message-ID: <344a3e99-4cf1-4f84-bec6-fc1129bf982a@proxmox.com>
Date: Thu, 30 Oct 2025 14:30:24 +0100
From: Nicolas Frey
To: pve-devel@lists.proxmox.com
Subject: Re: [pve-devel] [PATCH proxmox v5 0/4] fix #5207: apt: check signage of repos with proxmox-pgp
In-Reply-To: <20251023103953.305810-1-n.frey@proxmox.com>
References: <20251023103953.305810-1-n.frey@proxmox.com>
Superseded-by: https://lore.proxmox.com/pve-devel/20251030132844.188242-1-n.frey@proxmox.com/T/#t

On 10/23/25 12:39 PM, Nicolas Frey wrote:
> This patch series moves in pgp verification code from POM into its
> own micro-crate `proxmox-pgp` to reuse it to verify a package is of
> Proxmox Origin, which fixes #5207.
>
> If this patch series is applied, then `proxmox-offline-mirror` should
> use the `proxmox-pgp` crate.
>
> The last patch again adds in the local file fallback in case that the
> URI starts with `file://` for (IMO) better UX. I'm fine with this
> being dropped if it's not desired, though.
>
> Changes since v4 (thanks @Thomas for feedback):
> * added `proxmox-pgp` micro-crate and moved code from POM
> * removed reliance on gpgv in favor of now available `verify_signature`
>   function in `proxmox-pgp`
> * removed http(s) fallback for cached InRelease file
> * split up initial patch into smaller commits
>
> Changes since v3:
> * Moved found_uri_or_signed to function and to the end of bool chain
>   to prevent redundant signage checks to improve performance
> * Added fallback to the cached InRelease file to get it from repos URI
>
> Changes since v2:
> * correct the mapping in `gpg_signed`
>
> Changes since v1:
> * rewrite test so it compiles
>
> Nicolas Frey (4):
>   add proxmox-pgp subcrate, move POM verifier code to it
>   fix #5207: apt: check signage of repos with proxmox-pgp
>   apt: add tests for POM release filenames
>   apt: check for local POM InRelease as fallback
>
>  Cargo.toml                                 |   2 +
>  proxmox-apt/Cargo.toml                     |   1 +
>  proxmox-apt/src/repositories/repository.rs |  94 ++++++++--
>  proxmox-pgp/Cargo.toml                     |  17 ++
>  proxmox-pgp/debian/changelog               |   5 +
>  proxmox-pgp/debian/control                 |  40 +++++
>  proxmox-pgp/debian/copyright               |  18 ++
>  proxmox-pgp/debian/debcargo.toml           |   7 +
>  proxmox-pgp/src/lib.rs                     |   5 +
>  proxmox-pgp/src/verifier.rs                | 200 +++++++++++++++++++++
>  10 files changed, 379 insertions(+), 10 deletions(-)
>  create mode 100644 proxmox-pgp/Cargo.toml
>  create mode 100644 proxmox-pgp/debian/changelog
>  create mode 100644 proxmox-pgp/debian/control
>  create mode 100644 proxmox-pgp/debian/copyright
>  create mode 100644 proxmox-pgp/debian/debcargo.toml
>  create mode 100644 proxmox-pgp/src/lib.rs
>  create mode 100644 proxmox-pgp/src/verifier.rs
>