From: Nicolas Frey <n.frey@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: Re: [pve-devel] [PATCH proxmox v5 2/4] fix #5207: apt: check signage of repos with proxmox-pgp
Date: Thu, 23 Oct 2025 16:24:36 +0200 [thread overview]
Message-ID: <844b3f32-39cc-4c78-a1d4-5bef9755dee4@proxmox.com> (raw)
In-Reply-To: <20251023103953.305810-3-n.frey@proxmox.com>
On 10/23/25 12:39 PM, Nicolas Frey wrote:
> If POM is set up to mirror the PVE repository and only this repository
> is added on a PVE host, the `Repositories` panel will show an `Error`
> status with the message:
>
> `No Proxmox VE repository is enabled, you do not get any updates!`
>
> This is because the current implementation only checks if the uri of
> the repo matches that of one of the standard repos.
>
> This commit aims to fix this issue by verifying it through signage
> info via `proxmox-pgp`. The InRelease file cached at
> `/var/lib/apt/lists/` is used to check whether the package is of
> Proxmox Origin.
>
forgot to add
Fixes: https://bugzilla.proxmox.com/show_bug.cgi?id=5207
> Signed-off-by: Nicolas Frey <n.frey@proxmox.com>
> ---
> proxmox-apt/Cargo.toml | 1 +
> proxmox-apt/src/repositories/repository.rs | 56 ++++++++++++++++++----
> 2 files changed, 47 insertions(+), 10 deletions(-)
>
> diff --git a/proxmox-apt/Cargo.toml b/proxmox-apt/Cargo.toml
> index e5beb4e6..5a8e25eb 100644
> --- a/proxmox-apt/Cargo.toml
> +++ b/proxmox-apt/Cargo.toml
> @@ -23,6 +23,7 @@ rfc822-like = "0.2.1"
> proxmox-apt-api-types.workspace = true
> proxmox-config-digest = { workspace = true, features = ["openssl"] }
> proxmox-sys.workspace = true
> +proxmox-pgp.workspace = true
>
> apt-pkg-native = { version = "0.3.2", optional = true }
> regex = { workspace = true, optional = true }
> diff --git a/proxmox-apt/src/repositories/repository.rs b/proxmox-apt/src/repositories/repository.rs
> index 24e7943b..5e386665 100644
> --- a/proxmox-apt/src/repositories/repository.rs
> +++ b/proxmox-apt/src/repositories/repository.rs
> @@ -2,6 +2,7 @@ use std::io::{BufRead, BufReader, Write};
> use std::path::{Path, PathBuf};
>
> use anyhow::{bail, format_err, Error};
> +use proxmox_pgp::{verify_signature, WeakCryptoConfig};
>
> use crate::repositories::standard::APTRepositoryHandleImpl;
> use proxmox_apt_api_types::{
> @@ -122,21 +123,24 @@ impl APTRepositoryImpl for APTRepository {
> product: &str,
> suite: &str,
> ) -> bool {
> - let (package_type, handle_uris, component, _key) = handle.info(product);
> -
> - let mut found_uri = false;
> -
> - for uri in self.uris.iter() {
> - let uri = uri.trim_end_matches('/');
> -
> - found_uri = found_uri || handle_uris.iter().any(|handle_uri| handle_uri == uri);
> - }
> + let (package_type, handle_uris, component, key) = handle.info(product);
> +
> + let found_uri_or_signed = || {
> + let mut found = false;
> + for uri in self.uris.iter() {
> + let uri = uri.trim_end_matches('/');
> + found = found
> + || handle_uris.iter().any(|handle_uri| handle_uri == uri)
> + || is_signed_by_key(uri, suite, key);
> + }
> + found
> + };
>
> self.types.contains(&package_type)
> - && found_uri
> // using contains would require a &String
> && self.suites.iter().any(|self_suite| self_suite == suite)
> && self.components.contains(&component)
> + && found_uri_or_signed()
> }
>
> fn origin_from_uris(&self) -> Option<String> {
> @@ -389,6 +393,38 @@ fn write_stanza(repo: &APTRepository, w: &mut dyn Write) -> Result<(), Error> {
> Ok(())
> }
>
> +/// Reads file contents of cached/local POM InRelease file from uri
> +/// and key to verify pgp signature
> +fn is_signed_by_key(uri: &str, suite: &str, key_path: &str) -> bool {
> + let data = match std::fs::read(&release_filename(
> + Path::new("/var/lib/apt/lists"),
> + uri,
> + suite,
> + false,
> + )) {
> + Ok(d) => d,
> + Err(err) => {
> + log::warn!("could not read InRelease file: {err}");
> + return false;
> + }
> + };
> +
> + let key = match std::fs::read(key_path) {
> + Ok(k) => k,
> + Err(err) => {
> + log::warn!("could not read key file '{key_path}': {err}");
> + return false;
> + }
> + };
> +
> + if let Err(e) = verify_signature(&data, &key, None, &WeakCryptoConfig::default()) {
> + log::error!("PGP signature verification failed: {e:?}");
> + return false;
> + }
> +
> + true
> +}
> +
> #[test]
> fn test_uri_to_filename() {
> let filename = uri_to_filename("https://some_host/some/path");
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next prev parent reply other threads:[~2025-10-23 14:24 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-23 10:39 [pve-devel] [PATCH proxmox v5 0/4] " Nicolas Frey
2025-10-23 10:39 ` [pve-devel] [PATCH proxmox v5 1/4] add proxmox-pgp subcrate, move POM verifier code to it Nicolas Frey
2025-10-23 10:39 ` [pve-devel] [PATCH proxmox v5 2/4] fix #5207: apt: check signage of repos with proxmox-pgp Nicolas Frey
2025-10-23 14:24 ` Nicolas Frey [this message]
2025-10-23 10:39 ` [pve-devel] [PATCH proxmox v5 3/4] apt: add tests for POM release filenames Nicolas Frey
2025-10-23 10:39 ` [pve-devel] [PATCH proxmox v5 4/4] apt: check for local POM InRelease as fallback Nicolas Frey
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=844b3f32-39cc-4c78-a1d4-5bef9755dee4@proxmox.com \
--to=n.frey@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox