From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 6E7431FF165 for ; Thu, 23 Oct 2025 16:24:14 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 33433C2BF; Thu, 23 Oct 2025 16:24:40 +0200 (CEST) Message-ID: <844b3f32-39cc-4c78-a1d4-5bef9755dee4@proxmox.com> Date: Thu, 23 Oct 2025 16:24:36 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird To: pve-devel@lists.proxmox.com References: <20251023103953.305810-1-n.frey@proxmox.com> <20251023103953.305810-3-n.frey@proxmox.com> From: Nicolas Frey Content-Language: en-US In-Reply-To: <20251023103953.305810-3-n.frey@proxmox.com> X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1761229468911 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.850 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pve-devel] [PATCH proxmox v5 2/4] fix #5207: apt: check signage of repos with proxmox-pgp X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel"
On 10/23/25 12:39 PM, Nicolas Frey wrote:
> If POM is set up to mirror the PVE repository and only this repository
> is added on a PVE host, the `Repositories` panel will show an `Error`
> status with the message:
>
> `No Proxmox VE repository is enabled, you do not get any updates!`
>
> This is because the current implementation only checks if the uri of
> the repo matches that of one of the standard repos.
>
> This commit aims to fix this issue by verifying it through signage
> info via `proxmox-pgp`. The InRelease file cached at
> `/var/lib/apt/lists/` is used to check whether the package is of
> Proxmox Origin.
>
forgot to add Fixes: https://bugzilla.proxmox.com/show_bug.cgi?id=5207
> Signed-off-by: Nicolas Frey
> ---
> proxmox-apt/Cargo.toml | 1 +
> proxmox-apt/src/repositories/repository.rs | 56 ++++++++++++++++++----
> 2 files changed, 47 insertions(+), 10 deletions(-)
>
> diff --git a/proxmox-apt/Cargo.toml b/proxmox-apt/Cargo.toml
> index e5beb4e6..5a8e25eb 100644
> --- a/proxmox-apt/Cargo.toml
> +++ b/proxmox-apt/Cargo.toml
> @@ -23,6 +23,7 @@ rfc822-like = "0.2.1"
> proxmox-apt-api-types.workspace = true
> proxmox-config-digest = { workspace = true, features = ["openssl"] }
> proxmox-sys.workspace = true
> +proxmox-pgp.workspace = true
>
> apt-pkg-native = { version = "0.3.2", optional = true }
> regex = { workspace = true, optional = true }
> diff --git a/proxmox-apt/src/repositories/repository.rs b/proxmox-apt/src/repositories/repository.rs
> index 24e7943b..5e386665 100644
> --- a/proxmox-apt/src/repositories/repository.rs
> +++ b/proxmox-apt/src/repositories/repository.rs
> @@ -2,6 +2,7 @@ use std::io::{BufRead, BufReader, Write};
> use std::path::{Path, PathBuf};
>
> use anyhow::{bail, format_err, Error};
> +use proxmox_pgp::{verify_signature, WeakCryptoConfig};
>
> use crate::repositories::standard::APTRepositoryHandleImpl;
> use proxmox_apt_api_types::{
> @@ -122,21 +123,24 @@ impl APTRepositoryImpl for APTRepository {
> product: &str,
> suite: &str,
> ) -> bool {
> - let (package_type, handle_uris, component, _key) = handle.info(product);
> -
> - let mut found_uri = false;
> -
> - for uri in self.uris.iter() {
> - let uri = uri.trim_end_matches('/');
> -
> - found_uri = found_uri || handle_uris.iter().any(|handle_uri| handle_uri == uri);
> - }
> + let (package_type, handle_uris, component, key) = handle.info(product);
> +
> + let found_uri_or_signed = || {
> + let mut found = false;
> + for uri in self.uris.iter() {
> + let uri = uri.trim_end_matches('/');
> + found = found
> + || handle_uris.iter().any(|handle_uri| handle_uri == uri)
> + || is_signed_by_key(uri, suite, key);
> + }
> + found
> + };
>
> self.types.contains(&package_type)
> - && found_uri
> // using contains would require a &String
> && self.suites.iter().any(|self_suite| self_suite == suite)
> && self.components.contains(&component)
> + && found_uri_or_signed()
> }
>
> fn origin_from_uris(&self) -> Option {
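Review bot: The `found_uri_or_signed` closure re-implements `Iterator::any` with a mutable `found` accumulator; because `found || …` short-circuits once it is true, the loop is exactly `self.uris.iter().map(|uri| uri.trim_end_matches('/')).any(|uri| handle_uris.iter().any(|handle_uri| handle_uri == uri) || is_signed_by_key(uri, suite, key))`, which reads as the predicate it is. Keeping `found_uri_or_signed()` as the last conjunct is the right call, since `is_signed_by_key` reads from disk and runs a PGP verification for every URI that is not a known Proxmox URI, while the type, suite and component checks before it are cheap; a one-line comment such as `// evaluated last: is_signed_by_key reads the apt cache and verifies a signature` would keep a later refactor from reordering it. The enclosing method starts before the hunk.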
> @@ -389,6 +393,38 @@ fn write_stanza(repo: &APTRepository, w: &mut dyn Write) -> Result<(), Error> {
> Ok(())
> }
>
> +/// Reads file contents of cached/local POM InRelease file from uri
> +/// and key to verify pgp signature
> +fn is_signed_by_key(uri: &str, suite: &str, key_path: &str) -> bool {
> + let data = match std::fs::read(&release_filename(
> + Path::new("/var/lib/apt/lists"),
> + uri,
> + suite,
> + false,
> + )) {
> + Ok(d) => d,
> + Err(err) => {
> + log::warn!("could not read InRelease file: {err}");
> + return false;
> + }
> + };
> +
> + let key = match std::fs::read(key_path) {
> + Ok(k) => k,
> + Err(err) => {
> + log::warn!("could not read key file '{key_path}': {err}");
> + return false;
> + }
> + };
> +
> + if let Err(e) = verify_signature(&data, &key, None, &WeakCryptoConfig::default()) {
> + log::error!("PGP signature verification failed: {e:?}");
> + return false;
> + }
> +
> + true
> +}
> +
> #[test]
> fn test_uri_to_filename() {
> let filename = uri_to_filename("https://some_host/some/path");
_______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
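Review bot: `log::error!` on a failed `verify_signature` is too loud for what this function decides: it is reached for every configured URI that is not a known Proxmox URI but matches the handle's type, suite and component, so a mirror or third-party repository that is legitimately not signed with the Proxmox key produces an error-level entry on every repository listing, while the outcome is merely "not a standard repo". The two read failures above already use `log::warn!`; `log::warn!("PGP signature verification failed for '{uri}': {e}")` keeps the levels consistent and names the URI, which is what makes the entry actionable. `std::fs::read(&release_filename(...))` borrows a `PathBuf` only to pass it to a function taking `impl AsRef<Path>`, so the `&` can be dropped. The doc comment should also say what `false` means, e.g. `/// Returns false if the cached InRelease or the keyring at key_path cannot be read, or the signature does not verify against that keyring.`; and whether `WeakCryptoConfig::default()` rejects the algorithms this check is meant to exclude is not visible here and is worth confirming in the `proxmox-pgp` docs.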