public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed
From: Nicolas Frey <n.frey@proxmox.com>
To: Shannon Sterz <s.sterz@proxmox.com>
Cc: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH proxmox v5 2/4] fix #5207: apt: check signage of repos with proxmox-pgp
Date: Wed, 29 Oct 2025 14:44:35 +0100	[thread overview]
Message-ID: <aa7667cb-27f8-4d5f-b2a2-0e7338a0a3cd@proxmox.com> (raw)
In-Reply-To: <DDUR1LYIO708.N961J30F5MPH@proxmox.com>

On 10/29/25 11:54 AM, Shannon Sterz wrote:
> nit: signage usually mean physical signs (billboards, traffic signs
> etc.). so the commit subject should probably be
> 
> check signatures of repos with proxmox-pgp
> 
> :)

Ah, I mixed up the meaning here then, thanks!

> 
> On Thu Oct 23, 2025 at 12:39 PM CEST, Nicolas Frey wrote:
>> If POM is set up to mirror the PVE repository and only this repository
>> is added on a PVE host, the `Repositories` panel will show an `Error`
>> status with the message:
>>
>> `No Proxmox VE repository is enabled, you do not get any updates!`
>>
>> This is because the current implementation only checks if the uri of
>> the repo matches that of one of the standard repos.
>>
>> This commit aims to fix this issue by verifying it through signage
>> info via `proxmox-pgp`. The InRelease file cached at
>> `/var/lib/apt/lists/` is used to check whether the package is of
>> Proxmox Origin.
>>
>> Signed-off-by: Nicolas Frey <n.frey@proxmox.com>
>> ---
>>  proxmox-apt/Cargo.toml                     |  1 +
>>  proxmox-apt/src/repositories/repository.rs | 56 ++++++++++++++++++----
>>  2 files changed, 47 insertions(+), 10 deletions(-)
>>
>> diff --git a/proxmox-apt/Cargo.toml b/proxmox-apt/Cargo.toml
>> index e5beb4e6..5a8e25eb 100644
>> --- a/proxmox-apt/Cargo.toml
>> +++ b/proxmox-apt/Cargo.toml
>> @@ -23,6 +23,7 @@ rfc822-like = "0.2.1"
>>  proxmox-apt-api-types.workspace = true
>>  proxmox-config-digest = { workspace = true, features = ["openssl"] }
>>  proxmox-sys.workspace = true
>> +proxmox-pgp.workspace = true
>>
>>  apt-pkg-native = { version = "0.3.2", optional = true }
>>  regex = { workspace = true, optional = true }
>> diff --git a/proxmox-apt/src/repositories/repository.rs b/proxmox-apt/src/repositories/repository.rs
>> index 24e7943b..5e386665 100644
>> --- a/proxmox-apt/src/repositories/repository.rs
>> +++ b/proxmox-apt/src/repositories/repository.rs
>> @@ -2,6 +2,7 @@ use std::io::{BufRead, BufReader, Write};
>>  use std::path::{Path, PathBuf};
>>
>>  use anyhow::{bail, format_err, Error};
>> +use proxmox_pgp::{verify_signature, WeakCryptoConfig};
>>
>>  use crate::repositories::standard::APTRepositoryHandleImpl;
>>  use proxmox_apt_api_types::{
>> @@ -122,21 +123,24 @@ impl APTRepositoryImpl for APTRepository {
>>          product: &str,
>>          suite: &str,
>>      ) -> bool {
>> -        let (package_type, handle_uris, component, _key) = handle.info(product);
>> -
>> -        let mut found_uri = false;
>> -
>> -        for uri in self.uris.iter() {
>> -            let uri = uri.trim_end_matches('/');
>> -
>> -            found_uri = found_uri || handle_uris.iter().any(|handle_uri| handle_uri == uri);
>> -        }
>> +        let (package_type, handle_uris, component, key) = handle.info(product);
>> +
>> +        let found_uri_or_signed = || {
>> +            let mut found = false;
>> +            for uri in self.uris.iter() {
>> +                let uri = uri.trim_end_matches('/');
>> +                found = found
>> +                    || handle_uris.iter().any(|handle_uri| handle_uri == uri)
>> +                    || is_signed_by_key(uri, suite, key);
>> +            }
>> +            found
>> +        };
>>
>>          self.types.contains(&package_type)
>> -            && found_uri
>>              // using contains would require a &String
>>              && self.suites.iter().any(|self_suite| self_suite == suite)
>>              && self.components.contains(&component)
>> +            && found_uri_or_signed()
>>      }
>>
>>      fn origin_from_uris(&self) -> Option<String> {
>> @@ -389,6 +393,38 @@ fn write_stanza(repo: &APTRepository, w: &mut dyn Write) -> Result<(), Error> {
>>      Ok(())
>>  }
>>
>> +/// Reads file contents of cached/local POM InRelease file from uri
>> +/// and key to verify pgp signature
>> +fn is_signed_by_key(uri: &str, suite: &str, key_path: &str) -> bool {
>> +    let data = match std::fs::read(&release_filename(
>> +        Path::new("/var/lib/apt/lists"),
>> +        uri,
>> +        suite,
>> +        false,
>> +    )) {
>> +        Ok(d) => d,
>> +        Err(err) => {
>> +            log::warn!("could not read InRelease file: {err}");
>> +            return false;
>> +        }
>> +    };
>> +
>> +    let key = match std::fs::read(key_path) {
>> +        Ok(k) => k,
>> +        Err(err) => {
>> +            log::warn!("could not read key file '{key_path}': {err}");
>> +            return false;
>> +        }
>> +    };
>> +
>> +    if let Err(e) = verify_signature(&data, &key, None, &WeakCryptoConfig::default()) {
>> +        log::error!("PGP signature verification failed: {e:?}");
>> +        return false;
>> +    }
>> +
>> +    true
>> +}
>> +
>>  #[test]
>>  fn test_uri_to_filename() {
>>      let filename = uri_to_filename("https://some_host/some/path");
> 



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


  reply	other threads:[~2025-10-29 13:44 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-10-23 10:39 [pve-devel] [PATCH proxmox v5 0/4] " Nicolas Frey
2025-10-23 10:39 ` [pve-devel] [PATCH proxmox v5 1/4] add proxmox-pgp subcrate, move POM verifier code to it Nicolas Frey
2025-10-29 10:54   ` Shannon Sterz
2025-10-29 13:44     ` Nicolas Frey
2025-10-29 19:39   ` Thomas Lamprecht
2025-10-23 10:39 ` [pve-devel] [PATCH proxmox v5 2/4] fix #5207: apt: check signage of repos with proxmox-pgp Nicolas Frey
2025-10-23 14:24   ` Nicolas Frey
2025-10-29 10:55   ` Shannon Sterz
2025-10-29 13:44     ` Nicolas Frey [this message]
2025-10-23 10:39 ` [pve-devel] [PATCH proxmox v5 3/4] apt: add tests for POM release filenames Nicolas Frey
2025-10-23 10:39 ` [pve-devel] [PATCH proxmox v5 4/4] apt: check for local POM InRelease as fallback Nicolas Frey
2025-10-29 10:55   ` Shannon Sterz
2025-10-29 13:44     ` Nicolas Frey
2025-10-30 13:30 ` [pve-devel] [PATCH proxmox v5 0/4] fix #5207: apt: check signage of repos with proxmox-pgp Nicolas Frey

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aa7667cb-27f8-4d5f-b2a2-0e7338a0a3cd@proxmox.com \
    --to=n.frey@proxmox.com \
    --cc=pve-devel@lists.proxmox.com \
    --cc=s.sterz@proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal