* Re: [PVE-User] HTTPS for download.proxmox.com
[not found] ` <1bc4ea0a-2978-4214-d75a-e2c0f1ad0104@coppint.com>
@ 2020-07-29 9:31 ` proxmox-pve-user-list
2020-07-29 11:37 ` Fabian Grünbichler
1 sibling, 0 replies; 2+ messages in thread
From: proxmox-pve-user-list @ 2020-07-29 9:31 UTC (permalink / raw)
To: pve-user

Hi Florent,

> download.proxmox.com packages are signed with key which public part can
> be downloaded on... download.proxmox.com, without https ! Well done.

That's what public keys are made for .. make them public .. https
doesn't change that .. it's used to transport secrets .. secret like the
S in HTTPS

If you want to use https for validation, you're on the wrong trip. You'd
have to personally check the pub key person (you) to person (proxmox key
admin) to be 100% sure about the correctness of the key ..

If the key is not correct and you aren't already hacked by some evil
minions you'll get a failure at package validation request .. or even
earlier on 'apt update'

The only real gain of package/pub-key distribution via https is a felt
security gain.
The real security gain is minimal and more theoretical. (If someone can
compromise you with changed packages _and_ a wrong repo-key then you
have greater problems than that ;) )

Greeting,
Andreas F.

>
> On 30/11/2017 12:32, Dietmar Maurer wrote:
>> This is why we have an enterprise repository! Please use the enterprise
>> repository
>> if you want SSL.
>>
>>> On November 30, 2017 at 12:22 PM Florent B <florent@coppint.com> wrote:
>>>
>>>
>>> Up !
>>>
>>>
>>> On 30/05/2017 15:21, Florent B wrote:
>>>> Hi PVE team,
>>>>
>>>> Would it be possible to include "download.proxmox.com" in SSL
>>>> certificate for accessing downloads with HTTPS.
>>>>
>>>> Current certificate is only valid for proxmox.com & enterprise.proxmox.com.
>>>>
>>>> Thank you.
>>>>
>>>> Florent
>>>>
>>>> _______________________________________________
>>>> pve-user mailing list
>>>> pve-user@pve.proxmox.com
>>>> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
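
Added example, not part of the original thread and not Proxmox code: the key check discussed above amounts to comparing the fingerprint of the fetched repository key with one obtained over a separate channel, whatever transport delivered the key file. The function names and the sample key packet (dummy numbers, built only for this illustration) are assumptions.

```python
import hashlib
import hmac

def first_public_key_body(data: bytes) -> bytes:
    """Body of the first public-key packet (tag 6) in a binary OpenPGP keyring."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError("not binary OpenPGP data (dearmor ASCII keys first)")
        if hdr & 0x40:                      # new-format header
            tag, first = hdr & 0x3F, data[pos + 1]
            if first < 192:
                length, start = first, pos + 2
            elif first < 224:
                length, start = ((first - 192) << 8) + data[pos + 2] + 192, pos + 3
            elif first == 255:
                length, start = int.from_bytes(data[pos + 2:pos + 6], "big"), pos + 6
            else:
                raise ValueError("partial body lengths are not handled")
        else:                               # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate lengths are not handled")
            size = (1, 2, 4)[ltype]
            length, start = int.from_bytes(data[pos + 1:pos + 1 + size], "big"), pos + 1 + size
        body = data[start:start + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        if tag == 6:
            return body
        pos = start + length
    raise ValueError("no public-key packet found")

def v4_fingerprint(keyring: bytes) -> str:
    """SHA-1 over 0x99, two-octet body length, body (RFC 4880, section 12.2)."""
    body = first_public_key_body(keyring)
    if body[:1] != b"\x04":
        raise ValueError("only version 4 keys are handled")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def key_matches_pin(keyring: bytes, pinned_fingerprint: str) -> bool:
    """Compare a fetched key against a fingerprint obtained over another channel."""
    pinned = "".join(pinned_fingerprint.split()).upper()
    return hmac.compare_digest(v4_fingerprint(keyring), pinned)

# Constructed sample: a structurally valid v4 RSA key packet with dummy numbers.
BODY = b"\x04" + (1596000000).to_bytes(4, "big") + b"\x01" + b"\x00\x10\xc3\x51" + b"\x00\x11\x01\x00\x01"
SAMPLE_KEYRING = b"\x99" + len(BODY).to_bytes(2, "big") + BODY
TAMPERED = SAMPLE_KEYRING[:-1] + b"\x03"   # same packet with one key byte changed
```

The pinned fingerprint has to come from a source other than the server that delivered the key file; otherwise the comparison only confirms that the download matches itself.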