How to GPG verify the Proxmox iso?

Are you specifically asking about SIGNING or just to verify integrity? You have SHA256 to verify on the web:
https://www.proxmox.com/en/downloads

Code:
sha256sum -c <<< "c96ad84eacbbcef299ab8f407f9602f832abb5ceb08a9aa288c1e1164df2da97  proxmox-ve_8.2-2.iso"

If DNSSEC is a thing for you, proxmox.com does not use it, but you rely on Let's Encrypt that the fingerprints are not bogus...
 
1.) Are you getting a security warning trying to open:

https://download.proxmox.com/iso/

? For me it says the connection is not private. The enterprise site works fine.

2.) But all those links have is the ISO, and the .asc file is just the public key, I believe? No signatures.
 
> 1.) Are you getting a security warning trying to open:
>
> https://download.proxmox.com/iso/
>
> ? For me it says the connection is not private. The enterprise site works fine.

There's a CN mismatch there so the SSL will complain, but beyond that, I feel like it's serving the same directory.

I am NOT staff, I have no idea why it's set up this way either. :)

> 2.) But all those links have is the ISO, and the .asc file is just the public key, I believe? No signatures.

No, the .asc file is THE signature of the checksum file. So you would have to verify that signature, upon which you know you have good checksums to check the fingerprints.

The keys seem to be incidentally in: https://enterprise.proxmox.com/debian/

Before you ask, I have no idea if they run a proper keyserver.
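
The two-step check described in the reply above (verify the signature on the checksum file, then check the ISO against it), as an added example that is not part of the original thread and not Proxmox's own tooling. The file names `SHA256SUMS`, `SHA256SUMS.asc` and `release-key.gpg`, and both function names, are assumptions; the keyring must be a binary keyring holding only a key you have vetted yourself.

```shell
#!/usr/bin/env bash
# Added example. Assumed usage (file names are placeholders):
#   verify_iso ./release-key.gpg SHA256SUMS SHA256SUMS.asc proxmox-ve_8.2-2.iso

# check_iso_hash SUMS ISO
# Succeeds only if SUMS has exactly one entry for ISO's base name and the
# SHA-256 of ISO equals it. Accepts "hash  name" and "hash *name" lines.
check_iso_hash() {
    local sums="$1" iso="$2" name want got
    name=$(basename -- "$iso")
    want=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { h = $1; c++ }
        END { if (c == 1) print h }' "$sums") || return 2
    [ -n "$want" ] || return 2          # missing or ambiguous entry
    got=$(sha256sum < "$iso" | cut -d" " -f1) || return 2
    [ "$got" = "$want" ]
}

# verify_iso KEYRING SUMS SIG ISO
# KEYRING: path (containing a slash) to a keyring with only the vetted key,
# so a signature made by any other key cannot pass.
verify_iso() {
    local keyring="$1" sums="$2" sig="$3" iso="$4"
    # Step 1: the detached signature must verify against the vetted key only.
    if ! gpg --no-default-keyring --keyring "$keyring" \
             --verify "$sig" "$sums"; then
        echo "FAIL: signature on $sums did not verify" >&2
        return 1
    fi
    # Step 2: only now are the checksums worth comparing against.
    if ! check_iso_hash "$sums" "$iso"; then
        echo "FAIL: $iso does not match $sums" >&2
        return 1
    fi
    echo "OK: $iso"
}
```
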
 
> No, the .asc file is THE signature of the checksum file. So you would have to verify that signature, upon which you know you have good checksums to check the fingerprints.

Oh got you, that makes sense. Thanks.
 
So apparently [1] you are supposed to use the download subdomain on plain http. I guess this has to do with sharing a certificate on a CDN.

But that does not really matter much given the next thing you would be doing is verifying signatures on what you got.

What is bizarre is ... that there's no keyserver to get it from to trust?

[1] https://pve.proxmox.com/pve-docs/pve-admin-guide.html#sysadmin_package_repositories
 
Not sure I fully follow but maybe from the manual:

"If you install Proxmox VE from an official ISO image, the key for verification is already installed."?


NM, I follow.
 