LXC container download http(s?)

gth871r

New Member
Jul 24, 2021
I was attempting to download an LXC container template and noticed that the PVE web gui is using http to do the download. Is it doing some kind of checksum or something to verify the authenticity of the download after the fact?

I'm having trouble getting the download direct to the server to work (I think due to a routing/firewall/security somethinrother) and I was trying to download it on another system and transfer the file over but without https how can I be sure that the file I've downloaded is authentic? Is there a https link that I can use?
 
> I was attempting to download an LXC container template and noticed that the PVE web gui is using http to do the download. Is it doing some kind of checksum or something to verify the authenticity of the download after the fact?

Yes, it uses a technique similar to the one that makes Debian/Proxmox package downloads safe over untrusted mediums.
The container appliance index, which Proxmox VE uses, is signed with our private and safe release GPG key, which gets verified with the public key on every update and cached locally. That index contains the expected hash sums of every available CT appliance file; those can then be checked after a download to ensure integrity and authenticity.

> I'm having trouble getting the download direct to the server to work (I think due to a routing/firewall/security somethinrother) and I was trying to download it on another system and transfer the file over but without https how can I be sure that the file I've downloaded is authentic? Is there a https link that I can use?

No, and HTTPS does not actually add that much to authenticity: an attacker (e.g., in control of your DNS) could set up a Let's Encrypt host that would validate and get trusted by the system's CA store just fine and then deliver arbitrary data, as could a proxy of an ISP or the like.

By relying on the release key, the medium does not matter anymore, and we get a single trust anchor that cannot be messed with locally, nor do we need to 100% trust any CDN mirror.

You could configure a proxy (Datacenter -> Options) and configure that for Proxmox VE?
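
The check described in the reply above, applied to a template that was downloaded on another machine and copied over; this is an added example, not part of the thread and not Proxmox code. It assumes the index is a Debian-control-style text file with `Location` and `sha512sum` fields, and that the index text passed in is the copy whose GPG signature was already verified against the release key; the sample index and file are constructed.

```python
import hashlib
import os
import tempfile

def parse_index(text):
    """Parse blank-line-separated 'Key: value' stanzas into dicts."""
    entries = []
    for stanza in text.strip().split("\n\n"):
        entry, key = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and key:   # continuation of previous field
                entry[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                key = key.strip().lower()
                entry[key] = value.strip()
        if entry:
            entries.append(entry)
    return entries

def sha512_file(path, chunk=1 << 20):
    """Hash the file in chunks so large templates do not need to fit in RAM."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_template(path, index_text):
    """True only if the file name is listed in the index and its SHA-512 matches."""
    name = os.path.basename(path)
    for e in parse_index(index_text):
        if os.path.basename(e.get("location", "")) == name and "sha512sum" in e:
            return sha512_file(path) == e["sha512sum"].lower()
    return False  # not listed in the signed index: treat as untrusted

def demo():
    payload = b"constructed template bytes"   # stands in for a real template
    index = ("Package: example-ct\nLocation: system/example-ct_1.0_amd64.tar.zst\n"
             "Description: constructed entry\n line two\n"
             f"sha512sum: {hashlib.sha512(payload).hexdigest()}\n")
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example-ct_1.0_amd64.tar.zst")
        with open(path, "wb") as f:
            f.write(payload)
        intact = verify_template(path, index)
        with open(path, "ab") as f:
            f.write(b"x")                      # simulate tampering in transit
        return intact, verify_template(path, index)

if __name__ == "__main__":
    print(demo())
```

The hash comparison only carries the release key's guarantee if the index itself was signature-checked first; a hash taken from an unverified index proves nothing about authenticity.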
 
