PVE no subscription repository signing?

CGC

New Member
May 25, 2023
How does one get the signing key for this repository?

deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription

Tried both of these:

wget https://enterprise.proxmox.com/debian/proxmox-release-bookworm.gpg -O /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg
wget https://enterprise.proxmox.com/debian/proxmox-release-bullseye.gpg -O /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg

This is what's in /etc/apt/trusted.gpg.d/

-rw-r--r-- 1 root root 1187 Nov 27 2022 proxmox-release-bookworm.gpg
-rw-r--r-- 1 root root 1187 Dec 14 2020 proxmox-release-bullseye.gpg
-rw-r--r-- 1 root root 1202 May 23 2019 proxmox-ve-release-6.x.gpg
-rw-r--r-- 1 root root 0 Nov 25 05:15 proxmox-ve-release-7.x.gpg
-rw-r--r-- 1 root root 0 Nov 25 05:16 proxmox-ve-release-8.x.gpg

There is nothing useful in here:

https://pve.proxmox.com/wiki/Package_Repositories

The system I am working on has Proxmox 8.0.3, and I looked at this:

https://myproxmox:8006/#v1:0:=node/r421:4:=aptrepositories::::::

I removed Proxmox things from /etc/apt/sources.list.d/, refreshed the interface, manually added both the Proxmox and Ceph repos from the graphical interface. Now it finally does apt update && apt upgrade without complaints. Is this really how things are supposed to be done? I understand this is a whole major release, and getting everything into the web interface is OK, I guess ... but the lack of a clear command line method to do this is troubling.

So if this really IS the right thing, someone should go through the documentation immediately and add some clarifications.
 
Your title says "No Subscription" but you want to use the "Subscription" repo.

Do you have a subscription now or not?
 
No subscription and the only reason it says Subscription in the body is that those are the only keys mentioned in terms of command line updates. I tried replacing the "enterprise" in the URL, that doesn't work. It remains a mystery as to how one would accomplish this just from the command line.

Stated another way - this is for subscribers:

https://enterprise.proxmox.com/debian/proxmox-release-bookworm.gpg

Where are the keys for the non-subscription users?
 
It looks like the pve-no-subscription repository can't be used because the website https://download.proxmox.com uses an invalid ssl certificate.

It should be possible to use this repo by forcing apt to trust it by specifying
deb [trusted=yes] http://download.proxmox.com/debian/pve bookworm pve-no-subscription

but for a product that's supposed to be secure and reliable, it's a bad showcase if the installation documentation doesn't work and the repository website isn't trustworthy.
 
It works fine here. Maybe it's something at your end? What ISP are you using? What does ping -c3 download.proxmox.com return?
 
download.proxmox.com can be reached fine, but the problem is that the server certificate is wrong. You can verify this by clicking on the URL in my post with any browser.

This causes the secure apt update to fail and forces everyone to use the unsecure apt download, which works only with the [trusted=yes] option that is missing in the documentation.

The licensed repository has the correct ssl certificate by the way, but can't be used for evaluation as in my case.
 
Check the docs, the no-subscription repo doesn't use https but plain http.
deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription
 
We already had this discussion. The staff doesn't think a proper SSL certificate is needed as the packages are already signed to ensure authenticity. The Enterprise repo only got that https because of some technical reasons, I can't remember anymore, that require it.
 
Dunuin, you may be right from a technical standpoint. But from a marketing standpoint, using a wrong certificate on a website and providing no apt signing key is like putting a sign in the shop window, saying "we don't care about certificates".

Please don't get me wrong, I was just starting to evaluate Proxmox as an alternative to our ESXi servers and spent hours just to get past the apt signing hurdles because we have a policy of allowing only https repositories. This was not a good first impression, and I was about to give up.

Now that Proxmox VE is finally running, I am absolutely excited by what I have seen so far. So my personal advice would be: publish an apt signing key and a working https repository. Not because it is absolutely necessary from a technical standpoint, but to show potential customers that you care about security and product quality.
 
and providing no apt signing key
Yesterday downloading that apt key was working fine. And you download it via https from the enterprise repo, so the authenticity of the key is verified and that key then verifies those packages from the unencrypted repo page. So technically there is a valid chain of trust.
But yes, I agree... having only self-signed certificates isn't great for the image if you want to look secure/trustworthy to customers.
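
Added example (not part of any post in this thread, and not Proxmox tooling): a small shell audit for the two conditions that came up above, zero-byte key files in a keyring directory (like the proxmox-ve-release-7.x.gpg and proxmox-ve-release-8.x.gpg entries in the listing) and source lines carrying [trusted=yes], which makes apt skip signature verification for that repository. The function names and the sample files built in demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit APT trust configuration (hypothetical helper names).

# Print the names of key files in directory $1 that are zero bytes long.
# A failed download leaves such files behind; they hold no key, so apt
# cannot verify any repository signature with them.
empty_keys() {
    for f in "$1"/*.gpg "$1"/*.asc; do
        [ -f "$f" ] && [ ! -s "$f" ] && basename "$f"
    done
    return 0
}

# Print every active deb/deb-src line in sources file $1 that sets
# trusted=yes. Commented-out lines are ignored.
unverified_sources() {
    grep -E '^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*trusted=yes' "$1" || true
}

# Build a constructed keyring directory and sources file modelled on the
# thread, then run both checks against them.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/trusted.gpg.d"
    printf 'constructed placeholder, not a real key\n' \
        > "$tmp/trusted.gpg.d/proxmox-release-bookworm.gpg"
    : > "$tmp/trusted.gpg.d/proxmox-ve-release-8.x.gpg"   # zero-byte file
    {
        echo 'deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription'
        echo 'deb [trusted=yes] http://download.proxmox.com/debian/pve bookworm pve-no-subscription'
    } > "$tmp/pve.list"

    echo "Empty key files:"
    empty_keys "$tmp/trusted.gpg.d"
    echo "Sources with signature verification disabled:"
    unverified_sources "$tmp/pve.list"
    rm -rf "$tmp"
}

demo
```

On a real host the arguments would be /etc/apt/trusted.gpg.d and each file under /etc/apt/sources.list.d/.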