question regarding proxmox apt key location

dudleyperkins

Renowned Member
Nov 24, 2014
Hello,

I have a question regarding the key for the proxmox repository. I stumbled upon this subject as I was removing all occurrences of "apt-key" (which will be removed in bookworm) in my config-management. I only have the one regarding proxmox left.

-----Explanation
Installing PVE on top of debian, the wiki/docs say to put the key for initial installation here:
/etc/apt/trusted.gpg.d/
after installation, and I assume also on bare-metal-iso-installations, the package "proxmox-archive-keyring" is responsible for keeping that key there (and update it to ensure future updates)

Now for "Third-Party" repos, debian doesn't recommend this anymore, see the debian-wiki for more details. (TLDR: keys there are valid for all configured repos, not just the one you want to use them for)

Advised practice now is:
1. put the key in /usr/share/keyrings/
2. add the [signed-by=/usr/share/keyrings/somename-archive-keyring.gpg] to the corresponding repo-sources-list.

-----Question
Are there any plans of changing the location of the apt key? I mean on a BM-Installation one could argue pve isn't a 3P-repo so no problem the key is added system-wide. On a top-of-debian install it could be interpreted as 3P.

Just wanted to know your thoughts on that matter.
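The practical difference between the two layouts described above is whether a repository entry carries a `[signed-by=...]` option that scopes a keyring to that one repository, or whether it relies on the system-wide trust store in /etc/apt/trusted.gpg.d/. The following POSIX shell audit is an added example, not code from the thread or from the Proxmox project: it parses one-line-style apt sources entries, reports which entries are scoped to an existing keyring, which name a keyring file that does not exist, and which fall back to the system-wide store. The sample entries, the `example.invalid` / `third-party.invalid` URLs and the keyring file names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the forum thread or the Proxmox project).
# Audits one-line-style apt sources entries and classifies each by how
# its signing key is trusted.
#
# Assumptions: the sample entries below are constructed; repository URLs
# and keyring paths are illustrative placeholders, not real Proxmox values.

# Print the keyring path from an entry's [signed-by=...] option,
# or nothing if the entry has no signed-by option.
signed_by_of() {
    printf '%s\n' "$1" | sed -n 's/.*\[[^]]*signed-by=\([^] ]*\)[^]]*\].*/\1/p'
}

# Classify one entry:
#   scoped          - signed-by present and the keyring file exists
#   missing-keyring - signed-by present but the file is absent (apt will reject the repo)
#   system-wide     - no signed-by; any key in /etc/apt/trusted.gpg.d/ may sign it
classify_entry() {
    entry="$1"
    key="$(signed_by_of "$entry")"
    if [ -z "$key" ]; then
        echo system-wide
    elif [ -f "$key" ]; then
        echo scoped
    else
        echo missing-keyring
    fi
}

# Walk a sources file, skipping blank and comment lines, and print
# "<class><TAB><entry>" for each repository entry.
audit_sources() {
    while IFS= read -r line; do
        case "$line" in
            ''|\#*) continue ;;
        esac
        printf '%s\t%s\n' "$(classify_entry "$line")" "$line"
    done < "$1"
}

# Constructed demo: one Debian entry, one entry scoped to an existing keyring,
# one entry pointing at a keyring that does not exist, and one third-party
# entry with no signed-by at all.
demo() {
    tmp="$(mktemp -d)"
    : > "$tmp/example-archive-keyring.gpg"   # stand-in for a real keyring file
    cat > "$tmp/sources.list" <<EOF
# constructed sample entries
deb http://deb.debian.org/debian bookworm main contrib
deb [signed-by=$tmp/example-archive-keyring.gpg] http://example.invalid/debian bookworm pve-no-subscription
deb [arch=amd64 signed-by=$tmp/absent-keyring.gpg] http://example.invalid/other bookworm main
deb http://third-party.invalid/debian bookworm main
EOF
    audit_sources "$tmp/sources.list"
    rm -rf "$tmp"
}

demo
```

Running the script prints one classification per entry. On a real host you would point `audit_sources` at /etc/apt/sources.list and the files under /etc/apt/sources.list.d/; entries reported as `system-wide` are the ones whose trust is decided by the shared store that the first post describes, which is exactly the property Debian's guidance for third-party repositories wants to avoid.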
 
Hi,

sorry for the late reply, this went under the radar here. But as it came up internally again I'll reply here to provide the answer to other possible interested readers.
> after installation, and I assume also on bare-metal-iso-installations, the package "proxmox-archive-keyring" is responsible for keeping that key there (and update it to ensure future updates)
Future updates are already ensured as we use new keys for each release with release-specific names.
The only time when this could make problems is if the user created a future key file with some bogus content and then responds with "no" to dpkg/apt asking if it should override this file with the one from the package on update. That is IMO rather unlikely and also self-inflicted.

It also wouldn't improve on security, as if one could manage to swap that key or take it over (unrealistic, being that it's residing on a separate HSM with very limited access) they can also roll out a new archive keyring package. IOW. an attacker with permission to create such a file would have full control over the system already anyway.

> 2. add the [signed-by=/usr/share/keyrings/somename-archive-keyring.gpg] to the corresponding repo-sources-list.
For third-party repos sure, but we don't consider Proxmox VE (and other Proxmox projects) as just a third-party package, but as their own distro being a Debian derivative.

> Are there any plans of changing the location of the apt key? I mean on a BM-Installation one could argue pve isn't a 3P-repo so no problem the key is added system-wide. On a top-of-debian install it could be interpreted as 3P.
Nothing specific planned. If so, we'd probably do so on a new major release. But as there aren't any real practical benefits currently, and as we're considering Proxmox VE being a derivative, not a third party, even if switched over from a vanilla Debian, we don't see the acute need.
We'll definitely revisit the topic once we generated the release key for the next major release, though.
 
Yes you're right, PVE is definitely more than just some 3P-App, I mean it even comes with its own kernel etc.

Thank you for your detailed answer.
 
