On 17.07.25 at 10:00, Shannon Sterz wrote:
> so they better match the repository defintions above

tiny typo: definitions

> Signed-off-by: Shannon Sterz <s.st...@proxmox.com> > --- > pve-package-repos.adoc | 14 ++++++++------ > 1 file changed, 8 insertions(+), 6 deletions(-) > > diff --git a/pve-package-repos.adoc b/pve-package-repos.adoc > index 063bc6f..4af8a51 100644 > --- a/pve-package-repos.adoc > +++ b/pve-package-repos.adoc 
> @@ -269,24 +269,26 @@ the key with the following commands: > > ---- > # wget https://enterprise.proxmox.com/debian/proxmox-release-trixie.gpg -O > - /etc/apt/trusted.gpg.d/proxmox-release-trixie.gpg > + /usr/share/keyrings/proxmox-archive-keyring.gpg > ---- > > Verify the checksum afterwards with the `sha512sum` CLI tool: > > ---- > -# sha512sum /etc/apt/trusted.gpg.d/proxmox-release-trixie.gpg > -7da6fe34168adc6e479327ba517796d4702fa2f8b4f0a9833f5ea6e6b48f6507a6da403a274fe201595edc86a84463d50383d07f64bdde2e3658108db7d6dc87 > -/etc/apt/trusted.gpg.d/proxmox-release-trixie.gpg > +# sha512sum /usr/share/keyrings/proxmox-archive-keyring.gpg > + > 8678f2327c49276615288d7ca11e7d296bc8a2b96946fe565a9c81e533f9b15a5dbbad210a0ad5cd46d361ff1d3c4bac55844bc296beefa4f88b86e44e69fa51 > +/usr/share/keyrings/proxmox-archive-keyring.gpg

But that will change with the next key ring change, e.g. once a new key for a future release gets added or an oldoldstable release key is dropped.

Switching to /usr still makes sense; in the long run /etc might even get fully deprecated.

We either could stay using the per-release key files, which are also available in /usr, or, for a slightly bigger change, switch to the `sq keyring list` output, or some other fitting command of it. As some sq tools are now used by core debian packaging tools like apt, it'd be relatively safe to use here IMO. For example:

# sq keyring list /usr/share/keyrings/proxmox-archive-keyring.gpg
0. F4E136C67CDCE41AE6DE6FC81140AF8F639E0C39 Proxmox Bookworm Release Key <proxmox-rele...@proxmox.com>
1. 24B30F06ECC1836A4E5EFECBA7BCD1420BFE778E Proxmox Trixie Release Key <proxmox-rele...@proxmox.com>

Could be combined with the per-release hash sums, and if we change this I'd be a tiny bit in favor of switching sha512sum to sha256sum, as I don't think we or users gain much security, longer strings aren't easier to compare and sha256sum is still very much state of the art and deemed infeasible to break, IIRC.
> ---- > > or the `md5sum` CLI tool: > > ---- > -# md5sum /etc/apt/trusted.gpg.d/proxmox-release-trixie.gpg > -41558dc019ef90bd0f6067644a51cf5b > /etc/apt/trusted.gpg.d/proxmox-release-trixie.gpg > +# md5sum /usr/share/keyrings/proxmox-archive-keyring.gpg > +c94e3775fbafec13fec20f981db61e93 > /usr/share/keyrings/proxmox-archive-keyring.gpg > ---- > > +NOTE: Make sure the path you install the key to matches the `Signed-By:` > lines > +in your repository stanzas. > > ifdef::wiki[] >
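
Review bot: the `wget` line in the first listing still fetches `proxmox-release-trixie.gpg`, yet both expected checksums change together with the `-O` target, so the new sums do not look like they belong to the file this command downloads. If they were computed from the packaged `/usr/share/keyrings/proxmox-archive-keyring.gpg`, a reader following the steps as written would see a mismatch; either keep the per-release file name and its sums under `/usr/share/keyrings/`, or point the download at the file the sums were taken from. The `md5sum` listing is carried over as an alternative check; MD5 is not collision resistant, so it could be dropped in favour of a single SHA-2 sum while these lines are being touched.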