[pve-devel] [PATCH kernel] install release keys in a saner way

Fabian Grünbichler f.gruenbichler at proxmox.com
Tue Feb 21 10:24:25 CET 2017


apt actually expects single exported keys in the trusted
directory, not keyrings. recent gpg2 versions (like that in
Debian Stretch) switch to a different default keyring format
which apt does not handle at all, so the old hack will break
soon.

by changing the key format in this repository from armored
exported public key to binary exported public key, which
both apt in Debian Jessie and apt in Debian Stretch
understand, we can just install those two files directly
in the trusted dir.

bonus: the package content does not change based on gpg
version or configuration anymore.

Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
CC: dietmar at proxmox.com
CC: w.bumiller at proxmox.com
---
the keys were generated by:
* importing the keys using the old format (gpg2 --import)
* deleting the unneeded encryption subkey from the 4.x key (gpg2 --edit-key)
* re-exporting each key with "gpg2 --export 0xFINGERPRINT > OUTPUTFILE"

comparing the previous .pubkey files' contents with those of their new
counterparts shows they are identical except for the dropped subkey. this
can be verified using "pgpdump" or "gpg2 --list-packets"

I am really looking forward to finally retiring that 4.x key BTW ;)

 Makefile                              |   7 ++-----
 proxmox-ve/postinst                   |   3 +++
 proxmox-ve/proxmox-release-4.x.pubkey | Bin 1702 -> 570 bytes
 proxmox-ve/proxmox-release-5.x.pubkey | Bin 1698 -> 1181 bytes
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/Makefile b/Makefile
index ed7e307..e7edb76 100644
--- a/Makefile
+++ b/Makefile
@@ -90,10 +90,6 @@ LINUX_TOOLS_DEB=${LINUX_TOOLS_PKG}_${KERNEL_VER}-${PKGREL}_amd64.deb
 
 DEBS=${DST_DEB} ${HDR_DEB} ${FW_DEB} ${PVE_DEB} ${VIRTUAL_HDR_DEB} ${LINUX_TOOLS_DEB}
 
-PVE_RELEASE_KEYS= 				\
-	proxmox-ve/proxmox-release-4.x.pubkey	\
-	proxmox-ve/proxmox-release-5.x.pubkey
-
 all: check_gcc ${DEBS}
 
 ${PVE_DEB} pve: proxmox-ve/control proxmox-ve/postinst ${PVE_RELEASE_KEYS}
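
Review bot: the target on the last context line of this hunk still lists ${PVE_RELEASE_KEYS} as a prerequisite, but its definition is removed above, so it now expands to nothing and the two .pubkey files are no longer prerequisites of ${PVE_DEB}. Either keep the variable for the dependency or name both files in the prerequisite list, so that a missing or changed key file is noticed by make itself rather than only by the install step.
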
@@ -101,7 +97,8 @@ ${PVE_DEB} pve: proxmox-ve/control proxmox-ve/postinst ${PVE_RELEASE_KEYS}
 	mkdir -p proxmox-ve/data/DEBIAN
 	mkdir -p proxmox-ve/data/usr/share/doc/${PVEPKG}/
 	mkdir -p proxmox-ve/data/etc/apt/trusted.gpg.d
-	gpg2 --no-default-keyring --keyring ./proxmox-ve/data/etc/apt/trusted.gpg.d/proxmox-ve.gpg --import ${PVE_RELEASE_KEYS}
+	install -m 0644 proxmox-ve/proxmox-release-4.x.pubkey proxmox-ve/data/etc/apt/trusted.gpg.d/proxmox-ve-release-4.x.gpg
+	install -m 0644 proxmox-ve/proxmox-release-5.x.pubkey proxmox-ve/data/etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg
 	sed -e 's/@KVNAME@/${KVNAME}/' -e 's/@KERNEL_VER@/${KERNEL_VER}/' -e 's/@RELEASE@/${RELEASE}/' -e 's/@PKGREL@/${PKGREL}/' <proxmox-ve/control >proxmox-ve/data/DEBIAN/control
 	sed -e 's/@KVNAME@/${KVNAME}/' <proxmox-ve/postinst >proxmox-ve/data/DEBIAN/postinst
 	chmod 0755 proxmox-ve/data/DEBIAN/postinst
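
Review bot: the two added install lines copy the files into trusted.gpg.d without checking their content, although the commit message depends on each being a binary export of exactly one key. A build-time check before the install lines, for example comparing the "gpg2 --list-packets" output mentioned in the notes against the expected key, would stop an armored or multi-key file from ending up trusted by apt unnoticed. The file names are also repeated by hand here; generating both lines from one list of keys would keep them in step with the prerequisites.
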
diff --git a/proxmox-ve/postinst b/proxmox-ve/postinst
index baf3d29..88cd778 100755
--- a/proxmox-ve/postinst
+++ b/proxmox-ve/postinst
@@ -19,6 +19,9 @@ case "$1" in
     # cleanup - remove Proxmox Release Key key from /etc/apt/trusted.gpg
     /usr/bin/apt-key --keyring /etc/apt/trusted.gpg del 9887F95A >/dev/null 2>&1 || /bin/true
 
+    # cleanup - remove old stretch-incompatible variant of installing release key
+    rm -f /etc/apt/trusted.gpg.d/proxmox-ve.gpg /etc/apt/trusted.gpg.d/proxmox-ve.gpg~
+
     # setup kernel links for installation CD (rescue boot)
     mkdir -p /boot/pve
     ln -sf /boot/vmlinuz- at KVNAME@ /boot/pve/vmlinuz
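
Review bot: the added comment does not say why proxmox-ve.gpg~ is removed along with proxmox-ve.gpg. If it is the backup file left behind by the old "gpg2 --import" step in the Makefile, say so in the comment, so the second path is not mistaken for a typo or dropped in a later cleanup.
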
diff --git a/proxmox-ve/proxmox-release-4.x.pubkey b/proxmox-ve/proxmox-release-4.x.pubkey
index 816a8b8b9167c9438dff3fb14cb919a83d75c143..40416a623ca2dc062f197bd70084f6c79f408a79 100644
GIT binary patch

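Review bot: the replacement key file cannot be reviewed from the binary delta, and the commit message gives no fingerprint to compare the new 570-byte file against. Put the full fingerprint of each release key and the remark about the removed encryption subkey into the commit message itself; the text below the "---" line, including the pgpdump / "gpg2 --list-packets" hint, is dropped when the patch is applied with git am. The same applies to the 5.x key file that follows.
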
diff --git a/proxmox-ve/proxmox-release-5.x.pubkey b/proxmox-ve/proxmox-release-5.x.pubkey
index e7002c995380140bed423991e6a9e93ca9f55737..8488f4597a19764cefa9f505198cf9cade46a7a7 100644
GIT binary patch

-- 
2.1.4
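
A check for the format constraint described in the commit message, as an added example that is not part of the original patch or of the Proxmox code base: it tells an armored export, a keyring in keybox format and a binary export apart, and counts primary keys and subkeys in the binary case. The function names are hypothetical, the sample bytes are constructed, and treating the "KBXf" keybox magic as the new gpg2 keyring format the message refers to is an assumption.

```python
import struct

TAG_PUBKEY, TAG_SUBKEY = 6, 14              # RFC 4880 packet tags

def iter_packet_tags(data):
    """Yield the tag of every OpenPGP packet in a binary key export."""
    pos = 0
    while pos < len(data):
        first = data[pos]
        if not first & 0x80:
            raise ValueError("no OpenPGP packet at offset %d" % pos)
        if first & 0x40:                       # new-format header
            tag, o1 = first & 0x3F, data[pos + 1]
            if o1 < 192:
                length, hdr = o1, 2
            elif o1 < 224:
                length, hdr = ((o1 - 192) << 8) + data[pos + 2] + 192, 3
            elif o1 == 255:
                length, hdr = struct.unpack(">I", data[pos + 2:pos + 6])[0], 6
            else:
                raise ValueError("partial body length in key material")
        else:                                  # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length in key material")
            size = (1, 2, 4)[ltype]
            length, hdr = int.from_bytes(data[pos + 1:pos + 1 + size], "big"), 1 + size
        if pos + hdr + length > len(data):
            raise ValueError("truncated packet at offset %d" % pos)
        yield tag
        pos += hdr + length

def classify_key_file(data):
    """Return (format, primary_keys, subkeys) for a trusted.gpg.d candidate."""
    if data.lstrip().startswith(b"-----BEGIN PGP"):
        return ("armored", 0, 0)
    if data[8:12] == b"KBXf":                  # keybox magic (assumed new gpg2 keyring format)
        return ("keybox", 0, 0)
    tags = list(iter_packet_tags(data))
    return ("binary", tags.count(TAG_PUBKEY), tags.count(TAG_SUBKEY))

def is_single_binary_key(data):
    """True only for the layout the commit message says apt accepts."""
    fmt, primaries, _ = classify_key_file(data)
    return fmt == "binary" and primaries == 1

# Constructed sample: key, user ID, signature, subkey, signature (dummy bodies).
SAMPLE = b"".join(bytes([0x80 | (t << 2), 4]) + b"\0" * 4 for t in (6, 13, 2, 14, 2))
if __name__ == "__main__":
    print(classify_key_file(SAMPLE), is_single_binary_key(SAMPLE))
```

Run over the old and new .pubkey files, the subkey count is the value that should differ for the 4.x key if only the encryption subkey was dropped.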




