[pve-devel] applied: [PATCH kernel] install release keys in a saner way

Wolfgang Bumiller w.bumiller at proxmox.com
Tue Feb 21 11:20:47 CET 2017


applied

On Tue, Feb 21, 2017 at 10:24:25AM +0100, Fabian Grünbichler wrote:
> apt actually expects single exported keys in the trusted
> directory, not keyrings. recent gpg2 versions (like that in
> Debian Stretch) switch to a different default keyring format
> which apt does not handle at all, so the old hack will break
> soon.
> 
> by changing the key format in this repository from armored
> exported public key to binary exported public key, which
> both apt in Debian Jessie and apt in Debian Stretch
> understand, we can just install those two files directly
> in the trusted dir.
> 
> bonus: the package content does not change based on gpg
> version or configuration anymore.
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> CC: dietmar at proxmox.com
> CC: w.bumiller at proxmox.com
> ---
> the keys were generated by:
> * importing the keys using the old format (gpg2 --import)
> * deleting the unneeded encryption subkey from the 4.x key (gpg2 --edit-key)
> * re-exporting each key with "gpg2 --export 0xFINGERPRINT > OUTPUTFILE"
> 
> comparing the previous .pubkey files' contents with those of their new
> counterparts shows they are identical except for the dropped subkey. this
> can be verified using "pgpdump" or "gpg2 --list-packets"
> 
> I am really looking forward to finally retiring that 4.x key BTW ;)
> 
>  Makefile                              |   7 ++-----
>  proxmox-ve/postinst                   |   3 +++
>  proxmox-ve/proxmox-release-4.x.pubkey | Bin 1702 -> 570 bytes
>  proxmox-ve/proxmox-release-5.x.pubkey | Bin 1698 -> 1181 bytes
>  4 files changed, 5 insertions(+), 5 deletions(-)
> 
> diff --git a/Makefile b/Makefile
> index ed7e307..e7edb76 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -90,10 +90,6 @@ LINUX_TOOLS_DEB=${LINUX_TOOLS_PKG}_${KERNEL_VER}-${PKGREL}_amd64.deb
>  
>  DEBS=${DST_DEB} ${HDR_DEB} ${FW_DEB} ${PVE_DEB} ${VIRTUAL_HDR_DEB} ${LINUX_TOOLS_DEB}
>  
> -PVE_RELEASE_KEYS= 				\
> -	proxmox-ve/proxmox-release-4.x.pubkey	\
> -	proxmox-ve/proxmox-release-5.x.pubkey
> -
>  all: check_gcc ${DEBS}
>  
>  ${PVE_DEB} pve: proxmox-ve/control proxmox-ve/postinst ${PVE_RELEASE_KEYS}
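Review bot: the `${PVE_DEB} pve:` rule in the trailing context still lists `${PVE_RELEASE_KEYS}` as a prerequisite, but this hunk deletes the variable's definition, so it now expands to nothing and the two .pubkey files are no longer dependencies of the package target. Either keep the variable and use it in the rule, or name the two files explicitly as prerequisites, so that replacing a key file triggers a rebuild of the package.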
> @@ -101,7 +97,8 @@ ${PVE_DEB} pve: proxmox-ve/control proxmox-ve/postinst ${PVE_RELEASE_KEYS}
>  	mkdir -p proxmox-ve/data/DEBIAN
>  	mkdir -p proxmox-ve/data/usr/share/doc/${PVEPKG}/
>  	mkdir -p proxmox-ve/data/etc/apt/trusted.gpg.d
> -	gpg2 --no-default-keyring --keyring ./proxmox-ve/data/etc/apt/trusted.gpg.d/proxmox-ve.gpg --import ${PVE_RELEASE_KEYS}
> +	install -m 0644 proxmox-ve/proxmox-release-4.x.pubkey proxmox-ve/data/etc/apt/trusted.gpg.d/proxmox-ve-release-4.x.gpg
> +	install -m 0644 proxmox-ve/proxmox-release-5.x.pubkey proxmox-ve/data/etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg
>  	sed -e 's/@KVNAME@/${KVNAME}/' -e 's/@KERNEL_VER@/${KERNEL_VER}/' -e 's/@RELEASE@/${RELEASE}/' -e 's/@PKGREL@/${PKGREL}/' <proxmox-ve/control >proxmox-ve/data/DEBIAN/control
>  	sed -e 's/@KVNAME@/${KVNAME}/' <proxmox-ve/postinst >proxmox-ve/data/DEBIAN/postinst
>  	chmod 0755 proxmox-ve/data/DEBIAN/postinst
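Review bot: the two `install -m 0644` lines ship whatever bytes are in the .pubkey files, and with the `gpg2 --import` step gone nothing in the build parses them any more, so an armored or otherwise wrong file would land in trusted.gpg.d unnoticed. Consider a build-time check that each file is a binary export carrying the expected key (the description already mentions `gpg2 --list-packets`), and record the two key fingerprints in the commit message so that the binary replacement can be reviewed without decoding the literals.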
> diff --git a/proxmox-ve/postinst b/proxmox-ve/postinst
> index baf3d29..88cd778 100755
> --- a/proxmox-ve/postinst
> +++ b/proxmox-ve/postinst
> @@ -19,6 +19,9 @@ case "$1" in
>      # cleanup - remove Proxmox Release Key key from /etc/apt/trusted.gpg
>      /usr/bin/apt-key --keyring /etc/apt/trusted.gpg del 9887F95A >/dev/null 2>&1 || /bin/true
>  
> +    # cleanup - remove old stretch-incompatible variant of installing release key
> +    rm -f /etc/apt/trusted.gpg.d/proxmox-ve.gpg /etc/apt/trusted.gpg.d/proxmox-ve.gpg~
> +
>      # setup kernel links for installation CD (rescue boot)
>      mkdir -p /boot/pve
>      ln -sf /boot/vmlinuz- at KVNAME@ /boot/pve/vmlinuz
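Review bot: the added `rm -f` also deletes `proxmox-ve.gpg~`, but the comment above it only mentions the old variant of installing the release key and does not say where the `~` file comes from. A few words in the comment on why that second path can exist would help the next person who touches this cleanup.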
> diff --git a/proxmox-ve/proxmox-release-4.x.pubkey b/proxmox-ve/proxmox-release-4.x.pubkey
> index 816a8b8b9167c9438dff3fb14cb919a83d75c143..40416a623ca2dc062f197bd70084f6c79f408a79 100644
> GIT binary patch
> 
> diff --git a/proxmox-ve/proxmox-release-5.x.pubkey b/proxmox-ve/proxmox-release-5.x.pubkey
> index e7002c995380140bed423991e6a9e93ca9f55737..8488f4597a19764cefa9f505198cf9cade46a7a7 100644
> GIT binary patch
> 
> -- 
> 2.1.4
> 
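
An added example, not part of the patch or of Proxmox's code: a Python check that tells a binary OpenPGP export apart from an armored block or a keybox keyring and lists the packet tags, which is the comparison the post suggests doing with `gpg2 --list-packets`. The function names are hypothetical and the sample byte strings are constructed, not real keys.

```python
PUBLIC_KEY, SIGNATURE, USER_ID, PUBLIC_SUBKEY = 6, 2, 13, 14

def packet_tags(data):
    """Return the OpenPGP packet tags of a binary export, in file order."""
    tags, pos = [], 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError("no OpenPGP packet header at offset %d" % pos)
        pos += 1
        if hdr & 0x40:                      # new-format header
            tag, first = hdr & 0x3F, data[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif first == 255:
                length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
            else:
                raise ValueError("partial body lengths not handled here")
        else:                               # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled here")
            size = 1 << ltype               # 1, 2 or 4 length octets
            length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        if pos + length > len(data):
            raise ValueError("truncated packet")
        tags.append(tag)
        pos += length
    return tags

def classify(data):
    """Classify key file content: armored, keybox, binary-export or unknown."""
    if data.lstrip().startswith(b"-----BEGIN PGP"):
        return "armored"
    if data[8:12] == b"KBXf":               # magic in the keybox header blob
        return "keybox"
    try:
        tags = packet_tags(data)
    except (ValueError, IndexError):
        return "unknown"
    return "binary-export" if tags and tags[0] == PUBLIC_KEY else "unknown"

# Constructed samples: packet headers are valid, bodies are dummy bytes.
_KEY = b"\x99\x00\x03\x04AB" + b"\xb4\x04test" + b"\x88\x02\x04\x13"
SAMPLE_WITH_SUBKEY = _KEY + b"\xb9\x00\x02xy" + b"\x88\x02\x04\x18"
SAMPLE_STRIPPED = _KEY
SAMPLE_ARMORED = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmQ==\n"
SAMPLE_KEYBOX = b"\x00\x00\x00\x20\x01\x01\x00\x02KBXf" + bytes(20)
```

Comparing `packet_tags()` of the old and new file shows whether anything other than the subkey (tag 14) and its binding signature went away.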



