[pve-devel] Release Signatures

Fabian Grünbichler f.gruenbichler at proxmox.com
Mon Dec 6 09:22:35 CET 2021


On December 5, 2021 6:42 pm, Sid Spry wrote:
> Are checksums and release signatures available for install media?

yes.

checksum via TLS:

https://proxmox.com/en/downloads/item/proxmox-ve-7-1-iso-installer

(applies to other products/versions as well)

checksum + signature:

http://download.proxmox.com/iso/

signing key == repository key[1,2,3]

1: checksum via TLS https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_11_Bullseye#Adapt_your_sources.list
2: keys via TLS https://git.proxmox.com/?p=proxmox-archive-keyring.git;a=tree;f=debian;h=d3538cb8ad0753a45ded226c56e1ac0323a83588;hb=HEAD
3: or installed on any current PVE/PMG/PBS system via 
`proxmox-archive-keyring` ;)

> What about code signing on repos?

no, there is no signing of git commits/.. . our consumable artifacts for 
users are deb packages, which are chained to the repo signing key as 
trust anchor.




More information about the pve-devel mailing list