[pve-devel] [PATCH docs] package-repos: update key file path and hashes

Thomas Lamprecht t.lamprecht at proxmox.com
Thu Jul 17 10:47:48 CEST 2025


Am 17.07.25 um 10:00 schrieb Shannon Sterz:
> so they better match the repository defintions above

tiny typo: definitions

> Signed-off-by: Shannon Sterz <s.sterz at proxmox.com>
> ---
>  pve-package-repos.adoc | 14 ++++++++------
>  1 file changed, 8 insertions(+), 6 deletions(-)
> 
> diff --git a/pve-package-repos.adoc b/pve-package-repos.adoc
> index 063bc6f..4af8a51 100644
> --- a/pve-package-repos.adoc
> +++ b/pve-package-repos.adoc
> @@ -269,24 +269,26 @@ the key with the following commands:
>  
>  ----
>   # wget https://enterprise.proxmox.com/debian/proxmox-release-trixie.gpg -O
> - /etc/apt/trusted.gpg.d/proxmox-release-trixie.gpg
> + /usr/share/keyrings/proxmox-archive-keyring.gpg
>  ----
>  
>  Verify the checksum afterwards with the `sha512sum` CLI tool:
>  
>  ----
> -# sha512sum /etc/apt/trusted.gpg.d/proxmox-release-trixie.gpg
> -7da6fe34168adc6e479327ba517796d4702fa2f8b4f0a9833f5ea6e6b48f6507a6da403a274fe201595edc86a84463d50383d07f64bdde2e3658108db7d6dc87
> -/etc/apt/trusted.gpg.d/proxmox-release-trixie.gpg
> +# sha512sum /usr/share/keyrings/proxmox-archive-keyring.gpg
> + 8678f2327c49276615288d7ca11e7d296bc8a2b96946fe565a9c81e533f9b15a5dbbad210a0ad5cd46d361ff1d3c4bac55844bc296beefa4f88b86e44e69fa51
> +/usr/share/keyrings/proxmox-archive-keyring.gpg

But that will change with the next key ring change, e.g. once a new key for a
future release gets added or an oldoldstable release key is dropped.

Switching to /usr still makes sense; in the long run /etc might even
get fully deprecated.

We could either keep using the per-release key files, which are also available
in /usr, or, for a slightly bigger change, switch to the `sq keyring list`
output, or some other fitting command of it.

As some sq tools are now used by core Debian packaging tools like apt, it'd
be relatively safe to use here IMO.

For example:

# sq keyring list /usr/share/keyrings/proxmox-archive-keyring.gpg
0. F4E136C67CDCE41AE6DE6FC81140AF8F639E0C39 Proxmox Bookworm Release Key <proxmox-release at proxmox.com>
1. 24B30F06ECC1836A4E5EFECBA7BCD1420BFE778E Proxmox Trixie Release Key <proxmox-release at proxmox.com>


Could be combined with the per-release hash sums, and if we change this I'd
be a tiny bit in favor of switching sha512sum to sha256sum, as I don't think
we or users gain much security: longer strings aren't easier to compare, and
sha256sum is still very much state of the art and deemed infeasible to break,
IIRC.

>  ----
>  
>  or the `md5sum` CLI tool:
>  
>  ----
> -# md5sum /etc/apt/trusted.gpg.d/proxmox-release-trixie.gpg
> -41558dc019ef90bd0f6067644a51cf5b /etc/apt/trusted.gpg.d/proxmox-release-trixie.gpg
> +# md5sum /usr/share/keyrings/proxmox-archive-keyring.gpg
> +c94e3775fbafec13fec20f981db61e93 /usr/share/keyrings/proxmox-archive-keyring.gpg
>  ----
>  
> +NOTE: Make sure the path you install the key to matches the `Signed-By:` lines
> +in your repository stanzas.
>  
>  ifdef::wiki[]
>  
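Review bot: the new sha512sum output line `+ 8678f2327c49...` in this hunk is indented by one space, while the removed line and the md5sum output line below are flush-left; `sha512sum` prints the digest at column 0, so drop the leading space so the rendered block matches real tool output. On the same hunk, `wget ... -O /usr/share/keyrings/proxmox-archive-keyring.gpg` writes the still-unverified download straight into the trusted keyring location and only then says "Verify the checksum afterwards"; consider downloading to a temporary path and moving the file into /usr/share/keyrings only once the sum matches, otherwise a mismatch leaves a bad key installed. Also, because this path is the combined archive keyring rather than a per-release file, the pinned sha512/md5 values will go stale whenever a key is added or dropped, so the added NOTE about `Signed-By:` is a good place to also say which release keys the file is expected to contain.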

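To make the thread's suggestion concrete: pinning the fingerprints that `sq keyring list` prints is robust against a keyring that gains or loses a key, whereas a pinned file hash is not. The following is an added example, not code from the Proxmox docs or the pve-docs patch; it parses an OpenPGP keyring far enough to compute each primary key's v4 fingerprint (the RFC 4880 rule: SHA-1 over 0x99, a two-octet length, and the public-key packet body) and checks that a set of pinned fingerprints is present. The keyring it runs on is constructed inline from fake RSA key material and the user IDs are invented; the fingerprints it yields are therefore not real Proxmox fingerprints.

```python
"""Verify an OpenPGP keyring by the fingerprints of its primary keys (added example)."""
import hashlib
import struct


def _read_packet(blob, pos):
    """Parse one OpenPGP packet header at blob[pos]; return (tag, body, next_pos)."""
    first = blob[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet at offset %d" % pos)
    if first & 0x40:                                  # new-format header
        tag = first & 0x3F
        b1 = blob[pos + 1]
        if b1 < 192:
            length, hdr = b1, 2
        elif b1 < 224:
            length, hdr = ((b1 - 192) << 8) + blob[pos + 2] + 192, 3
        elif b1 == 255:
            length, hdr = struct.unpack(">I", blob[pos + 2:pos + 6])[0], 6
        else:
            raise ValueError("partial body lengths are not used in keyrings")
    else:                                             # old-format header
        tag = (first >> 2) & 0x0F
        ltype = first & 0x03
        if ltype == 0:
            length, hdr = blob[pos + 1], 2
        elif ltype == 1:
            length, hdr = struct.unpack(">H", blob[pos + 1:pos + 3])[0], 3
        elif ltype == 2:
            length, hdr = struct.unpack(">I", blob[pos + 1:pos + 5])[0], 5
        else:
            raise ValueError("indeterminate packet length is not supported")
    body = blob[pos + hdr:pos + hdr + length]
    if len(body) != length:
        raise ValueError("truncated packet at offset %d" % pos)
    return tag, body, pos + hdr + length


def v4_fingerprint(pubkey_body):
    """RFC 4880 12.2: SHA-1 over 0x99 || 2-octet body length || public-key packet body."""
    if pubkey_body[0] != 4:
        raise ValueError("only v4 keys are supported")
    data = b"\x99" + struct.pack(">H", len(pubkey_body)) + pubkey_body
    return hashlib.sha1(data).hexdigest().upper()


def list_keys(keyring):
    """Return [(fingerprint, first user ID)] per primary key, like `sq keyring list`."""
    keys, pos = [], 0
    while pos < len(keyring):
        tag, body, pos = _read_packet(keyring, pos)
        if tag == 6:                                  # public-key packet starts a certificate
            keys.append([v4_fingerprint(body), None])
        elif tag == 13 and keys and keys[-1][1] is None:   # first user ID of that key
            keys[-1][1] = body.decode("utf-8", "replace")
        # signatures (2), subkeys (14) and anything else are skipped
    return [tuple(k) for k in keys]


def keyring_contains(keyring, expected_fingerprints):
    """True when every pinned fingerprint is present; additional keys are tolerated."""
    present = {fp for fp, _ in list_keys(keyring)}
    return {fp.upper() for fp in expected_fingerprints} <= present


# --- constructed keyring: fake key material, not real Proxmox keys -------------
def _mpi(value_bytes):
    """OpenPGP multi-precision integer: 2-octet bit count, then the big-endian value."""
    return struct.pack(">H", int.from_bytes(value_bytes, "big").bit_length()) + value_bytes


def _fake_pubkey_packet(seed, created):
    n = hashlib.sha512(seed).digest()                 # 64 bytes standing in for an RSA modulus
    n = bytes([n[0] | 0x80]) + n[1:]                  # top bit set, as a real modulus has
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(n) + _mpi(b"\x01\x00\x01")
    return b"\x99" + struct.pack(">H", len(body)) + body   # old-format tag 6, 2-byte length


def _user_id_packet(uid):
    raw = uid.encode()
    return b"\xb4" + bytes([len(raw)]) + raw          # old-format tag 13, 1-byte length


def _fake_signature_packet():
    return b"\xc2" + bytes([3]) + b"\x04\x13\x01"     # new-format tag 2; must be skipped


CONSTRUCTED_KEYRING = (
    _fake_pubkey_packet(b"bookworm", 1650000000)
    + _user_id_packet("Example Bookworm Release Key <release@example.org>")
    + _fake_signature_packet()
    + _fake_pubkey_packet(b"trixie", 1700000000)
    + _user_id_packet("Example Trixie Release Key <release@example.org>")
    + _fake_signature_packet()
)

if __name__ == "__main__":
    for i, (fp, uid) in enumerate(list_keys(CONSTRUCTED_KEYRING)):
        print("%d. %s %s" % (i, fp, uid))
```

Pinning fingerprints in the docs would let the check survive the addition of a future release key, which is exactly the case where the sha512sum/md5sum values in the patch go stale; on a real file, the pinned values are the ones `sq keyring list` prints.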