[pve-devel] [PATCH docs] package-repos: update key file path and hashes
Thomas Lamprecht
t.lamprecht at proxmox.com
Thu Jul 17 13:55:19 CEST 2025
On 17.07.25 at 12:33, Shannon Sterz wrote:
>>> I'll admit though that putting just the trixie key in place of the
>>> archive key feels wrong, if only for the initial install. However, the
>>> archive key isn't available through enterprise.proxmox.com it seems [1].
>> Yeah, you got me there, I thought about that but was not really sure
>> what the upgrade process should look like if it's just presented as
>> proxmox-archive-keyring.gpg there.
>>
>> That said, we could either include the release distribution in the name
>> or just document that the available keyring is only guaranteed to cover
>> a single past release and the next one. The former would be probably a bit
>> more future-proof – what do you think?
>>
> To be honest, it might be cleanest to tell people to install the keyring
> as above with the key matching the release. Then verify that it matches
> known good hashes. After everything checks out, tell them
> that installing the `proxmox-archive-keyring` package overwrites the
> key. So this would work out to basically adding a note like this:
Cleaner than providing the combined release key with a name like
"proxmox-archive-keyring-trixie.gpg" for downloading? As that
would be in essence the same thing, but the user would always have the
correct file there.
Yet another option would be pointing to the actual keyring package in
a specific version + respective hashes and recommending installing that
directly – that might be even more convenient.
>
> NOTE: The `wget` command above adds the release key for a single {pve}
> release as the archive keyring. Once the `proxmox-archive-keyring`
> package is installed, it will manage this file. The hashes will change
> as keys for other {pve} releases are added and removed. This means
> the hashes below are only valid for the initial install on top of an
> existing Debian system.
> .
> **Modifying this file is discouraged once `proxmox-archive-keyring` is
> installed.**
>
> This way the Signed-By lines are correct and don't need to be adjusted
> by users, and they should not be confused if the hashes change after
> installing `proxmox-archive-keyring`.
Could be OK, but uploading an extra key or the package wouldn't be much
work. So if you do not see any issue there I'd prefer that route, and
would be open to feedback for what option might be better in the end.
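The procedure discussed in this thread (fetch a single release key as the archive keyring, check it against known-good hashes before relying on it, and keep the Signed-By path in the sources file consistent with where the file actually lives) as an added shell example. This is not code from the Proxmox docs or from this thread: the file names, the temporary directory, the sources file content and the digests are all constructed for the demo, and the real hashes and keyring path must be taken from the published documentation.

```sh
#!/bin/sh
# Added example, not from the Proxmox docs or this thread. All paths, the
# sources file and the digests below are constructed for the demo.

# verify_keyring FILE EXPECTED_SHA256 EXPECTED_SHA512
# Returns 0 only if both digests of FILE match the expected values, 1 otherwise.
# Checking both digests mirrors docs that publish more than one hash.
verify_keyring() {
    file=$1
    expected_sha256=$2
    expected_sha512=$3

    if [ ! -r "$file" ]; then
        echo "verify_keyring: cannot read $file" >&2
        return 1
    fi

    actual_sha256=$(sha256sum "$file" | cut -d' ' -f1)
    actual_sha512=$(sha512sum "$file" | cut -d' ' -f1)

    status=0
    if [ "$actual_sha256" != "$expected_sha256" ]; then
        echo "SHA256 mismatch for $file" >&2
        status=1
    fi
    if [ "$actual_sha512" != "$expected_sha512" ]; then
        echo "SHA512 mismatch for $file" >&2
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "keyring OK: $file"
    fi
    return "$status"
}

# check_signed_by SOURCES_FILE
# Prints every Signed-By path referenced in a deb822 sources file and returns 1
# if any of them is missing on disk, which is the failure mode a wrong keyring
# file name produces.
check_signed_by() {
    sources=$1
    missing=0
    for path in $(sed -n 's/^Signed-By:[[:space:]]*//p' "$sources"); do
        if [ -r "$path" ]; then
            echo "Signed-By keyring present: $path"
        else
            echo "Signed-By keyring missing: $path" >&2
            missing=1
        fi
    done
    return "$missing"
}

# --- Demo with constructed data ------------------------------------------
demo_dir=$(mktemp -d)
keyring="$demo_dir/proxmox-archive-keyring.gpg"

# Constructed placeholder content; this is not an OpenPGP key.
printf 'constructed demo keyring bytes, not a real key\n' > "$keyring"
cp "$keyring" "$demo_dir/tampered.gpg"
printf 'x' >> "$demo_dir/tampered.gpg"

# In real use these two values come from the published documentation; here
# they are computed from the constructed file so the demo runs offline.
good_sha256=$(sha256sum "$keyring" | cut -d' ' -f1)
good_sha512=$(sha512sum "$keyring" | cut -d' ' -f1)

# Constructed deb822 sources file pointing Signed-By at the demo keyring.
cat > "$demo_dir/pve.sources" <<EOF
Types: deb
URIs: https://example.invalid/debian/pve
Suites: trixie
Components: pve-no-subscription
Signed-By: $keyring
EOF

verify_keyring "$keyring" "$good_sha256" "$good_sha512"
if verify_keyring "$demo_dir/tampered.gpg" "$good_sha256" "$good_sha512"; then
    echo "unexpected: tampered file accepted" >&2
fi
check_signed_by "$demo_dir/pve.sources"
```

The mismatch branch is the important one: a one-byte change to the downloaded file fails both digests, and the script reports which digest disagreed rather than silently continuing. Once the `proxmox-archive-keyring` package manages the file, its hashes will legitimately differ from the initial-install values, which is exactly the caveat the proposed note above spells out.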