[pve-devel] [PATCH proxmox v5 1/4] add proxmox-pgp subcrate, move POM verifier code to it
Thomas Lamprecht
t.lamprecht at proxmox.com
Wed Oct 29 20:39:29 CET 2025
Am 23.10.25 um 12:40 schrieb Nicolas Frey:> Add new micro-crate `proxmox-pgp` for use in `proxmox-apt` to verify
> repository signatures. Code is derived from `proxmox-offline-mirror`.
> If this patch is applied, then `proxmox-offline-mirror` should use
> the `proxmox-pgp` crate.
>
> For the original development history, see commits related to [0].
>
> [0] https://git.proxmox.com/?p=proxmox-offline-mirror.git;a=blob;f=src/helpers/verifier.rs;h=15195a6ec3413ad3c016fffc38f9eee3cefc6827;hb=cd56fab
>
> Suggested-by: Thomas Lamprecht <t.lamprech at proxmox.com>
> Signed-off-by: Nicolas Frey <n.frey at proxmox.com>
> ---
> Cargo.toml | 2 +
> proxmox-pgp/Cargo.toml | 17 +++
> proxmox-pgp/debian/changelog | 5 +
> proxmox-pgp/debian/control | 40 +++++++
> proxmox-pgp/debian/copyright | 18 +++
> proxmox-pgp/debian/debcargo.toml | 7 ++
> proxmox-pgp/src/lib.rs | 5 +
> proxmox-pgp/src/verifier.rs | 200 +++++++++++++++++++++++++++++++
> 8 files changed, 294 insertions(+)
> create mode 100644 proxmox-pgp/Cargo.toml
> create mode 100644 proxmox-pgp/debian/changelog
> create mode 100644 proxmox-pgp/debian/control
> create mode 100644 proxmox-pgp/debian/copyright
> create mode 100644 proxmox-pgp/debian/debcargo.toml
> create mode 100644 proxmox-pgp/src/lib.rs
> create mode 100644 proxmox-pgp/src/verifier.rs
> diff --git a/proxmox-pgp/src/verifier.rs b/proxmox-pgp/src/verifier.rs
> new file mode 100644
> index 00000000..84a15c4c
> --- /dev/null
> +++ b/proxmox-pgp/src/verifier.rs
> @@ -0,0 +1,200 @@
> +use anyhow::{bail, format_err, Error};
> +
> +use proxmox_api_macro::api;
> +use proxmox_schema::Updater;
> +use sequoia_openpgp::{
> + cert::CertParser,
> + parse::{
> + stream::{
> + DetachedVerifierBuilder, MessageLayer, MessageStructure, VerificationError,
> + VerificationHelper, VerifierBuilder,
> + },
> + PacketParser, PacketParserResult, Parse,
> + },
> + policy::StandardPolicy,
> + types::HashAlgorithm,
> + Cert, KeyHandle,
> +};
> +use serde::{Deserialize, Serialize};
> +use std::io;
I cleaned up the import code style a bit in POM yesterday, could you please sync that here
if you send a v6 to address Shannon's comment anyway?
> +
> +#[api(
> + properties: {
> + "allow-sha1": {
> + type: bool,
> + default: false,
> + optional: true,
> + },
> + "min-dsa-key-size": {
> + type: u64,
> + optional: true,
> + },
> + "min-rsa-key-size": {
> + type: u64,
> + optional: true,
> + },
> + },
> +)]
> +#[derive(Default, Serialize, Deserialize, Updater, Clone, Debug)]
> +#[serde(rename_all = "kebab-case")]
> +/// Weak Cryptography Configuration
> +pub struct WeakCryptoConfig {
> + /// Whether to allow SHA-1 based signatures
> + #[serde(default)]
> + pub allow_sha1: bool,
> + /// Whether to lower the key size cutoff for DSA-based signatures
> + #[serde(default)]
> + pub min_dsa_key_size: Option<u64>,
> + /// Whether to lower the key size cutoff for RSA-based signatures
> + #[serde(default)]
> + pub min_rsa_key_size: Option<u64>,
> +}
> +
> +struct Helper<'a> {
tiny nit: I know you just copied from the original, but the name is rather a bit to
generic.
As it's not publicly exported it's not to bad, but such things often leak in other
parts of the code nonetheless, so maybe use CertWrapper (just as an idea, feel free
to chose a more fitting/telling name yourself).
> + cert: &'a Cert,
> +}
> +
>
More information about the pve-devel
mailing list