[GH-ISSUE #11860] setup_deb822_repo: GPG keyring files created with 0600 permissions break APT on Debian 13 #2497

Closed
opened 2026-02-26 12:52:38 +03:00 by kerem · 0 comments
Owner

Originally created by @alealv on GitHub (Feb 12, 2026).
Original GitHub issue: https://github.com/community-scripts/ProxmoxVE/issues/11860

Bug Description

The setup_deb822_repo() function in misc/tools.func creates GPG keyring files with 0600 permissions, which prevents APT from verifying repository signatures on Debian 13 (Trixie).

Root Cause

The function handles GPG keys via two code paths:

  1. Binary keys: cp "$tmp_gpg" "/etc/apt/keyrings/${name}.gpg" — copies the temp file (created by mktemp with restrictive permissions)
  2. ASCII-armored keys: gpg --dearmor --yes -o "/etc/apt/keyrings/${name}.gpg" — GPG always creates output files with 0600 permissions regardless of umask

Both paths result in /etc/apt/keyrings/${name}.gpg having 0600 (root-only read) permissions. However, APT's signature verification runs as the _apt user via sqv, which cannot read the keyring file.

Error Message

Sub-process /usr/bin/sqv returned an error code (1), error message is:
Error: Failed to parse keyring "/etc/apt/keyrings/<name>.gpg"
  Caused by:
    0: Reading "/etc/apt/keyrings/<name>.gpg": Permission denied (os error 13)
    1: Permission denied (os error 13)
Error: The repository '<repo_url>' is not signed.

Affected Scripts

Any script using setup_deb822_repo, including:

  • Immich (immich-install.sh) — fails on both Jellyfin FFmpeg repo and PostgreSQL repo
  • Potentially all other scripts that add APT repositories via this function

Environment

  • Proxmox VE: 8.x
  • Container OS: Debian 13 (Trixie)
  • Container type: Unprivileged LXC
  • APT verification: sqv (Sequoia-based, replaced apt-key in Trixie)

Proposed Fix

Add chmod 644 after keyring file creation in setup_deb822_repo():

  if file "$tmp_gpg" | grep -qi 'PGP\|GPG\|public key'; then
    cp "$tmp_gpg" "/etc/apt/keyrings/${name}.gpg"
  else
    gpg --dearmor --yes -o "/etc/apt/keyrings/${name}.gpg" < "$tmp_gpg"
  fi
  rm -f "$tmp_gpg"
+ chmod 644 "/etc/apt/keyrings/${name}.gpg"

This ensures the keyring file is world-readable, which is required for APT signature verification and is the standard permission for keyring files (matching what apt-key used to set).

Steps to Reproduce

  1. Create a Debian 13 (Trixie) unprivileged LXC container
  2. Run the Immich community script: bash -c "$(wget -qLO - https://github.com/community-scripts/ProxmoxVE/raw/main/ct/immich.sh)"
  3. Select OpenVINO when prompted
  4. Observe failure at Jellyfin FFmpeg repo setup

Workaround

After the script fails, manually fix permissions:

pct exec <vmid> -- chmod 644 /etc/apt/keyrings/*.gpg

Then re-run the install script.
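An added example (not code from the issue or from the ProxmoxVE repository) that walks both key-handling paths described above with the proposed `chmod 644` applied afterwards, plus a check that the resulting keyring is readable by users other than root. The keyring directory is a parameter (defaulting to `/etc/apt/keyrings`) so the function can be exercised in a scratch directory without root; `key_format`, `install_keyring` and `keyring_readable` are names chosen here, not functions from `misc/tools.func`.

```shell
#!/bin/sh
# Hardened keyring install: whatever mode gpg --dearmor or cp leaves behind,
# the final file must be 0644 so sqv (running as _apt) can open it.
set -eu

# Classify a key file by content: "armored" for ASCII-armored, else "binary".
key_format() {
  if grep -aq -e '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$1"; then
    echo armored
  else
    echo binary
  fi
}

# Write "$dir/$name.gpg" from the key at $src and print the resulting path.
install_keyring() {
  name="$1"; src="$2"; dir="${3:-/etc/apt/keyrings}"
  dst="$dir/$name.gpg"
  mkdir -p "$dir"
  if [ "$(key_format "$src")" = armored ]; then
    # gpg creates its output file 0600 regardless of umask
    gpg --dearmor --yes -o "$dst" < "$src"
  else
    # cp inherits the 0600 mode of a mktemp-created source
    cp "$src" "$dst"
  fi
  # The fix from the issue: make the keyring world-readable
  chmod 0644 "$dst"
  echo "$dst"
}

# Octal mode of a file; works with GNU stat and BSD/macOS stat.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Succeeds only if the "other" read bit is set (last octal digit 4-7).
keyring_readable() {
  case "$(file_mode "$1")" in
    *[4567]) return 0 ;;
    *)       return 1 ;;
  esac
}
```

Running `keyring_readable /etc/apt/keyrings/<name>.gpg` before `apt-get update` reproduces the condition sqv trips over without waiting for the "is not signed" error.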

kerem closed this issue 2026-02-26 12:52:39 +03:00