[virt-tools-list] Verification of software downloads with virt-install --location?
Simon Josefsson
simon at josefsson.org
Thu Apr 30 12:08:56 UTC 2015

Hi. I'm experimenting with using 'virt-install --location' for
creating virtual machines for myself. I'm installing Debian Jessie
VMs, if that matters, so the invocation looks something like this:

    virt-install \
        --name=dist.sjd.se \
        --ram=1024 \
        --os-type=linux --os-variant=debianwheezy \
        --initrd-inject=preseed.cfg \
        --extra-args="auto=true console=tty0 console=ttyS0,115200" \
        --disk=$output,size=4,format=qcow2 \
        --serial pty \
        --location=http://ftp.se.debian.org/debian/dists/jessie/main/installer-amd64 \
        --nographics \
        --noreboot

However what is not clear to me is if there is any cryptographic
verification of the downloaded kernel/initrd-pair? I can't find any
documentation on how to configure the PGP public key to trust for this
download, nor any checksum values to double-check it with.

If 'virt-install --location' does not check the integrity
of the kernel/initrd download, how do people protect themselves against
man-in-the-middle attacks replacing the kernel/initrd files with
trojaned versions?

Thanks,
/Simon