[virt-tools-list] Verification of software downloads with virt-install --location?

Simon Josefsson simon at josefsson.org
Thu Apr 30 12:54:30 UTC 2015 

> On Thu, Apr 30, 2015 at 02:08:56PM +0200, Simon Josefsson wrote:
> > Hi.  I'm experimenting with using 'virt-install --location' for
> > creating virtual machines for myself.  I'm installing Debian Jessie
> > VM's, if that matters, so the invocation looks something like this:
> > 
> > virt-install \
> >     --name=dist.sjd.se \
> >     --ram=1024 \
> >     --os-type=linux --os-variant=debianwheezy \
> >     --initrd-inject=preseed.cfg \
> >     --extra-args="auto=true console=tty0 console=ttyS0,115200" \
> >     --disk=$output,size=4,format=qcow2 \
> >     --serial pty \
> >     --location=http://ftp.se.debian.org/debian/dists/jessie/main/installer-amd64
> > \ --nographics \
> >     --noreboot
> > 
> > However what is not clear to me is if there is any cryptographic
> > verification of the downloaded kernel/initrd-pair?  I can't find any
> > documentation on how to configure the PGP public key to trust for
> > this download, nor any checksum values to double-check it with.
> > 
> > If 'virt-install --location' does not check the integrity
> > of the kernel/initrd download, how do people protect themselves
> > against man-in-the-middle attacks replacing the kernel/initrd files
> > with trojaned versions?
> 
> You are correct that there is no verification of images which are
> downloaded. The only real recommendation for protection is for
> organizations to maintain their own trusted local mirror of the
> distros that they frequently use.

Ok, thanks for confirming my understanding.  I believe a complete local
mirror is a non-starter for me, but maybe a minimized mirror with only
a few files would work, if I can mirror them securely from debian.org.

> That said it would obviously be desirable to look into whether there
> is some kind of cryptographic verification that could be reasonably
> performed.

Yes.  It feels like a real bug to me.

/Simon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signatur
URL: <http://listman.redhat.com/archives/virt-tools-list/attachments/20150430/9fb43d5f/attachment.sig>

More information about the virt-tools-list mailing list