[Container-tools] signing vagrant payload

Lalatendu Mohanty lmohanty at redhat.com
Mon Feb 29 13:43:34 UTC 2016


On 02/29/2016 06:31 PM, Karanbir Singh wrote:
> On 29/02/16 12:15, Karanbir Singh wrote:
>> hi,
>>
>> Has there been any work done to see how one might sign and then
>> validate a vagrant box at all? I'm looking for options and
>> every one of them seems to require an additional component on the
>> client side (which might defeat the purpose a bit).
> It looks like the ImgFac-created boxes don't have a checksum included in
> the box. At the moment the box looks like:
>
> metadata.json:
> {"provider": "libvirt", "format": "qcow2", "virtual_size": 41}
>
> We should be able to add a sha type and a sum there, so it's validated
> before being instantiated.

+1, that's a good idea. Also, we should try notary [1] (saw someone
mention it on Twitter for your question)

[1] https://github.com/docker/notary

Thanks,
Lala
> -- 
> Karanbir Singh, Project Lead, The CentOS Project, London, UK
> Red Hat Ext. 8274455 | DID: 0044 207 009 4455
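
Added example (not part of the original thread and not CentOS or Image Factory code): a sketch of the check proposed above, where metadata.json carries a digest type and sum that are verified before the box is used. The field names checksum_type and checksum, the image member name box.img, and the allowed-digest list are assumptions. A sum stored inside the box only detects corruption, since anyone who can alter the image can alter the sum; authenticity still needs a signature or a sum obtained from a trusted channel.

```python
import hashlib
import hmac
import io
import json
import tarfile

ALLOWED = {"sha256", "sha512"}  # assumption: refuse weaker digests (md5, sha1)


def verify_box(fileobj, image_name="box.img"):
    """Return True only if image_name hashes to the sum recorded in metadata.json."""
    try:
        with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
            meta = json.load(tar.extractfile("metadata.json"))
            algo = str(meta.get("checksum_type", "")).lower()  # hypothetical field
            expected = str(meta.get("checksum", "")).lower()   # hypothetical field
            if algo not in ALLOWED or not expected:
                return False  # missing or weak checksum: fail closed
            image = tar.extractfile(image_name)
            if image is None:
                return False  # member exists but is not a regular file
            digest = hashlib.new(algo)
            for chunk in iter(lambda: image.read(1 << 20), b""):
                digest.update(chunk)  # stream, box images are large
    except (KeyError, tarfile.TarError, ValueError):
        return False  # missing member, broken archive or bad JSON
    return hmac.compare_digest(digest.hexdigest().encode(), expected.encode())


def build_box(image, meta):
    """Build a constructed in-memory .box (gzip tar) for the demonstration."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        members = (("metadata.json", json.dumps(meta).encode()), ("box.img", image))
        for name, data in members:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    image = b"constructed qcow2 bytes"  # constructed sample, not a real image
    meta = {"provider": "libvirt", "format": "qcow2", "virtual_size": 41,
            "checksum_type": "sha256", "checksum": hashlib.sha256(image).hexdigest()}
    print("intact box:", verify_box(build_box(image, meta)))
    print("tampered box:", verify_box(build_box(image + b"!", meta)))
```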



