[Container-tools] signing vagrant payload

Karanbir Singh kbsingh at redhat.com
Mon Feb 29 14:01:42 UTC 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 29/02/16 13:43, Lalatendu Mohanty wrote:
> On 02/29/2016 06:31 PM, Karanbir Singh wrote: On 29/02/16 12:15,
> Karanbir Singh wrote:
>>>> hi,
>>>> 
>>>> Has there been any work done to see how one might sign and
>>>> then validate a vagrant box at all ? I'm looking for options
>>>> and everyone of them seems to require an additional component
>>>> on the client side ( which might defeat the purpose a bit ).
> it looks like the ImgFac created boxes don't have checksum included
> in the box. At the moment the box looks like:
> 
> metadata.json: {"provider": "libvirt", "format": "qcow2",
> "virtual_size": 41}
> 
> we should be able to add a sha type and a sum there, so it's
> validated before being instantiated.
> 
>> +1, that's a good idea. Also we should try notary [1] (saw
>> someone mention it on twitter for your question)
> 
>> [1] https://github.com/docker/notary
> 

yeah, note that Justin worked on defining that tool set - so might be
opinionated around its use - we should try it out for sure, but I don't
think overall this is the place for us to end up at.

I'm also talking to the digicert guys around using code signing certs
for extended roles like this - will feedback here what comes from that.

Finally, a gpg detached sig, hosted in the box itself ( that signs the
metadata, which in turn has the sha sums ) might be another route (
additional route ?) but likely needs a vagrant plugin to do the
validation.

- -- 
Karanbir Singh, Project Lead, The CentOS Project, London, UK
Red Hat Ext. 8274455 | DID: 0044 207 009 4455
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQEcBAEBAgAGBQJW1E9GAAoJEI3Oi2Mx7xbtF7oH/jHVugP3zh1L7rtBHO4dw+2b
QqIOhoZEkdpbhjDfFZY18qmHt5C4ieBSiVOqIfjxsxldcfdd39bOpvRACga1woJq
iLU99VmYN8bwdgdl3Rjcq+NBovkJnVx0otnP/763uF665F/c+IRqBsF7l7TMRuJx
Cp2vk12gyz6fwXryQfUgZU5zf4QQBWYmMaCWtXQU4bP5YHADFRnnPze33SclkYlc
fOF0aOoHGbxEnjAn6xIOTG9hluMRT4gM2M10hKwE8h1rptALhNjFT3pSN1hv7byb
jdK09XRAQr/SfMzd6s5DN5xWyz8SfPdstUjMNACCoxjxI+KRdqojqg2ZlJ2zeA0=
=Y91P
-----END PGP SIGNATURE-----
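The two mechanisms discussed in this thread (a checksum carried in metadata.json, and a detached GPG signature over that metadata) sketched as an added example; this is not code from the thread, from ImgFac or from the CentOS project. It assumes the standard libvirt box layout (a tarball holding metadata.json and box.img), adds two hypothetical fields, "checksum_type" and "checksum", to the metadata quoted above, and assumes the signing key is already present in a keyring the client trusts. The checksum on its own only catches corruption: whoever can replace the image can rewrite metadata.json too, which is why the thread pairs it with a signature over the metadata.

```python
import hashlib
import hmac
import io
import json
import os
import subprocess
import tarfile
import tempfile

# Digest algorithms the verifier accepts; md5/sha1 are deliberately absent.
HASH_ALGOS = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}


def make_metadata(image_bytes, sha_type="sha256"):
    """metadata.json in the shape quoted in the thread, plus the hypothetical
    'checksum_type' / 'checksum' fields this example assumes."""
    digest = HASH_ALGOS[sha_type](image_bytes).hexdigest()
    return {"provider": "libvirt", "format": "qcow2", "virtual_size": 41,
            "checksum_type": sha_type, "checksum": digest}


def write_box(path, metadata, image_bytes):
    """Write a box tarball: metadata.json next to the disk image (box.img)."""
    with tarfile.open(path, "w") as tar:
        for name, data in (("metadata.json", json.dumps(metadata).encode()),
                           ("box.img", image_bytes)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def verify_box_checksum(path):
    """Return (ok, reason). A box with no checksum, or an algorithm we do not
    accept, is refused rather than silently passed through."""
    with tarfile.open(path, "r") as tar:
        try:
            metadata = json.loads(tar.extractfile("metadata.json").read())
            image = tar.extractfile("box.img")
        except KeyError as exc:
            return False, "missing member: %s" % exc
        sha_type = metadata.get("checksum_type")
        expected = metadata.get("checksum", "")
        if sha_type not in HASH_ALGOS or not expected:
            return False, "no usable checksum in metadata.json"
        h = HASH_ALGOS[sha_type]()
        for chunk in iter(lambda: image.read(1 << 20), b""):  # stream, images are large
            h.update(chunk)
        if not hmac.compare_digest(h.hexdigest(), expected.lower()):
            return False, "checksum mismatch"
    return True, "ok"


def verify_metadata_signature(metadata_path, sig_path, keyring_path):
    """Check a detached GPG signature over metadata.json against a keyring the
    client already trusts (assumed to be distributed out of band, not shipped
    in the box). Shells out to the gpg CLI; True only on a good signature."""
    result = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring_path,
         "--verify", sig_path, metadata_path],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def demo():
    """Build a good box and a tampered one (image swapped, metadata kept) and
    verify both. The image bytes are constructed, not a real qcow2."""
    image = b"QFI\xfb" + bytes(range(256)) * 8  # constructed stand-in for a qcow2
    metadata = make_metadata(image)
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good.box")
        bad = os.path.join(tmp, "tampered.box")
        write_box(good, metadata, image)
        write_box(bad, metadata, image[:-1] + b"\x00")
        return verify_box_checksum(good), verify_box_checksum(bad)


if __name__ == "__main__":
    print(demo())  # ((True, 'ok'), (False, 'checksum mismatch'))
```

A client would run verify_metadata_signature first and only then trust the checksum inside metadata.json; doing it in the other order lets a rewritten metadata file vouch for a rewritten image. As the thread notes, hooking either check into `vagrant box add` still needs a plugin on the client side.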
