[Container-tools] signing vagrant payload
Karanbir Singh
kbsingh at redhat.com
Mon Feb 29 17:53:10 UTC 2016
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 29/02/16 17:43, Lalatendu Mohanty wrote:
> On 02/29/2016 06:31 PM, Karanbir Singh wrote:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>
>> On 29/02/16 12:15, Karanbir Singh wrote:
>>> hi,
>>>
>>> Has there been any work done to see how one might sign and
>>> then validate a vagrant box at all ? I'm looking for options
>>> and everyone of them seems to require an additional component
>>> on the client side ( which might defeat the purpose a bit ).
>> it looks like the ImgFac created box's dont have checksum
>> included in the box. At the moment the box looks like:
>>
>> metadata.json: {"provider": "libvirt", "format": "qcow2",
>> "virtual_size": 41}
>>
>> we should be able to add a sha type and a sum there, so its
>> validated before being instantiated.
>
> Looks like coreos folks are already using it [1] [2].
>
> [1]
> http://alpha.release.core-os.net/amd64-usr/current/coreos_production_v
agrant.json
>
> [2]
> https://github.com/coreos/coreos-kubernetes/blob/master/single-node/Va
grantfile
Any
>
box built with packer, or assembled at atlast.hashicorp has this
included already. the extensive bento repos from the guys at chef have
lots more examples as well.
- --
Karanbir Singh, Project Lead, The CentOS Project, London, UK
Red Hat Ext. 8274455 | DID: 0044 207 009 4455
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQEcBAEBAgAGBQJW1IWGAAoJEI3Oi2Mx7xbtfQoH+wabCt6ptjgC2XFE6h4PA8Tr
6wVn+8IyAQasjPWiWhlOvKp7D3ychoK6YA4y3G0sBwhkl48ix9gXIJ+SL494/cBQ
VtrviIG/Oj1COSDb6WDmwnnHZ6gbVw3SHueDA03aLNDfRZydD7ndHIjGAX35yPVL
iwOoExU7z8VbYgd5NJ1+WbeRixwrpqghV9dMOP8IvLR5gQC975Wonmk9a6mXh/Gc
VfqHnZ0RyiAJNm/bAWbBZJg5ua7kVD3z/NxOS9ZMPlJoK1kcE3SGols0+ELAXmki
qj0NlZE6hIhWxkHFqfQMU5xuLUy7a7VSCj/9WNmIFrCm5ZUXaJB9cFF6vlaejjQ=
=sCxh
-----END PGP SIGNATURE-----
More information about the Container-tools
mailing list