[virt-tools-list] Verification of software downloads with virt-install --location?

Simon Josefsson simon at josefsson.org
Thu Apr 30 12:08:56 UTC 2015

Hi.  I'm experimenting with using 'virt-install --location' for
creating virtual machines for myself.  I'm installing Debian Jessie
VM's, if that matters, so the invocation looks something like this:

virt-install \
    --name=dist.sjd.se \
    --ram=1024 \
    --os-type=linux --os-variant=debianwheezy \
    --initrd-inject=preseed.cfg \
    --extra-args="auto=true console=tty0 console=ttyS0,115200" \
    --disk=$output,size=4,format=qcow2 \
    --serial pty \
    --location=http://ftp.se.debian.org/debian/dists/jessie/main/installer-amd64 \
    --nographics \

However what is not clear to me is if there is any cryptographic
verification of the downloaded kernel/initrd-pair?  I can't find any
documentation on how to configure the PGP public key to trust for this
download, nor any checksum values to double-check it with.

If 'virt-install --location' does not check the integrity
of the kernel/initrd download, how do people protect themselves against
man-in-the-middle attacks replacing the kernel/initrd files with
trojaned versions?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signatur
URL: <http://listman.redhat.com/archives/virt-tools-list/attachments/20150430/1f269417/attachment.sig>

More information about the virt-tools-list mailing list