Unable to checksum with `vagrant add` boxes from app.vagrantup.com

Unable to checksum with `vagrant add` boxes from app.vagrantup.com

emmanuel.kasper.debian
Hi!
I am one of the Debian developers releasing the Vagrant base boxes available as debian/stretch64 on app.vagrantup.com

One user recently reported to us that when using the `vagrant add` command, any made-up checksum given with `--checksum` would be considered valid.

Looking at the fine manual at https://www.vagrantup.com/docs/cli/box.html#options-for-direct-box-files

```
Checksums for versioned boxes or boxes from HashiCorp's Vagrant Cloud: For boxes from HashiCorp's Vagrant Cloud, the checksums are embedded in the metadata of the box. The metadata itself is served over TLS and its format is validated.
```

I see two issues:

 * shouldn't the `vagrant add` command fail when `--checksum` is used and the box is added from VagrantCloud?

 * generally, how could we (Vagrant box maintainers) generate a checksum and have it verified when downloading a box?
I know it's possible to grok the link from `vagrant add`, download the box with curl,
and add the box locally, but it kind of defeats the purpose of having a central registry (versioning, etc ...)
This kind of checksumming is important because I am signing the checksums with a GPG key available in the Debian keyring, building a direct trust link with end users.

Debian is not the only one having a problem here, I talked to the maintainer of the CentOS Vagrant boxes, and CentOS boxes have exactly the same issue: if you follow the instructions from https://seven.centos.org/2017/10/updated-centos-vagrant-images-available-v1710-01/ and replace the checksum with `1234`, `vagrant add` will add the box without any error.

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/mitchellh/vagrant/issues
IRC: #vagrant on Freenode
---
You received this message because you are subscribed to the Google Groups "Vagrant" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/vagrant-up/b9050f14-6ea6-40d8-84bd-6c8c34db39af%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
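The workaround the post mentions (take the direct `.box` link, download it outside Vagrant, check it against the maintainer's signed checksum list, then add the file locally so that `--checksum` is actually enforced), written out as an added shell example. This is not code from the thread or from the Vagrant project. The box URL, the `SHA256SUMS` / `SHA256SUMS.sign` layout and the box name are assumptions; `--name`, `--checksum` and `--checksum-type` are the documented options for adding a direct box file. The `self_check` function uses a constructed fake file, not a real Vagrant box, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from Vagrant itself.
# Verifies a downloaded .box against a maintainer-signed SHA256SUMS list,
# then hands the verified checksum to "vagrant box add" for a local file,
# where Vagrant does enforce --checksum.

# Compare the SHA-256 of "$1" with the entry for its basename in the
# SHA256SUMS file "$2" (the format "sha256sum" writes). Returns 0 on match,
# 1 on mismatch or when no entry exists.
verify_box_checksum() {
    box="$1"
    sums="$2"
    name=$(basename "$box")
    # Exact match on the file name field; a leading "*" marks binary mode.
    expected=$(awk -v name="$name" '{ f=$2; sub(/^\*/, "", f); if (f == name) { print $1; exit } }' "$sums")
    if [ -z "$expected" ]; then
        echo "no SHA-256 entry for $name in $sums" >&2
        return 1
    fi
    actual=$(sha256sum "$box" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $box: expected $expected, got $actual" >&2
        return 1
    fi
    return 0
}

# Check the maintainer's detached signature over the checksum list before
# trusting it. Assumes the signing key (e.g. one from the Debian keyring) is
# already imported into the local GnuPG keyring.
verify_sums_signature() {
    gpg --verify "$1.sign" "$1"
}

# Full workflow. $1: direct .box URL (assumed to be the link Vagrant would
# fetch for the Vagrant Cloud box); $2: URL of the signed SHA256SUMS list
# (assumed, with a ".sign" detached signature next to it); $3: local box name.
fetch_and_add_box() {
    url="$1"
    sums_url="$2"
    boxname="$3"
    work=$(mktemp -d)
    box="$work/$(basename "$url")"
    curl -fsSL -o "$box" "$url" || return 1
    curl -fsSL -o "$work/SHA256SUMS" "$sums_url" || return 1
    curl -fsSL -o "$work/SHA256SUMS.sign" "$sums_url.sign" || return 1
    verify_sums_signature "$work/SHA256SUMS" || return 1
    verify_box_checksum "$box" "$work/SHA256SUMS" || return 1
    sum=$(sha256sum "$box" | awk '{print $1}')
    # Adding the local file makes Vagrant re-check the checksum itself.
    vagrant box add --name "$boxname" --checksum-type sha256 --checksum "$sum" "$box"
}

# Offline self-check with a constructed fake box file: the untouched file must
# verify, a tampered copy must be rejected. Returns 0 when both hold.
self_check() {
    tmp=$(mktemp -d)
    printf 'constructed fake box payload\n' > "$tmp/fake.box"
    ( cd "$tmp" && sha256sum fake.box > SHA256SUMS )
    if ! verify_box_checksum "$tmp/fake.box" "$tmp/SHA256SUMS"; then
        rm -rf "$tmp"; return 1
    fi
    printf 'tampered\n' >> "$tmp/fake.box"
    if verify_box_checksum "$tmp/fake.box" "$tmp/SHA256SUMS" 2>/dev/null; then
        rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
    return 0
}

# Usage (placeholders): fetch_and_add_box https://example.invalid/stretch64.box \
#     https://example.invalid/SHA256SUMS debian/stretch64
```

The trust in this flow comes from the GPG signature over `SHA256SUMS`, not from the checksum passed to Vagrant; the `--checksum` argument only makes Vagrant re-verify the file it was handed, which is the part that the Vagrant Cloud path skips.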

Re: Unable to checksum with `vagrant add` boxes from app.vagrantup.com

emmanuel.kasper.debian
So no one is interested in verifying the integrity of the Vagrant Cloud boxes? ;)

On Friday 10 November 2017 11:40:32 UTC+1, [hidden email] wrote:
> Hi!
> I am one of the Debian developers releasing the Vagrant base boxes available as debian/stretch64 on app.vagrantup.com
>
> One user recently reported to us that when using the `vagrant add` command, any made-up checksum given with `--checksum` would be considered valid.
>
> Looking at the fine manual at https://www.vagrantup.com/docs/cli/box.html#options-for-direct-box-files
>
> ```
> Checksums for versioned boxes or boxes from HashiCorp's Vagrant Cloud: For boxes from HashiCorp's Vagrant Cloud, the checksums are embedded in the metadata of the box. The metadata itself is served over TLS and its format is validated.
> ```
>
> I see two issues:
>
>  * shouldn't the `vagrant add` command fail when `--checksum` is used and the box is added from VagrantCloud?
>
>  * generally, how could we (Vagrant box maintainers) generate a checksum and have it verified when downloading a box?
> I know it's possible to grok the link from `vagrant add`, download the box with curl,
> and add the box locally, but it kind of defeats the purpose of having a central registry (versioning, etc ...)
> This kind of checksumming is important because I am signing the checksums with a GPG key available in the Debian keyring, building a direct trust link with end users.
>
> Debian is not the only one having a problem here, I talked to the maintainer of the CentOS Vagrant boxes, and CentOS boxes have exactly the same issue: if you follow the instructions from https://seven.centos.org/2017/10/updated-centos-vagrant-images-available-v1710-01/ and replace the checksum with `1234`, `vagrant add` will add the box without any error.

To view this discussion on the web visit https://groups.google.com/d/msgid/vagrant-up/55eef529-3ac0-49ff-8ead-76d1893be6cd%40googlegroups.com.