ContainerCraft / kmi

KubeVirt Virtual Machine Disk Image Library
Apache License 2.0

Enforce sha sum checking #4

Closed usrbinkat closed 2 years ago

usrbinkat commented 3 years ago

Image downloads should validate published shasum for security and reliability

jbpratt commented 2 years ago

sha sum gathering can be a part of the auto-update image index, then validated on download of the image:

        "amd64": {
          "url": "https://mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg-20211115.39179.qcow2",
          "sha256sum": "..."
        }

we can also bake this into the image as a label

usrbinkat commented 2 years ago

Smart. I'll get on that.

jbpratt commented 2 years ago

basic implementation in https://github.com/ContainerCraft/kmi/commit/32e9b355f48490d7f409f895f73582c1094da17c#diff-78a8a19706dbd2a4425dd72bdab0502ed7a2cef16365ab7030a5a0588927bf47

jbpratt commented 2 years ago

closing this as it has been implemented and will suffice for now.
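
Added example, not part of the thread and not the project's code: one way to validate a downloaded image against the `sha256sum` field of an index entry shaped like the one proposed above. The sample bytes, the `example.invalid` URL and the helper names (`sha256_file`, `verify_image`, `write_temp`) are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample: entry shape from the thread, digest computed from SAMPLE_IMAGE.
SAMPLE_IMAGE = b"constructed stand-in for qcow2 image bytes\n" * 1024
INDEX = {
    "amd64": {
        "url": "https://example.invalid/images/sample-cloudimg.qcow2",
        "sha256sum": hashlib.sha256(SAMPLE_IMAGE).hexdigest(),
    }
}


def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so multi-gigabyte images never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(path, entry):
    """Return True if path matches entry["sha256sum"]; delete the file otherwise."""
    expected = str(entry.get("sha256sum") or "").strip().lower()
    # Fail closed: a missing or malformed digest is never treated as "skip the check".
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("index entry has no valid sha256sum")
    if hmac.compare_digest(sha256_file(path), expected):
        return True
    os.unlink(path)  # do not leave an unverified image where a build can pick it up
    return False


def write_temp(data):
    """Hypothetical helper standing in for the download step."""
    fd, path = tempfile.mkstemp(suffix=".qcow2")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    for data in (SAMPLE_IMAGE, SAMPLE_IMAGE[:-1] + b"X"):  # intact, then altered
        path = write_temp(data)
        print("verified:", verify_image(path, INDEX["amd64"]))
        if os.path.exists(path):
            os.unlink(path)
```

The check is only as trustworthy as the index: if the digest is gathered from the same mirror at the same time as the image, it detects corruption and later substitution, not a mirror that was already serving a modified file when the index was built.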