Hi! I am one of the Debian developers releasing the Vagrant base boxes available as debian/stretch64 on app.vagrantup.com.

One user recently reported to us that when using the `vagrant add` command, any made-up checksum given with `--checksum` would be considered valid. Looking at the fine manual at https://www.vagrantup.com/docs/cli/box.html#options-for-direct-box-files

```
Checksums for versioned boxes or boxes from HashiCorp's Vagrant Cloud:
For boxes from HashiCorp's Vagrant Cloud, the checksums are embedded in the metadata of the box.
The metadata itself is served over TLS and its format is validated.
```

I see two issues:

* shouldn't the `vagrant add` command fail when `--checksum` is used and the box is added from Vagrant Cloud?
* generally, how could we (Vagrant box maintainers) generate a checksum and have it verified when downloading a box?

I know it's possible to grok the link from `vagrant add`, download the box with curl, and add the box locally, but it kind of defeats the purpose of having a central registry (versioning, etc.).

This kind of checksumming is important because I am signing the checksums with a GPG key available in the Debian keyring, building a direct trust link with end users.

Debian is not the only one having a problem here. I talked to the maintainer of the CentOS Vagrant boxes, and CentOS boxes have exactly the same issue: if you follow the instructions from https://seven.centos.org/2017/10/updated-centos-vagrant-images-available-v1710-01/ and replace the checksum with `1234`, `vagrant add` will add the box without any error.
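The manual workaround mentioned in the message above (download the box, check it, add it locally), sketched as an added example that is not part of the original post or of Vagrant. The function names are hypothetical, and the expected digest is assumed to come from a checksum file whose GPG signature has already been verified.

```shell
#!/usr/bin/env bash
# Added example: fail-closed SHA-256 check for a locally downloaded box file.
# All function names here are hypothetical, not part of Vagrant.

# is_sha256_hex DIGEST: succeed only for exactly 64 hex characters, so a
# made-up value such as "1234" is rejected before any hashing happens.
is_sha256_hex() {
    case "$1" in
        *[!0-9a-fA-F]*|'') return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# verify_box FILE EXPECTED_DIGEST
# Returns 0 on match, 1 on mismatch, 2 on malformed digest, 3 on missing file.
verify_box() {
    local file="$1" expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    is_sha256_hex "$expected" || { echo "malformed checksum: $2" >&2; return 2; }
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 3; }
    actual=$(sha256sum -- "$file" | cut -d' ' -f1) || return 4
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file" >&2
        return 1
    fi
}

# add_verified_box NAME FILE EXPECTED_DIGEST
# Registers the box with Vagrant only after the local check has passed.
add_verified_box() {
    verify_box "$2" "$3" && vagrant box add --name "$1" "$2"
}
```

Because the comparison happens before `vagrant box add` is ever invoked, a wrong or malformed digest stops the import regardless of how Vagrant itself treats `--checksum`.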
