[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Verification of downloads/mirrors from $MIRROR//debian/dists/jessie/main/installer-amd64/


I'm using libvirt/virt-install and Debian (stable) as guest system for a
few VMs and I'd like to use a trusted/verifiable source for the Debian
system which ends up running inside those VMs.

Using `virt-install` provides several ways of how to install/bootstrap
such a system, however as I need to inject a preseed script (d-i), it
apparently only leaves me with the option of pointing to the location of
an installer via `--location`.

Background is that injecting preseed scripts only work when
`virt-install` is invoked with `--location` (not `--cdrom`). Although
according to the man page it should work, ISO images - which could be
easily verified - can't be used in conjunction with `--location`.

That leaves me with invoking `virt-install` with e.g.
    /var/lib/libvirt/roots/debian/dists/jessie/main/installer-amd64/` ,
or similar.

However for those bootstrapping methods I fail to find any way of
verification (signatures, checksumming, etc.) at all.
Even simple HTTPS wasn't available on *any* of the mirrors I tried.

So, my question basically is: Is there any way for me to verify the
downloaded installer which I seem to need when using `virt-install` in
conjunction with a preseed-script?
Alternative: Can I inject a preseed script when using `virt-install` in
conjunction with a verifiable ISO installation media?

Thanks a lot in advance

  - mirko

Reply to: