Verification of downloads/mirrors from $MIRROR//debian/dists/jessie/main/installer-amd64/
Hello,
I'm using libvirt/virt-install and Debian (stable) as guest system for a
few VMs and I'd like to use a trusted/verifiable source for the Debian
system which ends up running inside those VMs.
Using `virt-install` provides several ways of how to install/bootstrap
such a system, however as I need to inject a preseed script (d-i), it
apparently only leaves me with the option of pointing to the location of
an installer via `--location`.
Background is that injecting preseed scripts only work when
`virt-install` is invoked with `--location` (not `--cdrom`). Although
according to the man page it should work, ISO images - which could be
easily verified - can't be used in conjunction with `--location`.
That leaves me with invoking `virt-install` with e.g.
`--location
/var/lib/libvirt/roots/debian/dists/jessie/main/installer-amd64/` ,
`--location
http://ftp.debian.org/debian/dists/jessie/main/installer-amd64/`
or similar.
However for those bootstrapping methods I fail to find any way of
verification (signatures, checksumming, etc.) at all.
Even simple HTTPS wasn't available on *any* of the mirrors I tried.
So, my question basically is: Is there any way for me to verify the
downloaded installer which I seem to need when using `virt-install` in
conjunction with a preseed-script?
Alternative: Can I inject a preseed script when using `virt-install` in
conjunction with a verifiable ISO installation media?
Thanks a lot in advance
- mirko
Reply to: