Checking file hash from virtio iso?

That depends on the hash type that you are comparing against: md5, sha, etc.


Blockbridge : Ultra low latency all-NVME shared storage for Proxmox - https://www.blockbridge.com/proxmox
Thank you for your answer.

My question was poorly written, I can see that now.

I can of course check the hash (comparing against md5 or sha256) of the ISO file, but I can't know whether that hash is correct, because I don't see a checksum on the Proxmox wiki. How can I be sure my ISO file is correct after I have downloaded it?
 
Proxmox wiki points to an external resource. That resource is not maintained by PVE in any way. If that resource does not provide the means to ensure the file was not tampered with, I guess you just have to trust it. On the other hand, if you think that the website that provides the ISO is compromised, then I don't think you can trust the hash either...


 
Looking at the repo file https://fedorapeople.org/groups/virt/virtio-win/:
Code:
[virtio-win-latest]
name=Latest virtio-win builds
baseurl=https://fedorapeople.org/groups/virt/virtio-win/repo/latest
enabled=0
skip_if_unavailable=1
gpgcheck=0

Since no signed GPG key is provided and gpg check is disabled, the only way to be 100% certain is to download the source, ensure it contains no backdoors/etc and build your own... Somewhat time consuming.


 
This is true, thank you. I was hoping someone knows where to find the checksum, even though it's from an external resource.
 

I think I will trust that this file is not tampered with. I would think almost everyone who installs a Windows VM on Proxmox will download this ISO file and install the drivers and QEMU agent. Thank you bbgeek17 for your answers.
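
An added example (not from any post in this thread, and not Proxmox or virtio-win project code): a small Python audit of yum/dnf `.repo` text that reports stanzas like the one quoted above, where `gpgcheck` is off. The sample input is constructed, the `example-signed` stanza with its URL and key path is hypothetical, and `main_gpgcheck` is an assumed parameter standing in for the `[main]` value a stanza inherits when it sets no `gpgcheck` of its own.

```python
import configparser

# Constructed sample: the stanza quoted in the thread plus a hypothetical signed repo.
SAMPLE_REPO = """\
[virtio-win-latest]
name=Latest virtio-win builds
baseurl=https://fedorapeople.org/groups/virt/virtio-win/repo/latest
enabled=0
skip_if_unavailable=1
gpgcheck=0

[example-signed]
name=Hypothetical signed repo
baseurl=https://repo.example.invalid/el9
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
"""

TRUE = {"1", "yes", "true", "on"}  # boolean spellings accepted in repo files

def audit_repo_text(text, main_gpgcheck=False):
    """Return {repo_id: [findings]} for every stanza in a .repo file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    report = {}
    for repo_id in cp.sections():
        sec = cp[repo_id]
        findings = []
        raw = sec.get("gpgcheck")
        # A stanza without its own gpgcheck inherits the [main] setting (assumed here).
        checked = main_gpgcheck if raw is None else raw.strip().lower() in TRUE
        if not checked:
            findings.append("package signatures not verified (gpgcheck off)")
        elif not sec.get("gpgkey", "").strip():
            findings.append("gpgcheck on, no gpgkey in stanza (key must already be imported)")
        urls = sec.get("baseurl", "").split()
        if any(u.lower().startswith(("http://", "ftp://")) for u in urls):
            findings.append("baseurl uses an unencrypted transport")
        report[repo_id] = findings
    return report

if __name__ == "__main__":
    for repo_id, findings in audit_repo_text(SAMPLE_REPO).items():
        print(repo_id, "->", findings or "ok")
```

With `gpgcheck=0`, HTTPS to the download host is the only integrity control left for that repo, which is the trust decision discussed in the thread.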
 
