On Fri, 12 Apr 2019, 20:29 Jeremy Stanley, <fungi@yuggoth.org> wrote:

On 2019-04-12 09:27:35 -0500 (-0500), Sean McGinnis wrote:
[...]
> Hmm, according to the spec, Nova verifies those checksums as of Mitaka [0].
> Though Cinder did not get the same enforcement until Rocky [1].
>
> [0] https://specs.openstack.org/openstack/nova-specs/specs/mitaka/implemented/image-verification.html
> [1] https://specs.openstack.org/openstack/cinder-specs/specs/rocky/support-image-signature-verification.html
>
> (And specs are always 100% accurate, right?)

Neat, I had no idea that had improved in the past few years. At any
rate, my main point still stands: if you don't trust the operators
of that environment then the checksums are pure theater, since they
could disable checksum validation or even just serve you a
completely fictional hash from the catalog.

Fictional hash - how true it really is sometimes. Don't trust the checksums. In the cloud I'm using the uploaded image is being automatically converted for a backend storage by a plugin, therefore the checksum us just a trash. And you anyway can't download image back, so you can't do anything with the checksum anyway.

Artem