To vigilant users, authenticity matters. Aside from checking hashes of images, you might also want to know where the box images you use in Vagrant are downloaded from. However, this information is not explicitly provided on HashiCorp’s Vagrant Cloud. Here is how you can uncover this information….
centos/7 as an example. From its information page you just got an ” Externally hosted (cloud.centos.org)” label, no complete URL. In order to get the actual location of the image, the following script is used:
wget --quiet --output-document=- "https://vagrantcloud.com/centos/7" | python -m json.tool | less --chop-long-lines
In the output, you’ll see URLs to box images. At the time of writing, the default box image URL for VirtualBox provider is
https://vagrantcloud.com/centos/boxes/7/versions/1802.01/providers/virtualbox.box. Choose whichever image URL depending on the version and provider you’re interested, then you can further run:
wget --server-response --spider "https://vagrantcloud.com/centos/boxes/7/versions/1802.01/providers/virtualbox.box"
In this example, you’ll find it redirects you to
https://cloud.centos.org/centos/7/vagrant/x86_64/images/CentOS-7-x86_64-Vagrant-1802_01.VirtualBox.box, which is an image published on official CentOS website.