To vigilant users, authenticity matters. Aside from checking hashes of images, you might also want to know where the box images you use in Vagrant are downloaded from. However, this information is not explicitly provided on HashiCorp’s Vagrant Cloud. Here is how you can uncover this information.
Take centos/7 as an example. Its information page shows only an “Externally hosted (cloud.centos.org)” label, not the complete URL. To get the actual location of the image, run the following command:
wget --quiet --output-document=- "https://vagrantcloud.com/centos/7" | python -m json.tool | less --chop-long-lines
In the output, you’ll see URLs to box images. At the time of writing, the default box image URL for the VirtualBox provider is
https://vagrantcloud.com/centos/boxes/7/versions/1802.01/providers/virtualbox.box
Choose the image URL for the version and provider you’re interested in, then run:
wget --server-response --spider "https://vagrantcloud.com/centos/boxes/7/versions/1802.01/providers/virtualbox.box"
In this example, you’ll find that it redirects you to
https://cloud.centos.org/centos/7/vagrant/x86_64/images/CentOS-7-x86_64-Vagrant-1802_01.VirtualBox.box, which is an image published on the official CentOS website.
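The two steps above can be checked mechanically. The following Python code is an added example, not part of the original article: it reads box metadata and saved wget --server-response output, rebuilds the redirect chain, and flags any non-HTTPS hop or unexpected final host. The sample metadata and wget output are constructed, the metadata layout (versions, providers, url) is assumed from the Vagrant box metadata format, and the function names and host allowlist are illustrative.

```python
import json
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample, trimmed to the fields used here (assumed Vagrant box metadata layout).
SAMPLE_METADATA = """
{"name": "centos/7",
 "versions": [
  {"version": "1802.01", "providers": [
    {"name": "virtualbox",
     "url": "https://vagrantcloud.com/centos/boxes/7/versions/1802.01/providers/virtualbox.box"},
    {"name": "libvirt",
     "url": "https://vagrantcloud.com/centos/boxes/7/versions/1802.01/providers/libvirt.box"}]}]}
"""

# Constructed sample of `wget --server-response --spider` output for the VirtualBox URL.
SAMPLE_WGET = """\
  HTTP/1.1 302 Found
  Location: https://cloud.centos.org/centos/7/vagrant/x86_64/images/CentOS-7-x86_64-Vagrant-1802_01.VirtualBox.box
Location: https://cloud.centos.org/centos/7/vagrant/x86_64/images/CentOS-7-x86_64-Vagrant-1802_01.VirtualBox.box [following]
  HTTP/1.1 200 OK
"""

def provider_urls(metadata_json):
    """Map (version, provider) -> box URL listed in the metadata."""
    meta = json.loads(metadata_json)
    return {(v["version"], p["name"]): p["url"]
            for v in meta.get("versions", [])
            for p in v.get("providers", [])}

def redirect_chain(start_url, wget_output):
    """Every URL visited, in order, resolving relative Location headers."""
    chain = [start_url]
    for loc in re.findall(r"^[ \t]*Location:[ \t]*(\S+)", wget_output, re.M | re.I):
        url = urljoin(chain[-1], loc)
        if url != chain[-1]:  # wget prints each Location twice
            chain.append(url)
    return chain

def check_origin(chain, allowed_hosts):
    """Return (final_host, problems) for a redirect chain."""
    problems = [f"non-HTTPS hop: {u}" for u in chain if urlsplit(u).scheme != "https"]
    final_host = urlsplit(chain[-1]).hostname
    if final_host not in allowed_hosts:
        problems.append(f"unexpected final host: {final_host}")
    return final_host, problems

if __name__ == "__main__":
    start = provider_urls(SAMPLE_METADATA)[("1802.01", "virtualbox")]
    print(check_origin(redirect_chain(start, SAMPLE_WGET), {"cloud.centos.org"}))
```

wget writes the --server-response headers to standard error, so redirect that stream to a file when saving output to feed into redirect_chain.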
https://atlas.hashicorp.com/centos/boxes/7 is reading:
CentOS Linux 7/x86_64 Vagrant images updated to 30 September 2016.
Full release notes are published at : https://seven.centos.org/2016/10/updated-centos-vagrant-images-available-v1609-01/
which are the official centos images. But you are right, it is not explicitly stated that the redirect is going to centos.org.
Thanks for the update! I’ve made some adjustments to the article to reflect the fact that image URL may change over time.
Got a bit inspired by the info from your post, and created a script which does all this automated.
The first revision of the script is here:
Good to know! Thanks!