I had a question here. So if I sign an image file for a virtual machine using the command, how do I verify that the image file has not changed?

    gpg --output web-test.img.sig --sign web-test.img

Executing the above gives me a "web-test.img.sig" file. Whether verifying this would be sufficient?

    gpg --verify web-test.img.sig
    gpg: Signature made Sun 06 Apr 2014 09:57:16 PM EDT using RSA key ID 3D3AC480
    gpg: Good signature from "shiva (test)

Should I boot the image now using the .sig file? Looking forward to your reply.

On Sun, Apr 6, 2014 at 3:44 AM, Milan Broz wrote:
> On 04/06/2014 12:11 AM, Shivaramakrishnan Vaidyanathan wrote:
> > I have a few questions in this regard. I am ready to perform the offline
> > integrity check. I can have the image files in the nfs-share archived
> > live to another partition that is not mounted. Will I be able to
> > perform the integrity check at the block level in this case? Each time
> > a virtual machine boots up, I need to be able to verify if the image was
> > the same as at the previous boot. Is this achievable?
> >
> > Will these steps work?
> > 1. Image file (VM1 - virtual hard disk file mounted in the nfs-share
> > partition).
> > 2. I rsync the directory of the nfs-share to another partition.
> > 3. Then will I be able to tell whether the virtual image file has
> > been altered/changed since the previous boot?
>
> I am not sure if I understand what you are trying to do here but if it
> is a file image (full device image shared on nfs) why not use a simple gpg
> file signature and verify it before the VM boot?
>
> ...
>
> > Also I don't get the notion "Dm-verity was designed to provide
> > verification of (read-only) device (to provide verified boot path), all IOs
> > must go through dm-verity."
>
> The dm-verity was designed for ChromeOS for verified boot, IOW it verifies
> blocks on the underlying block device on-the-fly (when the system reads them
> through the verity mapped device).
> This means that dm-verity must be the underlying device for all read
> operations (to allow it to stop reads once it detects a wrong hash).
>
> I know the documentation is terse but at least something is here
> http://code.google.com/p/cryptsetup/wiki/DMVerity (see Theory of
> operation).
>
> Milan
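An added example, not from this thread or from cryptsetup, of one way to script the "verify it before the VM boot" step Milan suggests: it assumes a detached signature (made with gpg --detach-sign and checked with gpg --verify web-test.img.sig web-test.img) and reads gpg's machine-readable --status-fd records instead of grepping the "Good signature" text. The fingerprint to pin and the sample status lines are constructed placeholders, not values from the thread.

```python
import subprocess
from typing import Iterable, Tuple

# Status keywords from GnuPG's --status-fd interface (doc/DETAILS) that
# mean the signature must be rejected, whatever else gpg printed.
_FAILURE = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}
_PREFIX = "[GNUPG:] "


def verdict_from_status(status_lines: Iterable[str],
                        expected_fpr: str) -> Tuple[bool, str]:
    """Return (ok, reason). ok only when gpg emitted VALIDSIG for the pinned
    fingerprint and no failure keyword appeared. A human-readable "Good
    signature" line is not enough: any key in the keyring produces one."""
    want = expected_fpr.upper()
    seen_valid = False
    for raw in status_lines:
        if not raw.startswith(_PREFIX):
            continue  # not a status record (e.g. ordinary gpg output)
        fields = raw[len(_PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in _FAILURE:
            return False, "gpg reported " + keyword
        if keyword == "VALIDSIG" and args:
            # args[0] is the signing (sub)key fingerprint; when present,
            # args[9] is the primary key fingerprint. Accept either pin.
            fprs = {args[0].upper()}
            if len(args) > 9:
                fprs.add(args[9].upper())
            if want in fprs:
                seen_valid = True
            else:
                return False, "valid signature, but from an unpinned key"
    if seen_valid:
        return True, "signature valid and key fingerprint matches"
    return False, "no VALIDSIG record for the image"


def verify_image(image: str, sig: str, expected_fpr: str) -> Tuple[bool, str]:
    """Verify a detached signature over `image`; boot only if ok is True.
    expected_fpr is the 40-hex-digit fingerprint of the key you trust."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig, image],
        capture_output=True, text=True, check=False)
    return verdict_from_status(proc.stdout.splitlines(), expected_fpr)
```

Note that with plain --sign, as in the command above, the .sig file itself contains a copy of the image, so gpg --verify web-test.img.sig checks that embedded copy rather than the web-test.img on the NFS share; a detached signature is what lets the check cover the file the VM actually boots from.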