Add QEMU Guest Agent checksum verification with SHA256 #413

Closed
kallioli wants to merge 1 commit into cloudbase:master from kallioli:feature/qemu-ga-checksum-verification
@kallioli

This PR adds SHA256 checksum verification for QEMU Guest Agent installation, enhancing security while maintaining full backward compatibility.

New Features

  • New [virtio_qemu_guest_agent] configuration section with url and checksum parameters
  • SHA256 checksum verification in Download-QemuGuestAgent function
  • Priority-based configuration system

Configuration Example

[custom]
install_qemu_ga=True
[virtio_qemu_guest_agent]
url=https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-qemu-ga/qemu-ga-win-VERSION/qemu-ga-x64.msi
checksum=<SHA256_CHECKSUM>

Benefits

  • Security: Verifies downloaded file integrity
  • Control: Know exactly which version will be installed
  • Protection: Prevents man-in-the-middle attacks
  • Compliance: Facilitates security audits

Backward Compatibility

All existing configurations continue to work without modification:

  • install_qemu_ga=True → Uses default URL
  • install_qemu_ga= → Uses custom URL without checksum

Files Modified

  • Config.psm1
  • WinImageBuilder.psm1
  • Examples/windows-image-config-example.ini
  • README.md

* Add new [virtio_qemu_guest_agent] configuration section with url and checksum options
* Implement SHA256 checksum verification in Download-QemuGuestAgent function
* Update documentation with QEMU Guest Agent configuration examples and checksum usage
* Maintain full backward compatibility with existing configurations
kallioli added a commit to kallioli/windows-imaging-tools that referenced this pull request Jun 5, 2026
Add a [virtio_qemu_guest_agent] config section with two optional options:

  * url: overrides the default QEMU guest agent MSI installer URL selected
    by install_qemu_ga (which must be set to True).
  * checksum: SHA256 hash of the installer. When set, the downloaded MSI is
    verified with Get-FileHash and the image build fails on mismatch. It
    applies to the installer selected by either url or the default URL.

Download-QemuGuestAgent gains optional -CustomUrl and -Checksum parameters
and warns when a custom URL is used without a checksum. The default behaviour
(install_qemu_ga True/False/custom-URL string) is unchanged, so this is fully
backward compatible. Documented in the example config and README.

Relates-to: cloudbase#413

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@kallioli kallioli closed this Jun 5, 2026
@kallioli kallioli deleted the feature/qemu-ga-checksum-verification branch June 5, 2026 15:21
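
The check described in the PR and the referenced commit message (hash the downloaded MSI with Get-FileHash, fail the build on mismatch, warn when a custom URL has no checksum), as an added example that is not code from this pull request or from the project. The function name Test-InstallerChecksum, its parameters and the sample file are hypothetical and constructed for illustration.

```powershell
# Added example: hypothetical helper, not the project's Download-QemuGuestAgent.
function Test-InstallerChecksum {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$Checksum,           # expected SHA256 as hex, may be empty
        [switch]$CustomUrlUsed       # set when the installer came from a custom URL
    )
    if ([string]::IsNullOrWhiteSpace($Checksum)) {
        if ($CustomUrlUsed) {
            Write-Warning "Custom installer URL used without a checksum; integrity is not verified."
        }
        return
    }
    # Reject malformed values early so a typo in the config cannot look like a tampered file.
    $expected = $Checksum.Trim()
    if ($expected -notmatch '^[0-9a-fA-F]{64}$') {
        throw "checksum is not a 64-character hexadecimal SHA256 value"
    }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    # -ne on strings is case-insensitive, so lower-case hashes from the config still match.
    if ($actual -ne $expected) {
        # Delete the unverified installer so a later step cannot pick it up.
        Remove-Item -LiteralPath $Path -Force
        throw "SHA256 mismatch for ${Path}: expected $expected, got $actual"
    }
}

# Constructed sample input: a small local file stands in for the downloaded MSI.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'qemu-ga-sample.bin'
[System.IO.File]::WriteAllBytes($sample, [byte[]](1..32))
$good = (Get-FileHash -LiteralPath $sample -Algorithm SHA256).Hash.ToLower()

Test-InstallerChecksum -Path $sample -Checksum $good      # matching hash: returns silently
Test-InstallerChecksum -Path $sample -CustomUrlUsed       # no checksum: warning only
try {
    Test-InstallerChecksum -Path $sample -Checksum ('0' * 64)
} catch {
    Write-Output "Build would stop: $($_.Exception.Message)"
}
Write-Output "Sample still on disk: $(Test-Path -LiteralPath $sample)"
```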