Add checksum for the images

[simaishi]

@hayesr We discussed this a while ago, but not sure where we left off... A few things we discussed were:

• create a file that contains SHA for all images for each nightly/release build or 1 file per image?
• keep SHA for every build, or just latest nightly + release builds?

[simaishi]

@Fryguy @bdunne I think one of you mentioned json can be parsed? Providing something like this will work?

manageiq-azure-devel.json
{
  "date": "2019-12-12",
  "sha256": "9474de767b4c832a048c98044debf7bdcfdd87d73d91c442ca77fa3e572dba8e",
  "size": "1.1 GB"
}

This will take care of #655 and #694 as well.

[Fryguy]

@simaishi Yeah I think that could work

[chessbyte]

@simaishi Not clear on the proposal here. What process will generate the manageiq-azure-devel.json file and where will it be stored?
/cc @Fryguy @bdunne

[simaishi]

@chessbyte We were thinking we'll create the file during build and upload to the same server where the images are (not sure about the exact location).

[chessbyte]

@simaishi that would be cool - then the code that builds the downloads page can validate each downloadable URL it presents against that source of truth. Let me know when there is something up there and I can make a PR here to validate against it.

[bdunne]

There's already the ETag header on the file that can be used to validate the MD5 sum of the file. Is that good enough?

[Fryguy]

ETag is a part of the HEAD request, and I think you can also get the upload date

[Fryguy]

HEAD releases.manageiq.org/manageiq-vsphere-jansa-1-alpha1.ova

Content-Length: 1213552640
Last-Modified:  Thu, 26 Mar 2020 12:21:01 GMT
ETag:           556f00b222fc8b04484fc5c9a07163bf
X-Timestamp:    1585225260.49365

[simaishi]

Ah, ETag is enough to cover this issue.

For the nightly build date (#655), we probably want to get it from the file name as build date isn't upload date?

And if we want to validate what we built is what was uploaded, then we'll need to generate something at build time, but that's a different issue, I guess.

[Fryguy]

I'm less concerned about the validation, though I could see an MD5 (ETag is MD5) generated on the build side and uploaded. MD5 isn't a secure hash, however it's good enough to ensure that someone didn't get a corrupted download.

[simaishi]

Agreed, the original request is for users to be able to validate images they downloaded.

[Fryguy]

@bdunne If we change hosting does the new hosting have ETag, and, if so, what hash function does it use?

[bdunne]

The alternative hosting provider that I'm looking at is the same (ETag using MD5sum)