pullsec/datacenter_image_trust

Table of Contents
  1. about
  2. architecture
  3. features
  4. supported distributions
  5. installation
  6. usage
  7. configuration
  8. project structure
  9. faq

about

Datacenter Image Trust is a CLI tool designed to securely download and verify Linux distribution images.

It ensures that downloaded ISO images are authentic and untampered by validating:

  • GPG signatures
  • SHA256 checksums
  • trusted signing keys
  • allowed distribution hosts

The tool is built for infrastructure, homelab, and security-focused environments where trust in downloaded artifacts is critical.

architecture

Important

This tool enforces a full trust chain from download to verification.

flowchart LR
    A[User CLI]
    B[Provider Resolver]
    C[Remote Mirror]
    D[Checksum File]
    E[GPG Signature]
    F[ISO Image]
    G[Local Trust Store]

    A --> B
    B --> C
    C --> D
    C --> E
    C --> F

    D -->|verify| E
    F -->|hash check| D
    E -->|validate key| G

features

| feature | description |
| --- | --- |
| multi-distribution | Ubuntu, Debian, Fedora support |
| GPG verification | validates checksum signatures |
| SHA256 validation | ensures ISO integrity |
| trust policy | validates trusted keys and hosts |
| offline mode | verify previously downloaded images |
| JSON output | automation and scripting friendly |
| image listing | discover available ISOs |
| image selection | manually select specific ISO |
| progress display | real-time download feedback |

supported distributions

| distribution | status | notes |
| --- | --- | --- |
| Ubuntu | stable | LTS and point releases supported |
| Debian | stable | archive + current releases |
| Fedora | stable | recent releases (tested: 42, 43) |

installation

1. clone repository

git clone https://github.com/Pr0xyG33k/datacenter_image_trust.git
cd datacenter_image_trust

2. install dependencies

pip install -r requirements.txt

3. run tests (optional)

PYTHONPATH=src pytest -q

usage

Note

The tool automatically resolves the ISO, downloads the required artifacts, and verifies the trust chain.

basic usage

bin/datacenter-image-trust --release 24.04

list available images

bin/datacenter-image-trust \
  --distribution ubuntu \
  --release 24.04 \
  --list

select specific image

bin/datacenter-image-trust \
  --distribution ubuntu \
  --release 24.04 \
  --select ubuntu-24.04.4-desktop-amd64.iso

offline verification

bin/datacenter-image-trust \
  --distribution fedora \
  --release 43 \
  --image-type server-netinst \
  --verify-only

json output

bin/datacenter-image-trust \
  --distribution ubuntu \
  --release 24.04 \
  --json

main options

| option | description |
| --- | --- |
| --distribution | target distribution (ubuntu, debian, fedora) |
| --release | release version or codename |
| --image-type | type of ISO (server, desktop, netinst, etc.) |
| --list | list available images |
| --select | manually select ISO |
| --verify-only | skip download, verify local files |
| --no-download | disable downloads |
| --force-download | re-download even if file exists |
| --json | output result in JSON |
| --verbose | enable detailed logs |

configuration

The tool relies on local configuration files:

application configuration

conf/application.yml

distribution configuration

conf/distributions/
  ubuntu.yml
  debian.yml
  fedora.yml

trust store

trust/
  <distribution>/
    keyrings/
    fingerprints/

project structure

src/
  datacenter_image_trust/
    cli.py
    downloader.py
    providers/
    models.py

conf/
  application.yml
  distributions/

trust/
  <distribution>/
    keyrings/
    fingerprints/

var/
  downloads/
  cache/

tests/

faq

why not use sha256sum manually?

Because the checksum itself must be trusted.
This tool verifies checksum authenticity via GPG.

why is gpg verification important?

Without signature validation, checksums can be replaced by malicious actors.

why enforce trusted hosts?

To prevent downloads from untrusted mirrors or compromised sources.
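
The three checks these answers describe (allowed host, signature on the checksum file, image hash against that file), as an added Python example that is not this project's code. The function names, result strings, the https-only rule and the sample values are assumptions, and the checksum parser handles only sha256sum-style lines.

```python
import hashlib
import subprocess
from urllib.parse import urlsplit

def host_allowed(url, allowed_hosts):
    """Exact hostname match on the allow-list; https only (assumption of this example)."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in allowed_hosts

def gpgv_status(keyring, sig_path, sums_path):
    """Verify a detached signature against one pinned keyring; return gpgv status lines."""
    cmd = ["gpgv", "--keyring", keyring, "--status-fd", "1", sig_path, sums_path]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

def signer_trusted(status, pinned_fprs):
    """True only on VALIDSIG whose signing-key or primary-key fingerprint is pinned."""
    for line in status.splitlines():
        f = line.split()
        if len(f) >= 3 and f[:2] == ["[GNUPG:]", "VALIDSIG"]:
            if f[2] in pinned_fprs or f[-1] in pinned_fprs:
                return True
    return False

def expected_digest(sums_text, iso_name):
    """Find iso_name in sha256sum-style lines ('<hex>  name' or '<hex> *name')."""
    for line in sums_text.splitlines():
        digest, _, name = line.strip().partition(" ")
        if name.lstrip(" *") == iso_name and len(digest) == 64:
            return digest.lower()
    return None

def verify_chain(url, iso_bytes, sums_text, status, allowed_hosts, pinned_fprs):
    """Host first, then the checksum file's signer, then the image hash. Fails closed."""
    if not host_allowed(url, allowed_hosts):
        return "untrusted-host"
    if not signer_trusted(status, pinned_fprs):
        return "untrusted-signature"
    want = expected_digest(sums_text, urlsplit(url).path.rsplit("/", 1)[-1])
    if want is None or hashlib.sha256(iso_bytes).hexdigest() != want:
        return "checksum-mismatch"
    return "ok"

# Constructed sample data: not a real key, host or image.
FPR = "A" * 40
ISO = b"constructed image bytes"
SUMS = hashlib.sha256(ISO).hexdigest() + " *demo.iso\n"
STATUS = f"[GNUPG:] VALIDSIG {FPR} 2024-01-01 1704067200 0 4 0 1 10 00 {FPR}\n"
if __name__ == "__main__":
    print(verify_chain("https://mirror.example/demo.iso", ISO, SUMS, STATUS,
                       {"mirror.example"}, {FPR}))
```

With a real image, hash the file in chunks instead of holding it in memory, and pass the output of `gpgv_status` as `status`.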

is this tool production-ready?

It is designed for homelab and infrastructure environments requiring strong verification guarantees.

About

This repository provides tools and workflows for verifying the integrity and trust of system images in datacenter environments.
