Hi !
I am one of the Debian developper releasing the Vagrant base boxes available in as debian/stretch64 on
app.vagrantup.com
One user recently reported to us that when using the `vagrant add` command, any madeup checksum given with `--checksum` would be considered as valid.
```
Checksums for versioned boxes or boxes from HashiCorp's Vagrant Cloud: For boxes from HashiCorp's Vagrant Cloud, the checksums are embedded in the metadata of the box. The metadata itself is served over TLS and its format is validated.
```
I see two issues :
* shouldn't the `vagrant add` command fails when `--checksum` is used and the box is added from VagrantCloud ?
* generally, how could we (Vagrant box maintainers) generate a checksum as and have it verified when downloading a box ?
I know it's possible to grok the link from `vagrant add`, download the box with curl,
and add the box locally, but it kinds of defeats the purpose of having a central registry (versioning, etc ...)
This kind of checksumming is important because I am signing the checksums with a GPG key available in the Debian keyring, building a direct trust link with end users.