Unable to checksum with `vagrant add` boxes from app.vagrantup.com


emmanuel.ka...@gmail.com

Nov 10, 2017, 5:40:32 AM11/10/17
to Vagrant
Hi!
I am one of the Debian developers releasing the Vagrant base boxes available as debian/stretch64 on app.vagrantup.com.

One user recently reported to us that when using the `vagrant add` command, any made-up checksum given with `--checksum` would be considered valid.


```
Checksums for versioned boxes or boxes from HashiCorp's Vagrant Cloud: For boxes from HashiCorp's Vagrant Cloud, the checksums are embedded in the metadata of the box. The metadata itself is served over TLS and its format is validated.
```

I see two issues:

 * shouldn't the `vagrant add` command fail when `--checksum` is used and the box is added from Vagrant Cloud?

 * generally, how could we (Vagrant box maintainers) generate a checksum and have it verified when downloading a box?
I know it's possible to grab the link from `vagrant add`, download the box with curl,
and add the box locally, but it kind of defeats the purpose of having a central registry (versioning, etc.).
This kind of checksumming is important because I am signing the checksums with a GPG key available in the Debian keyring, building a direct trust link with end users.

Debian is not the only one having a problem here. I talked to the maintainer of the CentOS Vagrant boxes, and the CentOS boxes have exactly the same issue: if you follow the instructions from https://seven.centos.org/2017/10/updated-centos-vagrant-images-available-v1710-01/ and replace the checksum with `1234`, `vagrant add` will add the box without any error.
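The check the post is asking for, as an added example that is not part of the original thread and not Vagrant's own code: given box metadata in the shape Vagrant Cloud serves (name, versions, providers with `checksum_type` and `checksum` fields; the field names are assumed from the public format, the values below are constructed) and a downloaded box file, verify the file against the embedded checksum, and refuse a malformed checksum such as `1234` instead of silently accepting it. The box payload is a constructed byte string so the example runs offline; the GPG signature over a maintainer's checksum list would be checked separately with `gpg --verify` before feeding the checksum into this code.

```python
"""Verify a downloaded Vagrant box against a checksum, rejecting malformed
checksums (e.g. '1234') instead of treating them as valid."""
import hashlib
import json
import os
import re
import tempfile

# Constructed stand-ins for the example: a fake box payload and metadata in the
# shape app.vagrantup.com serves (name -> versions -> providers). Field names
# are assumed from the public format; every value here is made up.
SAMPLE_BOX_BYTES = b"not a real .box archive, just bytes for the example\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_BOX_BYTES).hexdigest()
SAMPLE_METADATA = json.dumps({
    "name": "debian/stretch64",
    "versions": [{
        "version": "9.2.0",
        "providers": [{
            "name": "virtualbox",
            "url": "https://example.invalid/stretch64.box",  # hypothetical URL
            "checksum_type": "sha256",
            "checksum": SAMPLE_SHA256,
        }],
    }],
})

# Hex digest length each supported algorithm produces.
HEX_DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


class ChecksumError(ValueError):
    """Raised when a checksum is missing, malformed, or does not match."""


def parse_checksum(checksum_type, checksum):
    """Return (algo, lowercase hex digest) or raise ChecksumError.

    A value like '1234' is rejected here, before any comparison: it is not a
    hex string of the length the named algorithm produces."""
    if not checksum_type or not checksum:
        raise ChecksumError("no checksum supplied; refusing to trust the download")
    algo = checksum_type.lower()
    if algo not in HEX_DIGEST_LEN:
        raise ChecksumError(f"unsupported checksum type {checksum_type!r}")
    digest = checksum.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{%d}" % HEX_DIGEST_LEN[algo], digest):
        raise ChecksumError(f"{checksum!r} is not a valid {algo} hex digest")
    return algo, digest


def is_valid_checksum(checksum_type, checksum):
    """Boolean form of parse_checksum for callers that only want a yes/no."""
    try:
        parse_checksum(checksum_type, checksum)
        return True
    except ChecksumError:
        return False


def digest_file(path, algo):
    """Stream the file through the hash; boxes are large, so read in chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def select_provider(metadata_json, version, provider):
    """Find the provider entry for the requested version in box metadata."""
    meta = json.loads(metadata_json)
    for v in meta.get("versions", []):
        if v.get("version") != version:
            continue
        for p in v.get("providers", []):
            if p.get("name") == provider:
                return p
    raise LookupError(f"no {provider} provider for version {version}")


def verify_box(path, checksum_type, checksum):
    """Verify a box file; return the digest on success, raise on any failure."""
    algo, expected = parse_checksum(checksum_type, checksum)
    actual = digest_file(path, algo)
    if actual != expected:
        raise ChecksumError(f"{algo} mismatch: expected {expected}, got {actual}")
    return actual


def verify_box_from_metadata(path, metadata_json, version, provider):
    """Verify a box against the checksum embedded in its metadata."""
    entry = select_provider(metadata_json, version, provider)
    return verify_box(path, entry.get("checksum_type"), entry.get("checksum"))


def write_sample_box(directory):
    """Write the constructed payload to disk so the example runs offline."""
    path = os.path.join(directory, "stretch64.box")
    with open(path, "wb") as f:
        f.write(SAMPLE_BOX_BYTES)
    return path


def demo():
    """Run the good case, the malformed-checksum cases, and a tampered file."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        box = write_sample_box(d)
        results["verified"] = verify_box_from_metadata(
            box, SAMPLE_METADATA, "9.2.0", "virtualbox")
        results["rejected_malformed"] = [
            c for c in ("1234", "", "zz" * 32) if not is_valid_checksum("sha256", c)]
        with open(box, "ab") as f:  # simulate a modified download
            f.write(b"tampered")
        try:
            verify_box(box, "sha256", SAMPLE_SHA256)
            results["tampered_detected"] = False
        except ChecksumError:
            results["tampered_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point of `parse_checksum` is that validation happens on the checksum string itself, independent of the file: an empty or non-hex value is an error, not a match, which is the behaviour the post reports as missing when `--checksum 1234` is accepted.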

emmanuel.ka...@gmail.com

Nov 15, 2017, 10:33:08 AM11/15/17
to Vagrant
So no one is interested in verifying the integrity of the Vagrant Cloud boxes? ;)