Currently the geoip db is downloaded during creation of ISO by:
it can also be updated after install by issuing the command:
update geoip
It would have been handy if both the 40-init-geoip-database.chroot and the script being runned for "update geoip" could do a sha1sum verification of downloaded (and extracted) content. Perhaps when the file is downloaded that it also creates a .sha1 and .sha1_expected in the same directory?
Like download to /tmp and if successful verification move it to the actual location of /usr/share/vyos-geoip/dbip-country-lite.csv.gz.
Note that the checksum available at db-ip.com is for the extracted file and not the compressed file.
The current checksum is currently available at:
https://db-ip.com/db/download/ip-to-country-lite
It can be debated what should happen if that fails.
Like for creation of ISO if that should be a hard stop (error and stop the whole process) or a soft stop (warning and continue with creating the ISO) where the later could just create an additional file such as:
/usr/share/vyos-geoip/dbip-country-lite.csv.gz.WRONG_CHEKSUM
to contain for example:
date and time: source url: checksum url: expected sha1: actual sha1:
along with a log entry that the checksum was incorrect but its moving on (same if you run update geoip in CLI where the warning also should be printed to the console).
Having the checksum from time of creation stored both as .sha1 and .sha1_expected will make it possible to verify the file later on (like if you suspect something went bad with the storage).