is there a way to check signature/hash of the iso file and autoinstall seed file (user-data)?

we can use following kernel parameter to automatically install ubuntu server: kernel vmlinuz verbose debug=1 ip=dhcp boot=casper netboot=url url=<url of iso file> autoinstall ds=nocloud-net;s=<cloud init yaml file root url> I wonder is there a way to let the installer check the signature/hash of the iso file and the user-data?

The ISO file

It looks like casper does use the md5sum.txt file within the iso to confirm the contents are correct. The output of this check is written to /run/casper-md5check.json. This check is done after the iso has been mounted to /cdrom. If you want to check the iso itself then you would need to write a custom check within the initramfs root. I don't believe the iso is accessible in the installer environment because it has been deleted. This is what the mount command shows in the installer environment after the initramfs root has been deleted.

/ubuntu-20.04.3-live-server-amd64.iso (deleted) on /cdrom type iso9660 (ro,relatime,nojoliet,check=s,map=n,blocksize=2048)

The user-data file

I do not see anything built-in to cloud-init to verify a seed file. I believe this is something you would have to code yourself. It does look like the user-data file gets downloaded in the installer environment to /var/lib/cloud/instance/user-data.txt.

There are a number of ways you could add a checksum validation. The approach would depend if you just want to guarantee file integrity or if you want to guarantee security.