Saturday, December 3, 2022

Signing a Virtual Appliance (.OVA)

I was working on VirtualBox VMs to publish as virtual appliances (.OVA files). When I was testing the import into VirtualBox, I found that there was a warning message that the appliance is not signed:

I was able to muddle through a workaround. The workaround involves getting a tool from VMware (ovftool.exe), which seems a bit strange. It allows the import of the OVA, showing the certificate and marking it as 'safe'. It still has a couple of issues. One is an annoying warning message issued while creating the signed file, for which I was unable to find a cure. The other is that it does not seem to contact a time server to timestamp the file. Presumably that means that when the signing certificate expires, you get warnings again when loading.

I would still like to know how you are supposed to do it properly according to Oracle. Surely Oracle is not using VMware's software to sign their virtual appliances.

This is my journey under Windows 10. At the end, I have a publishable appliance.

 - You need a virtual appliance (*.ova)

 - You need a signing certificate.

 - You need to have OpenSSL installed. 

 - You need the program ovftool.exe from VMware

To get the .ova file, you need to export one of your VMs as a virtual appliance:

Open the export virtual appliance dialog:

File->Export Appliance [Alternatively <CTRL>E]

Choose the virtual machine to export. Fill in whatever Virtual system settings apply (in my case, just the name)

For appliance settings, set the Format to Open Virtualization Format 1.0

The 'Write Manifest file' checkbox should be checked.

Click on the <Export> button to write the file.

The signing certificate should have been installed in the certificate store. How this is done depends on your certificate provider. 

To get the signing certificate in a usable form, you have to jump through a few hoops to get a .pem file. 

Open the Certificate Manager:

Run certmgr.msc

Open Personal->Certificates and right-click on your signing certificate

Open the All tasks menu and choose Export

This should open the Certificate Export Wizard

Click <Next>

Choose Yes, export the private key 

Click <Next>

Choose Personal Information Exchange - PKCS #12 (.PFX)

Check include all certificates in the certification path

Check Export all extended properties

Check Enable certificate privacy

Click <Next>

Check the Password checkbox and enter and confirm a password [using "IMPPass" in this example]

Change the Encryption dropdown to AES256-SHA256

Click <Next>

Assign the filename and path for the exported certificate. In this example I called it 'MyCert'. Note that you don't put the file extension on the name here. It is added by the Certificate Export Wizard. You should save it on the path where your OVA file was saved. 

Click <Next>

Review settings and Click <Finish>

It should pop up a message box saying the export was successful. Dismiss that.

The next steps are done on the console, so open a console window. Change to the directory where you have saved your OVA and PFX files. 

You now need to convert the certificate to a form that ovftool can use (.pem). To do this, you need OpenSSL. Here is the form of the command (the resulting MyCert.pem holds both the passphrase-protected private key and the certificate chain, which is what ovftool's --privateKey option expects):

openssl pkcs12 -in MyCert.pfx -out MyCert.pem

Respond to the prompts for Import Password and PEM pass phrase

    Enter Import Password: IMPPass

    Enter PEM pass phrase: PEMPass

    Verifying - Enter PEM pass phrase: PEMPass

Finally, you can sign the exported OVA with ovftool with a command like this:

ovftool --privateKey=MyCert.pem --shaAlgorithm=SHA1 DamnSmall.ova DSL.ova

Opening OVA source: DamnSmall.ova

Opening OVA target: DSL.ova

Writing OVA package: DSL.ova

Transfer Completed

The manifest validates

Enter passphrase for MyCert.pem: PEMPass

Warning:

 - No supported manifest(sha1, sha256, sha512) entry found for: 'DamnSmall-disk001.vmdk'.

Completed successfully

At this point, there should be a signed file called DSL.ova. VirtualBox will indicate this when the file is imported.
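Before handing a signed OVA to anyone, I like to see for myself what the manifest actually covers, because the ovftool warning above is exactly about a file with no manifest entry. The script below is an added example of my own (not code from VirtualBox, VMware or ovftool): it opens an OVA (which is a plain tar file), parses the .mf manifest lines of the form SHA256(file)= hex, recomputes each member's digest and reports matches, mismatches, files the manifest does not list, and listed files that are absent. It covers the integrity half of what an importer does; checking the RSA signature in the .cert file against the certificate is a separate step that this script only detects the presence of. The sample appliance it builds is constructed in memory for the demonstration; the names sample.ovf, sample.mf and sample-disk001.vmdk are made up.

```python
import hashlib
import io
import re
import tarfile

# One manifest line per packaged file, e.g. "SHA256(sample.ovf)= <hex digest>".
MANIFEST_LINE = re.compile(r"^(SHA1|SHA256|SHA512)\((.+?)\)\s*=\s*([0-9a-fA-F]+)\s*$")
ALGOS = {"SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}


def parse_manifest(text):
    """Return {filename: (algorithm, hex_digest)} from the text of a .mf file."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised manifest line: {line!r}")
        algo, name, digest = m.groups()
        entries[name] = (algo, digest.lower())
    return entries


def check_ova(ova_bytes):
    """Compare every file inside the OVA with its manifest entry.

    Returns a dict: manifest/cert (member names or None), verified, mismatched
    (tampered or corrupted), unlisted (no manifest entry, the ovftool warning
    case) and missing (listed in the manifest but not packaged).
    """
    with tarfile.open(fileobj=io.BytesIO(ova_bytes), mode="r:") as tar:
        members = {m.name: tar.extractfile(m).read() for m in tar if m.isfile()}
    manifest_name = next((n for n in members if n.endswith(".mf")), None)
    cert_name = next((n for n in members if n.endswith(".cert")), None)
    report = {"manifest": manifest_name, "cert": cert_name,
              "verified": [], "mismatched": [], "unlisted": [], "missing": []}
    if manifest_name is None:          # nothing to check against
        report["unlisted"] = sorted(members)
        return report
    entries = parse_manifest(members[manifest_name].decode("ascii"))
    for name, data in sorted(members.items()):
        if name in (manifest_name, cert_name):
            continue                   # the manifest and signature list themselves nowhere
        if name not in entries:
            report["unlisted"].append(name)
            continue
        algo, expected = entries[name]
        actual = hashlib.new(ALGOS[algo], data).hexdigest()
        report["verified" if actual == expected else "mismatched"].append(name)
    report["missing"] = sorted(set(entries) - set(members))
    return report


def build_sample_ova(files, manifest_algo="SHA256", omit=()):
    """Build an in-memory OVA with a manifest covering `files` (constructed test data).

    Names in `omit` are packaged but left out of the manifest, which reproduces
    the 'No supported manifest entry found' situation.
    """
    lines = [f"{manifest_algo}({name})= {hashlib.new(ALGOS[manifest_algo], data).hexdigest()}"
             for name, data in files.items() if name not in omit]
    manifest = ("\n".join(lines) + "\n").encode("ascii")
    # OVF order: descriptor first, then manifest, then the remaining files.
    ordered = [(n, d) for n, d in files.items() if n.endswith(".ovf")]
    ordered.append(("sample.mf", manifest))
    ordered += [(n, d) for n, d in files.items() if not n.endswith(".ovf")]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for name, data in ordered:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample content, not a real appliance or disk image.
SAMPLE_FILES = {
    "sample.ovf": b"<Envelope/>",
    "sample-disk001.vmdk": b"KDMV" + b"\x00" * 64,
}

if __name__ == "__main__":
    good = build_sample_ova(SAMPLE_FILES)
    print("intact:   ", check_ova(good))
    print("tampered: ", check_ova(good.replace(b"KDMV", b"XXXX")))
    print("unlisted: ", check_ova(build_sample_ova(SAMPLE_FILES, omit=("sample-disk001.vmdk",))))
```

Run it against a real file with check_ova(open("DSL.ova", "rb").read()); a disk image that shows up under "unlisted" is one the signature cannot protect, whatever the .cert file says, and a "mismatched" entry means the image was altered after the manifest was written.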

To test, import the newly created and signed OVA file. Open the import dialog:

File->Import Appliance [Alternatively <CTRL>I]

Enter the path and name of the signed Virtual Appliance. Click <Next>

The Appliance settings dialog should have text in the bottom left corner indicating that you have signed the appliance, and that it is trusted.

Appliance is signed
