
Signing a Virtual Appliance (.OVA)

I was working on VirtualBox VMs to publish as virtual appliances (.OVA files). When I was testing the import into VirtualBox, I found that there was a warning message that the appliance is not signed:

I was able to muddle through a work-around. The workaround involves getting a tool from VMware (ovftool.exe), which seems a bit strange. It allows the import of the OVA, showing the certificate and marking it as 'safe'. It still has a couple of issues. One is an annoying warning message issued while creating the signed file, for which I was unable to find a cure. The other is that it does not seem to contact a time server to timestamp the file. Presumably that means that when the signing certificate expires, you get warnings again when loading.

I would still like to know how you are supposed to do it properly according to Oracle. Surely Oracle is not using VMware's software to sign their virtual appliances.

This is my journey under Windows 10. At the end, I have a publishable appliance.

- You need a virtual appliance (*.ova).

- You need a signing certificate.

- You need to have OpenSSL installed.

- You need the program ovftool.exe from VMware.

To get the .ova file, you need to export one of your VMs as a virtual appliance:

Open the export virtual appliance dialog:

File->Export Appliance [Alternatively <CTRL>E]

Choose the virtual machine to export. Fill in whatever Virtual system settings apply (in my case, just the name)

For appliance settings, set the Format to Open Virtualization Format 1.0

The 'Write Manifest file' checkbox should be checked.

Click on the <Export> button to write the file.

The signing certificate should have been installed in the certificate store. How this is done depends on your certificate provider. 

To get the signing certificate in a usable form, you have to jump through a few hoops to get a .pem file. 

Open the Certificate Manager:

Run certmgr.msc

Open Personal->Certificates and right-click on your signing certificate

Open the All tasks menu and choose Export

This should open the Certificate Export Wizard

Click <Next>

Choose Yes, export the private key 

Click <Next>

Choose Personal Information Exchange - PKCS #12 (.PFX)

Check include all certificates in the certification path

Check Export all extended properties

Check Enable certificate privacy

Click <Next>

Check the Password checkbox and enter and confirm a password [using "IMPPass" in this example]

Change the Encryption dropdown to AES256-SHA256

Click <Next>

Assign the filename and path for the exported certificate. In this example I called it 'MyCert'. Note that you don't put the file extension on the name here. It is added by the Certificate Export Wizard. You should save it on the path where your OVA file was saved. 

Click <Next>

Review settings and Click <Finish>

It should pop up a message box saying the export was successful. Dismiss that.

The next steps are done on the console, so open a console window. Change to the directory where you have saved your OVA and PFX files. 

You now need to convert the certificate to a form that can be used (.pem). To do this, you need to use OpenSSL. Here is the form of the command:

    openssl pkcs12 -in MyCert.pfx -out MyCert.pem

Respond to the prompts for Import Password and PEM pass phrase

    Enter Import Password: IMPPass

    Enter PEM pass phrase: PEMPass

    Verifying - Enter PEM pass phrase: PEMPass

Finally, you can sign the exported OVA with ovftool with a command like this:

    ovftool --privateKey=MyCert.pem --shaAlgorithm=SHA1 DamnSmall.ova DSL.ova

    Opening OVA source: DamnSmall.ova
    Opening OVA target: DSL.ova
    Writing OVA package: DSL.ova
    Transfer Completed
    The manifest validates
    Enter passphrase for MyCert.pem: PEMPass
    Warning:
     - No supported manifest(sha1, sha256, sha512) entry found for: 'DamnSmall-disk001.vmdk'.
    Completed successfully

At this point, there should be a signed file called DSL.ova. VirtualBox will indicate that it is signed when you import it.

To test, import the newly created and signed OVA file. Open the import dialog:

File->Import Appliance [Alternatively <CTRL>I]

Enter the path and name of the signed Virtual Appliance. Click <Next>

The Appliance settings dialog should have text in the bottom left corner indicating that you have signed the appliance, and that it is trusted.

Appliance is signed
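As an added example (not from this post, VirtualBox or ovftool), the following Python script does the integrity half of what an importer checks: it parses the OVA's .mf manifest, recomputes every listed digest, reports any package member the manifest does not cover (the condition behind the ovftool warning above), and notes whether a .cert signature file is present at all. The sample package is constructed in memory and is not a real VM.

```python
import hashlib, io, re, tarfile

# An OVF manifest line looks like: SHA256(DSL.ovf)= <hex digest>
MF_LINE = re.compile(r"^(SHA1|SHA256|SHA512)\((.+)\)=\s*([0-9a-fA-F]+)\s*$")

def parse_manifest(text):
    """Map each listed file name to (hash algorithm, expected hex digest)."""
    entries = {}
    for line in text.splitlines():
        m = MF_LINE.match(line.strip())
        if m:
            entries[m.group(2)] = (m.group(1).lower(), m.group(3).lower())
    return entries

def check_ova(ova_bytes):
    """Recompute every manifest digest and list members the manifest omits."""
    members = {}
    with tarfile.open(fileobj=io.BytesIO(ova_bytes), mode="r:") as tar:
        for info in tar:
            if info.isfile():
                members[info.name] = tar.extractfile(info).read()
    mf_name = next((n for n in members if n.endswith(".mf")), None)
    if mf_name is None:
        return {"ok": False, "error": "no .mf manifest in package"}
    entries = parse_manifest(members[mf_name].decode())
    mismatch, uncovered = [], []
    for name, data in members.items():
        if name == mf_name or name.endswith(".cert"):
            continue  # the manifest and the signature file are not self-listed
        if name not in entries:
            uncovered.append(name)  # this is what ovftool's warning flags
        elif hashlib.new(entries[name][0], data).hexdigest() != entries[name][1]:
            mismatch.append(name)
    return {"ok": not mismatch and not uncovered, "mismatch": mismatch,
            "uncovered": uncovered, "signed": any(n.endswith(".cert") for n in members)}

def build_sample_ova(cover_disk=True):
    """Constructed sample package (not a real VM): .ovf first, then disk, then .mf."""
    files = {"DSL.ovf": b"<Envelope/>", "DSL-disk001.vmdk": b"constructed disk bytes"}
    mf = "".join(f"SHA256({n})= {hashlib.sha256(d).hexdigest()}\n"
                 for n, d in files.items() if cover_disk or n.endswith(".ovf"))
    files["DSL.mf"] = mf.encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

Running check_ova on a real OVA (read the file as bytes) shows whether the disk image is covered by a supported digest before you sign; the signature over the manifest itself is verified separately with the certificate in the .cert file.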
