
Signing a Virtual Appliance (.OVA)

I was working on VirtualBox VMs to publish as virtual appliances (.OVA files). When I was testing the import into VirtualBox, I found that there was a warning message that the appliance is not signed:

I was able to muddle through a workaround. The workaround involves getting a tool from VMWare (ovftool.exe), which seems a bit strange. It allows the import of the OVA, showing the certificate and marking it as 'safe'. It still has a couple of issues. One is an annoying warning message issued while creating the signed file, for which I was unable to find a cure. The other is that it does not seem to contact a time server to timestamp the file. Presumably that means that when the signing certificate expires, you get warnings again when loading.

I would still like to know how you are supposed to do it properly according to Oracle. Surely Oracle is not using VMWare's software to sign their Virtual Appliances. 

This is my journey under Windows 10. At the end, I have a publishable appliance.

 - You need a virtual appliance (*.ova).

 - You need a signing certificate.

 - You need to have OpenSSL installed.

 - You need the program ovftool.exe from VMWare.

To get the .ova file, you need to export one of your VMs as a virtual appliance:

Open the export virtual appliance dialog:

File->Export Appliance [Alternatively <CTRL>E]

Choose the virtual machine to export. Fill in whatever Virtual system settings apply (in my case, just the name).

For appliance settings, set the Format to Open Virtualization Format 1.0

The 'Write Manifest file' checkbox should be checked.

Click on the <Export> button to write the file.

The signing certificate should have been installed in the certificate store. How this is done depends on your certificate provider. 

To get the signing certificate in a usable form, you have to jump through a few hoops to get a .pem file. 

Open the Certificate Manager:

Run certmgr.msc

Open Personal->Certificates and right-click on your signing certificate

Open the All tasks menu and choose Export

This should open the Certificate Export Wizard

Click <Next>

Choose Yes, export the private key 

Click <Next>

Choose Personal Information Exchange - PKCS (.PFX)

Check include all certificates in the certification path

Check Export all extended properties

Check Enable certificate privacy

Click <Next>

Check the Password checkbox and enter and confirm a password [using "IMPPass" in this example]

Change the Encryption dropdown to AES256-SHA256

Click <Next>

Assign the filename and path for the exported certificate. In this example I called it 'MyCert'. Note that you don't put the file extension on the name here. It is added by the Certificate Export Wizard. You should save it on the path where your OVA file was saved. 

Click <Next>

Review settings and Click <Finish>

It should pop up a message box saying the export was successful. Dismiss that.

The next steps are done on the console, so open a console window. Change to the directory where you have saved your OVA and PFX files. 

You now need to convert the certificate to a form that can be used (.pem). To do this, you need to use OpenSSL. Here is the form of the command:

    openssl pkcs12 -in MyCert.pfx -out MyCert.pem

Respond to the prompts for Import Password and PEM pass phrase:

    Enter Import Password: IMPPass
    Enter PEM pass phrase: PEMPass
    Verifying - Enter PEM pass phrase: PEMPass

Finally, you can sign the exported OVA with ovftool with a command like this:

    ovftool --privateKey=MyCert.pem --shaAlgorithm=SHA1 DamnSmall.ova DSL.ova
    Opening OVA source: DamnSmall.ova
    Opening OVA target: DSL.ova
    Writing OVA package: DSL.ova
    Transfer Completed
    The manifest validates
    Enter passphrase for MyCert.pem: PEMPass
    Warning:
     - No supported manifest(sha1, sha256, sha512) entry found for: 'DamnSmall-disk001.vmdk'.
    Completed successfully

At this point, there should be a signed file called DSL.ova. It will indicate that when imported in VirtualBox.
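Before publishing, it is worth checking what the signing step actually covers. The .mf manifest inside the OVA lists a digest per package file, and the ovftool warning above shows a disk image that had no such entry. The following Python check is an added example, not part of the original post or of ovftool; it opens an OVA (a plain tar), recomputes every manifest digest, and reports any payload file with no manifest entry, on a constructed sample package rather than a real appliance.

```python
import hashlib
import io
import re
import tarfile
# OVF manifest lines look like "SHA256(DSL.ovf)= <hex digest>" (algorithms ovftool lists as supported).
MF_LINE = re.compile(r"^(SHA1|SHA256|SHA512)\((.+)\)=\s*([0-9a-fA-F]+)\s*$")

def verify_ova_manifest(ova_bytes):
    """Return (ok, problems): ok only if every .mf entry matches and every payload file has one."""
    problems = []
    with tarfile.open(fileobj=io.BytesIO(ova_bytes), mode="r:") as tar:
        members = {m.name: tar.extractfile(m).read() for m in tar if m.isfile()}
    (mf_name,) = [n for n in members if n.endswith(".mf")]  # raises if not exactly one manifest
    covered = set()
    for line in members[mf_name].decode().splitlines():
        if not line.strip():
            continue
        m = MF_LINE.match(line)
        if not m:
            problems.append("unparseable manifest line: %r" % line)
            continue
        algo, name, digest = m.group(1).lower(), m.group(2), m.group(3).lower()
        if name not in members:
            problems.append("manifest names a missing file: %s" % name)
            continue
        if hashlib.new(algo, members[name]).hexdigest() != digest:
            problems.append("digest mismatch: %s" % name)
        covered.add(name)
    for name in members:
        # The manifest itself and the .cert signature file are not listed in the .mf.
        if not name.endswith((".mf", ".cert")) and name not in covered:
            problems.append("no supported manifest entry for: %s" % name)
    return not problems, problems

def build_sample_ova(include_disk_entry=True, tamper=False):
    """Constructed sample OVA (not a real appliance): one .ovf, one .vmdk and a .mf."""
    files = {"DSL.ovf": b"<Envelope/>", "DSL-disk001.vmdk": b"constructed disk bytes"}
    mf = ["SHA256(%s)= %s" % (n, hashlib.sha256(files[n]).hexdigest())
          for n in files if include_disk_entry or n.endswith(".ovf")]
    if tamper:  # modify the descriptor after the manifest digests were computed
        files["DSL.ovf"] = b"<Envelope>modified</Envelope>"
    files["DSL.mf"] = ("\n".join(mf) + "\n").encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

This checks only the manifest digests; the signature in the .cert file covers the manifest and is a separate verification step. A disk image that is missing from the manifest, as in the warning above, is not protected by the signature at all.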

To test, import the newly created and signed OVA file. Open the import dialog:

File->Import Appliance [Alternatively <CTRL>I]

Enter the path and name of the signed Virtual Appliance. Click <Next>

The Appliance settings dialog should have text in the bottom left corner indicating that you have signed the appliance, and that it is trusted.

Appliance is signed
