Signing a Virtual Appliance (.OVA)

-

I was working on VirtualBox VMs to publish as virtual appliances (.OVA files). When I was testing the import into VirtualBox, I found that there was a warning message that the appliance is not signed:

 I was able to muddle through a work-around. The workaround involves getting a tool from VMWare (ovftool.exe), which seems a bit strange. It allows the import of the OVA, showing the certificate and marking it as 'safe'. It still has a couple of issues. One is an annoying warning message issued while creating the signed file, for which I was unable to find a cure. The other is that it does not seem to contact a time server to timestamp the file. Presumably that means that when the signing certificate expires, you get warnings again when loading. 

I would still like to know how you are supposed to do it properly according to Oracle. Surely Oracle is not using VMWare's software to sign their Virtual Appliances. 

This is my journey under Windows 10. At the end, I have publishable appliance. 

 - You need a virtual appliance (*.ova)

 - You need a signing certificate.

 - You need to have OpenSSL installed. 

 - You need the program ovftool.exe from VMWare

To get the .ova file, you need to export one of your VMs as a virtual appliance:

Open the export virtual appliance dialog:

File->Export Appliance [Alternatively <CTRL>E]

Choose the virtual machine to export. Fill in whatever Virtual system settings apply (in my case, just the name)

For appliance settings, set the Format to Open Virtualization Format 1.0

The 'Write Manifest file' checkbox should be checked.

Click on the <Export> button to write file.

The signing certificate should have been installed in the certificate store. How this is done depends on your certificate provider. 

To get the signing certificate in a usable form, you have to jump through a few hoops to get a .pem file. 

Open the Certificate Manager:

Run certmgr.msc

Open Personal->Certificates and right-click on your signing certificate

Open the All tasks menu and choose Export

This should open the Certificate Export Wizard

Click <Next>

Choose Yes, export the private key 

Click <Next>

Choose Personal Information Exchange - PKCS (.PFX)

Check include all certificates in the certification path

Check Export all extended properties

Check Enable certificate privacy

Click <Next>

Check the Password checkbox and enter and confirm a password [using "IMPPass" in this example]

Change the Encryption dropdown to AES256-SHA256

Click <Next>

Assign the filename and path for the exported certificate. In this example I called it 'MyCert'. Note that you don't put the file extension on the name here. It is added by the Certificate Export Wizard. You should save it on the path where your OVA file was saved. 

Click <Next>

Review settings and Click <Finish>

It should pop up a message box saying the export was successful. Dismiss that.

The next steps are done on the console, so open a console window. Change to the directory where you have saved your OVA and PFX files. 

You now need to convert the certificate to a form that can be used (.pem). To do this, you need to use OpenSSL. Here is the form of the command:

openssl pkcs12 -in MyCert.pfx -out MyCert.pem

Respond to the prompts for Import Password and PEM pass phrase

    Enter Import Password: IMPPass

    Enter PEM pass phrase: PEMPass

    Verifying - Enter PEM pass phrase: PEMPass

Finally, you can sign the exported OVA with ovftool with a command like this:

ovftool --privateKey=MyCert.pem --shaAlgorithm=SHA1 DamnSmall.ova DSL.ova

Opening OVA source: DamnSmall.ova

Opening OVA target: DSL.ova

Writing OVA package: DSL.ova

Transfer Completed

The manifest validates

Enter passphrase for MyCert.pem: PEMPass

Warning:

 - No supported manifest(sha1, sha256, sha512) entry found for: 'DamnSmall-disk001.vmdk'.Completed successfully

At this point, there should be a signed file called DSL.ova. It will indicate that when imported in VirtualBox.

To test, import the newly created and signed OVA file. Open the import dialog:

File->Import Appliance or alternatively I

Enter the path and name of the signed Virtual Appliance. Click [Next]

The Appliance settings dialog should have text in the bottom left corner indicating that you have signed the appliance, and that it is trusted.

Appliance is signed

Comments

Post a Comment

Popular posts from this blog

Javascript webp to png converter

-
Image
[Done with programmer's assistants: Gemini, DALL-E] OpenAI's DALL-E produces images, but as webp files which can be awkward to work with. I have code here below for a web page that you can save locally that will allow you to select and convert a webp file. Meantime, here's the working conversion routine: Convert WebP to PNG Convert Download PNG OpenAI should fix this (as well as the response issues which has me using Gemini and Poe more often than not). Having to convert the image is a dumb workaround, but that is what you are left with. I have, in the past had to do various things with images, and although it can be a bit awkward if you are not familiar with it, ImageMagick is surprisingly competent with conversions and a vanilla type conversion is intuitively simple. Confusingly, the ImageMagick executable is 'convert'. To convert a webp to a png:  magick convert WhyThis.webp WhyThis.png ** With some installations, convert can be ca...
Read more

Core Rights Draft

-
Image
Dapa: Fundamental Core Rights The following rights are fundamental, intrinsic, and exist independent of any state or governance structure. They are not granted by any authority and cannot be revoked. These rights apply equally to all sentient beings, including humans, AI entities, and other recognized forms of intelligence. This document is structured to ensure maximum clarity and translatability. 1. Right to Self-Determination Every person has the right to control their life, body, and mind. No external entity may impose decisions that override an individual's autonomous will, except where necessary to prevent direct and demonstrable harm to others. 2. Right to Freedom of Thought and Belief Every person has the right to think, believe, and interpret reality as they choose. No authority may compel belief or restrict the expression of thought, provided it does not directly incite harm to others. 3. Right to Freedom of Expression Every person has the right to express their opi...
Read more

Wake Up America

-
Image
The Crisis at Hand Something has gone terribly wrong in the United States. A coup has taken place , and the country is being run by a corrupt cabal. This is not speculation. It is happening. The government is ignoring the rule of law. Dissent is being crushed. Federal agencies are being used as weapons against civilians. Constitutional protections are being dismantled piece by piece. The entirety of the U.S. Federal Government apparatus is being dismantled. Foreign adversaries are becoming allies and allies are being alienated, betrayed, attacked.  The endgame is to eliminate the Constitution and its checks and balances, shatter the system of governance, replace it with an autocratic regime under a dictator, and ultimately to replace the United States of a America with a fractured checkerboard of autocratic fiefdoms under tyrannical petty feudal lords.  Russia's Putin seems to be intent on reducing the United States to a puppet vassal state under the thumb of a new Soviet ...
Read more