How to sign an ova file?


I am trying to sign an ova file by following this link. I also generated the manifest file but I don't see any information in the signed file. Here are the commands I am using:

  openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:1024 -keyout myself.pem -out myself.pem
  openssl sha1 *.ova > myself.mf
  ovftool --privateKey=myself.pem sample.ova sample-signed.ova

When I run ovftool sample-signed.ova it has no manifest information. I tried unzipping the ova file and did exactly the same with the ovf file but it didn't help either.

  ovftool --version
  VMware ovftool 4.1.0 (build-2459827)
2

There are 2 best solutions below

0
mykhal On

OVA is a tar archive of

  • OVF (XML) file,
  • related resource files (e.g. disk VMDKs),
  • and that MF file containing hashes of files on the list above,
  • etc...? (e.g. CERT signature).

The signing process adds a CERT file (containing the generated signature of the MF file, and the certificate). I'm not sure for now whether ovftool can operate on the OVF or MF file itself. However, when running on the whole OVA archive, it also creates the MF file, if missing (in this case, it shows the warning: No manifest file found), in the new signed OVA (that's for ovftool-4.5.0-20459872).

0
tyr10563 On

The manifest should contain hashes of the files inside the OVA archive. The filename of the manifest should be the same as the name of the .ovf file (in this case assumed to be myself.ovf). Then generate it with:

  openssl sha1 *.ovf *.vmdk > myself.mf

Additionally, if running on Windows, convert the manifest file to UTF-8 encoding, as the default UTF-16 isn't recognized by ovftool.

With that, you can sign the .ovf file and package it to a .ova by:

  ovftool --privateKey=myself.pem myself.ovf sample-signed.ova
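
A way to check a package for the problems both answers describe (manifest missing or misnamed, hashes that do not cover the archive members, UTF-16 manifest, no .cert file), as an added example that is not code from either answer or from VMware. The names check_ova and build_ova are hypothetical, the manifest line format is assumed to be what openssl sha1 prints, and the signature inside the .cert file is not verified.

```python
import hashlib
import io
import re
import tarfile

# Manifest line as printed by `openssl sha1 FILE`: "SHA1(FILE)= <hex>" (assumed format)
MF_LINE = re.compile(r"^(SHA1|SHA256)\((.+)\)\s*=\s*([0-9a-fA-F]+)$")


def check_ova(ova_bytes):
    """Return a list of manifest problems in an OVA (empty list = consistent)."""
    # Reads every member into memory; hash in chunks for real multi-GB disks.
    with tarfile.open(fileobj=io.BytesIO(ova_bytes)) as tar:
        files = {m.name: tar.extractfile(m).read() for m in tar if m.isfile()}
    ovf = next((n for n in files if n.endswith(".ovf")), None)
    if ovf is None:
        return ["no .ovf descriptor in archive"]
    base = ovf[:-len(".ovf")]
    problems = []
    if base + ".cert" not in files:
        problems.append("no %s.cert: package is unsigned" % base)
    raw = files.get(base + ".mf")  # manifest must share the .ovf base name
    if raw is None:
        return problems + ["no %s.mf: manifest missing or misnamed" % base]
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):  # UTF-16 byte order mark
        return problems + ["manifest is UTF-16; re-save it as UTF-8"]
    listed = set()
    for line in raw.decode("utf-8", "replace").splitlines():
        m = MF_LINE.match(line.strip())
        if not m:
            if line.strip():
                problems.append("unparsable manifest line: %r" % line)
            continue
        algo, name, digest = m.groups()
        listed.add(name)
        if name not in files:
            problems.append("manifest lists %s, not in archive" % name)
        elif hashlib.new(algo.lower(), files[name]).hexdigest() != digest.lower():
            problems.append("digest mismatch for %s" % name)
    for name in files:
        if name not in listed and not name.endswith((".mf", ".cert")):
            problems.append("%s is not covered by the manifest" % name)
    return problems


def build_ova(members):
    """Constructed sample input: pack {name: bytes} into an in-memory tar."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

For a file on disk, pass its contents: check_ova(open("sample-signed.ova", "rb").read()).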