
Sign Virtual Machines (OVA) with OVF Tool

Signum can be used to sign OVA files with the OVF Tool from VMware, which enables the signing of virtual machines.

What is an OVA file?

Open Virtualization Application (OVA) is a single, compressed archive (a .tar file) that packages a virtual machine (VM) for distribution.

Prerequisites

Prepare OVA File

  1. Copy the OVA file into the machine that will do the signing.

  2. Extract the OVA file using the following command, replacing VirtualMachine.ova with the name of your .ova file:

    CODE
    tar xvf VirtualMachine.ova

Since the .ova file is a .tar archive, this command unpacks its contents. You will now see files ending in .ovf, .vmdk and .mf, such as VirtualMachine.ovf, VirtualMachine-disk001.vmdk, and VirtualMachine.mf.

Create Signature

The .mf file from the OVA is the manifest of the VM. It contains the digests of the VM disk (.vmdk) and the metadata (.ovf). Signing the manifest therefore proves that these files have not been changed since they were signed.

Selecting a specific private key is not supported. The signing service automatically uses the first available key associated with the signed-in user. To guarantee that a particular certificate is used, ensure that only one certificate is present.

  1. Execute the following command:

    CODE
    openssl dgst -keyform engine \
      -engine pkcs11 \
      -sha256 \
      -hex \
      -sign "pkcs11:model=Linux;manufacturer=Keyfactor;serial=1;token=Keyfactor for Linux;" \
      -out VirtualMachine.dgst VirtualMachine.mf

This command hashes the manifest with SHA-256, signs the digest with the key selected through the PKCS#11 engine, and writes the hex-encoded signature to VirtualMachine.dgst.

  2. Open the .dgst file in your editor of choice.

  3. Edit the digest line so that it starts with SHA256(<filename>)=<hex>. The OVF Tool expects exactly this format, and the header openssl writes when creating the signature differs from it.

For example, the current digest:

CODE
 RSA-SHA2-256(VirtualMachine.mf)= 94ef5c23d6be74caa...

Change the name to:

CODE
SHA256(VirtualMachine.mf)=94ef5c23d6be74caa...

Make sure to remove any whitespace between the = and the hex.

  4. Concatenate the digest and the certificate using the following command, where certificate.crt is the PEM-encoded certificate belonging to the signing key:

    CODE
    cat VirtualMachine.dgst certificate.crt > VirtualMachine.cert

Verify Signature

Use the following command to verify the signature:

CODE
ovftool VirtualMachine.ovf

The output should read "Source is signed", followed by additional information on the signature.

Repackage OVA File

Use the following command to repackage all the files and recreate the .ova archive:

CODE
tar cvf signedVirtualMachine.ova --format=ustar *.ovf *.vmdk *.mf *.cert

Replace the signedVirtualMachine.ova in the example with your chosen .ova filename.
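The steps above, automated as one script. This is an added example and not part of the Signum documentation or the OVF Tool; the script and its function names are hypothetical. It assumes sha256sum, sed, tar, openssl with the pkcs11 engine and ovftool are on PATH, and it uses the PKCS#11 key URI quoted on this page. It goes slightly beyond the manual procedure in two ways: it checks the manifest digests against the extracted files before signing, so a modified disk image or descriptor is caught early, and it normalizes the openssl output line automatically instead of editing it by hand.

```shell
#!/bin/sh
# Hypothetical helper (added example, not from the Signum documentation) that
# automates the manual OVA signing steps. Assumes sha256sum, sed, tar, openssl
# with the pkcs11 engine and ovftool are on PATH.
set -eu

# Key URI as quoted on the page; adjust to your token.
PKCS11_KEY_URI="pkcs11:model=Linux;manufacturer=Keyfactor;serial=1;token=Keyfactor for Linux;"

# Check every "SHA256(name)= hex" entry of a manifest against the file it names
# (looked up next to the manifest). Fails on the first mismatch or missing file,
# so a modified disk image or descriptor is noticed before anything is signed.
verify_manifest() {
  mf="$1"
  dir=$(dirname "$mf")
  while IFS= read -r line || [ -n "$line" ]; do
    [ -n "$line" ] || continue
    fields=$(printf '%s\n' "$line" | sed -E -n 's/^SHA256\(([^)]+)\)=[[:space:]]*([0-9A-Fa-f]+)[[:space:]]*$/\1 \2/p')
    [ -n "$fields" ] || { echo "unsupported manifest entry: $line" >&2; return 1; }
    name=${fields% *}
    want=${fields##* }
    [ -f "$dir/$name" ] || { echo "missing file: $name" >&2; return 1; }
    have=$(sha256sum "$dir/$name" | cut -d' ' -f1)
    [ "$have" = "$want" ] || { echo "digest mismatch: $name" >&2; return 1; }
  done < "$mf"
}

# Rewrite the line openssl prints ("RSA-SHA2-256(file)= hex", or "RSA-SHA256(...)"
# on older releases) into the "SHA256(file)=hex" form the OVF Tool expects.
# Any other algorithm or layout is rejected rather than silently relabelled.
normalize_digest_line() {
  out=$(sed -E -n 's/^(RSA-)?(SHA2-256|SHA256)\(([^)]+)\)=[[:space:]]*([0-9A-Fa-f]+)[[:space:]]*$/SHA256(\3)=\4/p')
  [ -n "$out" ] || { echo "unexpected signature line" >&2; return 1; }
  printf '%s\n' "$out"
}

# Sign the manifest with the PKCS#11-backed key; prints the hex signature line.
sign_manifest() {
  openssl dgst -keyform engine -engine pkcs11 -sha256 -hex \
    -sign "$PKCS11_KEY_URI" "$1"
}

# Build the .cert file: the normalized signature line followed by the
# PEM certificate of the signing key (the order the page's cat command uses).
build_cert_file() {
  sig_line="$1"; cert="$2"; out="$3"
  printf '%s\n' "$sig_line" | normalize_digest_line > "$out"
  cat "$cert" >> "$out"
}

# Rebuild the archive in ustar format. The descriptor (.ovf) is listed first
# because the OVF specification requires it to be the first entry of an OVA.
repack_ova() {
  dir="$1"
  out="$(cd "$(dirname "$2")" && pwd)/$(basename "$2")"
  ( cd "$dir" && tar --format=ustar -cf "$out" -- *.ovf *.vmdk *.mf *.cert )
}

# End-to-end: verify the manifest, sign it, write <name>.cert next to it,
# rebuild the OVA and let ovftool confirm it ("Source is signed").
sign_ova() {
  dir="$1"; cert="$2"; out="$3"
  mf=$(ls "$dir"/*.mf)
  verify_manifest "$mf"
  sig=$(sign_manifest "$mf")
  build_cert_file "$sig" "$cert" "${mf%.mf}.cert"
  repack_ova "$dir" "$out"
  ovftool "$dir"/*.ovf
}

# Usage: sh sign_ova.sh <extracted-ova-dir> <certificate.crt> <signed.ova>
if [ "$#" -eq 3 ]; then
  sign_ova "$1" "$2" "$3"
fi
```

Run it against the directory produced by `tar xvf VirtualMachine.ova`; the manifest check refuses to sign if any .ovf or .vmdk no longer matches its recorded digest, which is the property the signature is meant to attest to in the first place.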
