Sign Virtual Machines (OVA)

Signum can be used together with the OVF Tool from VMware to sign OVA files, which enables the signing of virtual machines.

What is an OVA file?

An Open Virtualization Application (OVA) file is a single, compressed archive (a .tar file) that packages a virtual machine (VM) for distribution.

Prerequisites


Prepare OVA File

  1. Copy the OVA file into the machine that will do the signing.

  2. Unpack the OVA file using the following command, replacing VirtualMachine.ova with the name of your .ova file:

    tar xvf VirtualMachine.ova
    

Since the .ova file is a .tar archive, this command unpacks the files it contains. You can now see files with the extensions .ovf, .vmdk and .mf, such as VirtualMachine.ovf, VirtualMachine-disk001.vmdk, and VirtualMachine.mf.


Create Signature

The .mf file from the OVA is the manifest of the VM. It contains the digests of the VM disk (.vmdk) and of the metadata (.ovf). Signing the manifest proves that these files have not been changed.

Sign the .mf file using the openssl dgst command. If more than one certificate is available to the user, choose the certificate to use:

  1. Run the following command to list the available tokens using p11tool, which is part of the gnutls-bin package (the pkcs11Token variable holds the URL of the token to list):

    p11tool --login --list-all "$pkcs11Token" 
    
  2. In the output, find the URL of the object with Type: Private key; this is the key used for signing. The object with Type: X.509 Certificate is the certificate used to validate the signature:

    Object 0:
            URL: pkcs11:model=Linux;manufacturer=Keyfactor;serial=1;token=Signum%20for%20Linux%00;id=%33%2D%B3%5F%9C%6A%34%D7%80%4D%47%20%8B%E8%BC%0F%02%30%77%A8;object=332DB35F9C6A34D7804D47208BE8BC0F023077A8%20-%20Certificate;type=cert
            Type: X.509 Certificate
            Label: 332DB35F9C6A34D7804D47208BE8BC0F023077A8 - Certificate
            Flags: CKA_PRIVATE; CKA_TRUSTED; 
            ID: 33:2d:b3:5f:9c:6a:34:d7:80:4d:47:20:8b:e8:bc:0f:02:30:77:a8
    
    Object 1:
            URL: pkcs11:model=Linux;manufacturer=Keyfactor;serial=1;token=Signum%20for%20Linux%00;id=%33%2D%B3%5F%9C%6A%34%D7%80%4D%47%20%8B%E8%BC%0F%02%30%77%A8;object=332DB35F9C6A34D7804D47208BE8BC0F023077A8%20-%20Public%20key;type=public
            Type: Public key (RSA-4096)
            Label: 332DB35F9C6A34D7804D47208BE8BC0F023077A8 - Public key
            Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_TRUSTED; 
            ID: 33:2d:b3:5f:9c:6a:34:d7:80:4d:47:20:8b:e8:bc:0f:02:30:77:a8
    
    Object 2:
            URL: pkcs11:model=Linux;manufacturer=Keyfactor;serial=1;token=Signum%20for%20Linux%00;id=%33%2D%B3%5F%9C%6A%34%D7%80%4D%47%20%8B%E8%BC%0F%02%30%77%A8;object=332DB35F9C6A34D7804D47208BE8BC0F023077A8%20-%20Private%20key;type=private
            Type: Private key (RSA-4096)
            Label: 332DB35F9C6A34D7804D47208BE8BC0F023077A8 - Private key
            Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_TRUSTED; CKA_EXTRACTABLE; CKA_SENSITIVE; 
            ID: 33:2d:b3:5f:9c:6a:34:d7:80:4d:47:20:8b:e8:bc:0f:02:30:77:a8
    
  3. Put the private key URL into the variable pkcs11PrivateKeyURL:

    pkcs11PrivateKeyURL="pkcs11:model=Linux;manufacturer=Keyfactor;serial=1;token=Signum%20for%20Linux%00;id=%33%2D%B3%5F%9C%6A%34%D7%80%4D%47%20%8B%E8%BC%0F%02%30%77%A8;object=332DB35F9C6A34D7804D47208BE8BC0F023077A8%20-%20Private%20key;type=private"
    
  4. To sign with the specific certificate, run the following command, using the variable:

    openssl dgst -keyform engine \
    -engine pkcs11 \
    -sha256 \
    -hex \
    -sign "$pkcs11PrivateKeyURL" \
    -out VirtualMachine.dgst VirtualMachine.mf
    

This command calculates the digest of the file and then generates the signature inside VirtualMachine.dgst.

  5. Open the .dgst file in your editor of choice.

  6. Edit the digest to start with SHA256(<filename>)=<hex>. This change ensures the digest is in the format the OVF tool expects, since the format produced by openssl when creating the signature may differ.

  • For example, the current digest:

     RSA-SHA2-256(VirtualMachine.mf)= 94ef5c23d6be74caa...
    
  • Change the name to:

    SHA256(VirtualMachine.mf)=94ef5c23d6be74caa...
    

Make sure to remove any whitespace between the = and the hex.

  7. Concatenate the digest and the certificate using the following command:

    cat VirtualMachine.dgst certificate.crt > VirtualMachine.cert
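The manifest check and the .dgst header fix described above, as an added shell example that is not part of the original page or of Signum/OVF Tool: check_manifest verifies that every SHA256(...) entry in the .mf file matches the unpacked file it names before you vouch for the manifest with a signature, and fix_dgst_header rewrites the header line openssl writes into the .dgst file into the SHA256(<filename>)=<hex> form ovftool expects. It assumes sha256sum from coreutils and that the files named in the .mf sit in the same directory as the manifest.

```shell
#!/bin/sh
# Added example, not code from the page or from Signum/OVF Tool.
# Assumes coreutils sha256sum; files named in the .mf live beside it.

# Verify every "SHA256(<name>)= <hex>" entry in a manifest against the
# unpacked file it names. Returns 1 if any file is missing or altered,
# so a tampered .ovf/.vmdk is caught before the manifest gets signed.
check_manifest() {
    mf=$1
    dir=$(dirname "$mf")
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            'SHA256('*')='*) ;;        # only SHA256 entries are handled
            *) continue ;;
        esac
        name=${line#"SHA256("}
        name=${name%%")"*}
        want=$(printf '%s' "${line#*=}" | tr -d ' \t' | tr 'A-F' 'a-f')
        if [ ! -f "$dir/$name" ]; then
            echo "missing: $name" >&2
            status=1
            continue
        fi
        got=$(sha256sum "$dir/$name" | cut -d' ' -f1)
        if [ "$got" != "$want" ]; then
            echo "digest mismatch: $name" >&2
            status=1
        fi
    done < "$mf"
    return $status
}

# Rewrite the first line of a .dgst file from the form openssl emits,
# e.g. "RSA-SHA2-256(VirtualMachine.mf)= 94ef...", to the
# "SHA256(VirtualMachine.mf)=94ef..." form ovftool expects, with no
# whitespace around the "=".
fix_dgst_header() {
    sed '1s/^[A-Za-z0-9-]*(\([^)]*\))[[:space:]]*=[[:space:]]*/SHA256(\1)=/' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Usage: sh ova-sign-helpers.sh check VirtualMachine.mf
#        sh ova-sign-helpers.sh fix   VirtualMachine.dgst
case "${1:-}" in
    check) check_manifest "$2" ;;
    fix)   fix_dgst_header "$2" ;;
esac
```

Run the check before the openssl dgst step and the fix after it; a non-zero exit from check means the manifest no longer describes the files you unpacked.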
    

Verify Signature

Use the following command to verify the signature:

ovftool VirtualMachine.ovf

You should get an output reading “Source is signed”, followed by additional information on the signature.


Repackage OVA File

Use the following command to repackage all the files and recreate the .ova archive:

tar cvf signedVirtualMachine.ova --format=ustar *.ovf *.vmdk *.mf *.cert

Replace signedVirtualMachine.ova in the example with your chosen .ova filename.