2

I am trying to sign an ova file by following this link. I also generated the manifest file but I don't see any information in the signed file. Here is the command I am using:

  openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:1024 -keyout myself.pem -out myself.pem
  openssl sha1 *.ova > myself.mf
  ovftool --privateKey=myself.pem sample.ova sample-signed.ova

When I run ovftool sample-signed.ova it has no manifest information. I tried unzipping the ova file and did exactly the same with ovf file but it didn't help either.

  ovftool --version
  VMware ovftool 4.1.0 (build-2459827)
user_dev
  • Your last ovftool command seems right. (Hashing ova file(s?) above does not make sense though.) Maybe that is a problem with that particular ovftool version? Or with the ova file itself? Maybe my answer below will help you somehow. – mykhal Feb 15 '23 at 14:28

1 Answer

0

OVA is a tar archive of

  • OVF (XML) file,
  • related resource files (e.g. disk VMDKs),
  • and that MF file containing hashes of files on the list above,
  • etc...? (e.g. CERT signature).

The signing process adds a CERT file (containing the generated signature of the MF file, and the certificate). I'm not sure for now whether ovftool can operate on the OVF or MF file itself. However, when running on the whole OVA archive, it also creates the MF file, if missing (in this case, it shows the warning: No manifest file found), in the new signed OVA (that's for ovftool-4.5.0-20459872).

mykhal
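To see what a given OVA actually contains, the archive layout described in the answer above can be checked directly. This is an added example, not part of the original answer or of ovftool: it opens the OVA as a tar archive, reports whether an MF and a CERT member are present, and recomputes each digest listed in the manifest. It assumes manifest lines of the form `ALGO(name)= hexdigest` (the format `openssl sha1` prints); `check_ova`, `build_sample_ova` and the sample file names are hypothetical, and the CERT signature itself is not verified.

```python
import hashlib, io, re, tarfile

# Assumed manifest line format: "SHA256(sample.ovf)= <hex digest>"
MF_LINE = re.compile(r"^(SHA1|SHA256|SHA512)\s*\((.+)\)\s*=\s*([0-9a-fA-F]+)\s*$")

def check_ova(fileobj):
    """Return (manifest_name, cert_name, {member: 'ok'|'mismatch'|'missing'})."""
    with tarfile.open(fileobj=fileobj, mode="r:") as tar:
        names = [m.name for m in tar.getmembers() if m.isfile()]
        mf = next((n for n in names if n.lower().endswith(".mf")), None)
        cert = next((n for n in names if n.lower().endswith(".cert")), None)
        results = {}
        if mf is None:          # the unsigned, manifest-less case from the question
            return None, cert, results
        for line in tar.extractfile(mf).read().decode("utf-8").splitlines():
            m = MF_LINE.match(line.strip())
            if not m:
                continue
            algo, member, expected = m.groups()
            if member not in names:
                results[member] = "missing"
                continue
            h = hashlib.new(algo.lower())
            src = tar.extractfile(member)
            for chunk in iter(lambda: src.read(1 << 20), b""):
                h.update(chunk)   # stream, since disk images can be large
            results[member] = "ok" if h.hexdigest() == expected.lower() else "mismatch"
        return mf, cert, results

def build_sample_ova(with_manifest=True, tamper=False):
    """Constructed sample: a tiny in-memory OVA with placeholder contents."""
    files = {"sample.ovf": b"<Envelope/>", "sample-disk1.vmdk": b"\x00" * 64}
    if with_manifest:
        mf = "".join(f"SHA256({n})= {hashlib.sha256(d).hexdigest()}\n" for n, d in files.items())
        files["sample.mf"] = mf.encode()
    if tamper:                  # change the disk after the manifest was computed
        files["sample-disk1.vmdk"] = b"\x01" * 64
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print(check_ova(build_sample_ova()))
```

For a real file, pass `open("sample-signed.ova", "rb")` to `check_ova`; a `None` manifest or certificate name means the corresponding member is absent from the archive.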