Publishing an OVF Package with a Digital Signature
If you are a vendor who has produced a virtual appliance that you want to publish as an OVF appliance for public consumption, you should incorporate a digital signature.

Digital signatures work by proving that a message or document was not modified (intentionally or unintentionally) from the time it was signed. They do this by generating a unique hash of the message or document and encrypting it using the sender's private key. For more information, see Understanding Digital Signatures at the cisa.gov website.

OVF Tool helps in distributing virtual appliances by performing all required operations to digitally sign an OVF package. Operation steps include:
- Calculate the SHA hashes of each file (OVF file, VMDK files, and so on).
- Create a manifest file and store in it the SHA hashes calculated in the previous step.
- Use the vendor's private key to digitally sign the manifest file's content, thereby producing a digital signature.
- OVF Tool then stores the digital signature from the previous step in the cert file. OVF Tool also stores the vendor's public key in the cert file for client-side signature verification.
The steps above can also be done using the openssl tool.

SHA1 is no longer considered secure. SHA256 and above should be used instead. See the --shaAlgorithm command line option.

When a customer receives the vendor's OVF package, they can perform the following steps to verify the integrity of the OVF package contents:
- The customer uses the public key in the cert file to verify (for example with openssl) the signature of the manifest file content in the cert file, checking that the signature matches the manifest file contents.
- The customer uses the SHA hashes in the (now verified) manifest file to verify (with openssl) that the OVF file hash and the VMDK file hash match those in the manifest file. This proves that the files have not been corrupted or tampered with since the vendor published them.
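Both procedures, the vendor's four signing steps and the customer's two verification steps, carried out with openssl as an added example; this is not OVF Tool's own code or output. The file layouts it writes are my reading of what OVF Tool produces and are assumptions here: one `SHA256(<file>)= <hex>` line per package file in the .mf file, and a `SHA256(<name>.mf)= <hex signature>` line followed by the vendor's PEM certificate (which carries the public key) in the .cert file. The appliance files, the vendor key and the self-signed certificate are constructed inside the script so it runs offline, and the function names (`hex_to_bin`, `make_manifest`, `sign_manifest`, `verify_package`, `make_sample_package`) are chosen for this example. SHA256 is used throughout, as the text advises.

```shell
#!/bin/sh
# Added example, not OVF Tool's own code: sign an OVF package and verify it
# with openssl. Assumed file layouts (see the lead-in):
#   appliance.mf   : one "SHA256(<file>)= <hex>" line per package file
#   appliance.cert : "SHA256(appliance.mf)= <hex signature>" + vendor PEM cert
set -eu

# Hex text on stdin -> raw bytes on stdout (xxd is not installed everywhere).
hex_to_bin() {
  if command -v xxd >/dev/null 2>&1; then xxd -r -p
  else perl -ne 'chomp; print pack("H*", $_)'
  fi
}

# Vendor steps 1 and 2: hash every package file and record the hashes in the manifest.
make_manifest() {   # make_manifest <pkgdir> <name>
  dir=$1; name=$2
  ( cd "$dir" && for f in *; do
      case "$f" in *.mf|*.cert) ;;   # never hash the manifest or cert file themselves
        *) h=$(openssl dgst -sha256 -r "$f" | cut -d' ' -f1)
           printf 'SHA256(%s)= %s\n' "$f" "$h" ;;
      esac
    done ) > "$dir/$name.mf"
}

# Vendor steps 3 and 4: sign the manifest, store signature and certificate in the cert file.
sign_manifest() {   # sign_manifest <pkgdir> <name> <vendor.key> <vendor.crt>
  dir=$1; name=$2; key=$3; crt=$4
  sig=$(openssl dgst -sha256 -sign "$key" "$dir/$name.mf" | od -An -v -tx1 | tr -d ' \n')
  { printf 'SHA256(%s.mf)= %s\n' "$name" "$sig"; cat "$crt"; } > "$dir/$name.cert"
}

# Customer steps: returns 0 only if the manifest signature and every file hash check out.
verify_package() {   # verify_package <pkgdir> <name>
  dir=$1; name=$2; tmp=$(mktemp -d)
  # Step 1: the public key inside the cert file must verify the manifest signature.
  sed -n '/^-----BEGIN CERTIFICATE-----/,$p' "$dir/$name.cert" > "$tmp/vendor.pem"
  openssl x509 -in "$tmp/vendor.pem" -pubkey -noout > "$tmp/vendor.pub"
  sed -n 's/^SHA256(.*\.mf)= //p' "$dir/$name.cert" | hex_to_bin > "$tmp/sig.bin"
  if ! openssl dgst -sha256 -verify "$tmp/vendor.pub" -signature "$tmp/sig.bin" \
        "$dir/$name.mf" >/dev/null 2>&1; then
    rm -rf "$tmp"; echo "manifest signature does not verify"; return 1
  fi
  # Step 2: every hash in the now-trusted manifest must match the file on disk.
  while IFS= read -r line; do
    f=$(printf '%s\n' "$line" | sed 's/^SHA256(\(.*\))= .*/\1/')
    want=${line##*= }
    got=$(openssl dgst -sha256 -r "$dir/$f" 2>/dev/null | cut -d' ' -f1)
    if [ "$got" != "$want" ]; then
      rm -rf "$tmp"; echo "hash mismatch for $f"; return 1
    fi
  done < "$dir/$name.mf"
  rm -rf "$tmp"; echo "package verified"
}

# Constructed sample: a tiny "appliance" plus a throwaway vendor key and self-signed cert.
make_sample_package() {   # make_sample_package <workdir> -> <workdir>/pkg and <workdir>/vendor
  mkdir -p "$1/pkg" "$1/vendor"
  printf '<Envelope>constructed sample OVF descriptor</Envelope>\n' > "$1/pkg/appliance.ovf"
  head -c 4096 /dev/urandom > "$1/pkg/appliance-disk1.vmdk"   # stand-in for a disk image
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example Vendor' \
    -keyout "$1/vendor/vendor.key" -out "$1/vendor/vendor.crt" >/dev/null 2>&1
}

# Demo: sign, verify, then tamper with a disk file and show that verification fails.
demo() {
  work=$(mktemp -d)
  make_sample_package "$work"
  make_manifest "$work/pkg" appliance
  sign_manifest "$work/pkg" appliance "$work/vendor/vendor.key" "$work/vendor/vendor.crt"
  cat "$work/pkg/appliance.mf"
  verify_package "$work/pkg" appliance
  printf 'x' >> "$work/pkg/appliance-disk1.vmdk"
  if verify_package "$work/pkg" appliance; then echo "BUG: tampering not detected"; return 1; fi
  rm -rf "$work"
}
demo
```

The order of the two customer checks matters: the signature over the manifest is checked first, so the hashes are only trusted once they are known to come from the key in the cert file. Note that this script, like the steps in the text, only establishes integrity against the certificate shipped inside the package; whether that certificate belongs to the vendor you expect is a separate trust decision.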
OVF Tool can perform the above steps automatically and does so by default if a .cert file is found in the OVF package. If the --requireSignature option is passed to the OVF Tool command, the .cert and .mf files must exist in the OVF package and they must be valid.

VMware signs their own appliances. OVF Tool and vCenter Server Appliance have an embedded copy of the VMware public key to verify digital signatures of those products.