VMware vSphere SDKs and Tools 8.0

8.0 7.0 6.7 6.5

Publishing an OVF Package with a Digital Signature

If you are a vendor who has produced a virtual appliance that you want to publish as an OVF appliance for public consumption, you should incorporate a digital signature.
Digital signatures work by proving that a message or document was not modified (intentionally or unintentionally) from the time it was signed. Digital signatures do this by generating a unique hash of the message or document and encrypting it using the sender's private key. For more information, see
Understanding Digital Signatures
 at the cisa.gov website.
OVF Tool helps in distributing virtual appliances by performing all required operations to digitally sign an OVF package. Operation steps include:
  1. Calculate the SHA hashes of each file (OVF file, VMDK files, and so on).
  2. Create a manifest file and store the calculated SHA hashes from the previous step.
  3. Use the vendor's private key to digitally sign the manifest file's content thereby producing a digital signature.
  4. OVF Tool then stores the digital signature from the previous step in the cert file. OVF Tool also stores the vendor's public key in the cert file for client side signature verification.
The steps above can also be done using the
openssl
 tool.
SHA1 is no longer considered secure. SHA256 and above should be used instead. See the
--shaAlgorithm
 command line option.
When a customer receives the vendor's OVF package, they can perform the following steps to verify integrity of the OVF package contents:
  1. Customer uses the public key in the cert file to verify (for example with
    openssl
    ) the signature of the manifest file content in the cert file, checking that the signature matches the manifest file contents.
  2. Customer uses SHA hashes in the (now verified) manifest file to verify (with
    openssl
    ) that the OVF file hash and the VMDK file hash match those in the manifest file. This proves that the files have not been corrupted or tampered with since the vendor published them.
OVF Tool can perform the above steps automatically and does so by default if a
.cert
 file is found in the OVF package.
If option
--requireSignature
 is passed to the OVF Tool command, the
.cert
 and
.mf
 files must exist in the OVF package and they must be valid.
VMware signs their own appliances. OVF Tool and vCenter Server Appliance have an embedded copy of the VMware public key to verify digital signatures of those products.

Content feedback and comments