How to sign ova appliance? - application is not signed.

[adrelanos]

Says application is not signed. See screenshot below.



I am creating appliances, i.e. ova images and would like to sign them. How to do that?

Related things I found but didn't answer this:
- viewtopic.php?f=8&t=80888
- https://www.virtualbox.org/ticket/15666

[socratis]

The thread title has two different parts in it: 1) Host to sign an OVA, 2) What you're trying to import is not signed.

For part 2, the thread you referred to has already the answers, no need to repeat them here again.

For part 1, are you asking how to sign an OVA that you export? Because I don't see an Export dialog, I see an Import dialog.

[dry]

I'm also interested in / if

1. Vbox now allows to sign ova (or ovf..) files automatically, without you going through some console external tools such as openssl, etc. and then packaging ova files yourself
2. If Vbox appliance import actually checks ova / ovf provided been signed. (I never seen such, and I've imported few of my own un-signed ova appliances).

[socratis]

Vbox now allows to sign ova (or ovf..) files automatically, without you going through some console external tools such as openssl, etc. and then packaging ova files yourself

I have not seen a "Sign OVA" tool, and if one is out there, I don't seem to find anything related in the documentation, maybe I'm missing something...

If Vbox appliance import actually checks ova / ovf provided been signed. (I never seen such, and I've imported few of my own un-signed ova appliances).

That is something of a great mystery I guess. We suspect that there are signed OVAs out there, but (like you) I've yet to encounter one.

[dry]

The tool you brought up, is part of VmWare software, and I have used it, but, I found no point for VBox application as it does not / did not check that ovf/ova was signed, in question.
Leaving you to do it externally / manually, which I , find, kinda pointless, to an extent.

[socratis]

dry,
I think I'm missing something...

The tool you brought up, is part of VmWare software

*I* didn't bring up anything, it was you that said:

Vbox now allows to sign ova (or ovf..) files automatically

And when I said that I haven't seen this capability in VirtualBox, you reply with a VMWare tool!

Leaving you to do it externally / manually, which I , find, kinda pointless, to an extent.

Nah... My interest in encrypting and signing OVAs (or anything else) is purely academical. I've never used it in reality, neither I plan to on my daily workflow...

[dry]

Ah sorry !

I have not seen a "Sign OVA" tool, a

Somehow I read that as I've seen the tool.. bla I'm tired today. sorry. (There is/was such tool in VmWare, but it's just not of much use using with VBox )

[UhostWguest]

The tool you brought up, is part of VmWare software, and I have used it, but, I found no point for VBox application as it does not / did not check that ovf/ova was signed, in question.
Leaving you to do it externally / manually, which I , find, kinda pointless, to an extent.

I think the point would be: for the operator to be sure that the appliance they are about to import is from a trusted source (signed). If they don't care, they bypass the notification and import anyway, but if they expect an appliance to be signed and it isn't then they know that the appliance they were about to deploy is suspect / untrusted.

[mpack]

then they know that the appliance they were about to deploy is suspect / untrusted.

Or simply - not signed, as would be expected for the vast majority of user exported OVA files I suggest.

Evidently VMWare has added the ability to sign your OVA files, but I have no idea who actually uses that feature unless it was (say) RedHat signing an official release of RHLinux downloaded from their website. I can't see Oracle for example agreeing to use their certificates to sign OVAs just because they were created in VirtualBox. Certainly I know I would get short shrift if I asked Microsoft to sign my executables because they were created in Visual Studio.

And yes, using an external sign tool to sign OVAs is exactly what would expect: it is precisely what I have to do when signing executables.

[adrelanos]

related VirtualBox bug reports:

* VirtualBox 5.1.0 and 5.1.2 fails to import digitally signed appliance (OVA file)
* Ova/Ovf Signature Verification Issue

VirtualBox bug report written just now:
create appliance signing feature or deprecate the feature (Application is not signed.)