How to sign ova appliance? - application is not signed.

adrelanos
Posts: 22
Joined: 9. Sep 2018, 09:48

How to sign ova appliance? - application is not signed.

Post by adrelanos »

Says application is not signed. See screenshot below.

Image

I am creating appliances, i.e. ova images and would like to sign them. How to do that?

Related things I found but didn't answer this:
- viewtopic.php?f=8&t=80888
- https://www.virtualbox.org/ticket/15666
socratis
Site Moderator
Posts: 27330
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: How to sign ova appliance? - application is not signed.

Post by socratis »

The thread title has two different parts in it: 1) How to sign an OVA, 2) What you're trying to import is not signed.

For part 2, the thread you referred to already has the answers, no need to repeat them here again.

For part 1, are you asking how to sign an OVA that you export? Because I don't see an Export dialog, I see an Import dialog.
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
dry
Posts: 45
Joined: 6. Aug 2019, 14:27
Primary OS: Fedora other
VBox Version: OSE other
Guest OSses: Linux

Re: How to sign ova appliance? - application is not signed.

Post by dry »

I'm also interested in / if

1. Vbox now allows to sign ova (or ovf..) files automatically, without you going through some console external tools such as openssl, etc. and then packaging ova files yourself
2. If Vbox appliance import actually checks that the ova / ovf provided has been signed. (I've never seen such, and I've imported a few of my own un-signed ova appliances).
socratis
Site Moderator
Posts: 27330
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: How to sign ova appliance? - application is not signed.

Post by socratis »

dry wrote: Vbox now allows to sign ova (or ovf..) files automatically, without you going through some console external tools such as openssl, etc. and then packaging ova files yourself

I have not seen a "Sign OVA" tool, and if one is out there, I don't seem to find anything related in the documentation, maybe I'm missing something...

dry wrote: If Vbox appliance import actually checks that the ova / ovf provided has been signed. (I've never seen such, and I've imported a few of my own un-signed ova appliances).

That is something of a great mystery I guess. We suspect that there are signed OVAs out there, but (like you) I've yet to encounter one.
dry
Posts: 45
Joined: 6. Aug 2019, 14:27
Primary OS: Fedora other
VBox Version: OSE other
Guest OSses: Linux

Re: How to sign ova appliance? - application is not signed.

Post by dry »

The tool you brought up is part of VMware software, and I have used it, but I found no point for VBox application as it does not / did not check that the ovf/ova in question was signed.
Leaving you to do it externally / manually, which I find kinda pointless, to an extent.
socratis
Site Moderator
Posts: 27330
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: How to sign ova appliance? - application is not signed.

Post by socratis »

dry,
I think I'm missing something...
dry wrote: The tool you brought up is part of VMware software

*I* didn't bring up anything, it was you that said:

dry wrote: Vbox now allows to sign ova (or ovf..) files automatically

And when I said that I haven't seen this capability in VirtualBox, you reply with a VMware tool!

dry wrote: Leaving you to do it externally / manually, which I find kinda pointless, to an extent.

Nah... My interest in encrypting and signing OVAs (or anything else) is purely academic. I've never used it in reality, nor do I plan to in my daily workflow...
dry
Posts: 45
Joined: 6. Aug 2019, 14:27
Primary OS: Fedora other
VBox Version: OSE other
Guest OSses: Linux

Re: How to sign ova appliance? - application is not signed.

Post by dry »

Ah sorry !
I have not seen a "Sign OVA" tool, a
Somehow I read that as I've seen the tool.. bla I'm tired today. sorry. (There is/was such tool in VmWare, but it's just not of much use using with VBox )
UhostWguest
Posts: 3
Joined: 7. Feb 2019, 17:59

Re: How to sign ova appliance? - application is not signed.

Post by UhostWguest »

dry wrote: The tool you brought up is part of VMware software, and I have used it, but I found no point for VBox application as it does not / did not check that the ovf/ova in question was signed.
Leaving you to do it externally / manually, which I find kinda pointless, to an extent.

I think the point would be: for the operator to be sure that the appliance they are about to import is from a trusted source (signed). If they don't care, they bypass the notification and import anyway, but if they expect an appliance to be signed and it isn't then they know that the appliance they were about to deploy is suspect / untrusted.
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: How to sign ova appliance? - application is not signed.

Post by mpack »

UhostWguest wrote: then they know that the appliance they were about to deploy is suspect / untrusted.

Or simply - not signed, as would be expected for the vast majority of user exported OVA files I suggest.

Evidently VMWare has added the ability to sign your OVA files, but I have no idea who actually uses that feature unless it was (say) RedHat signing an official release of RHLinux downloaded from their website. I can't see Oracle for example agreeing to use their certificates to sign OVAs just because they were created in VirtualBox. Certainly I know I would get short shrift if I asked Microsoft to sign my executables because they were created in Visual Studio.

And yes, using an external sign tool to sign OVAs is exactly what I would expect: it is precisely what I have to do when signing executables.
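
For anyone who wants to check an appliance outside the import dialog, here is an added example (not from any poster in this thread and not VirtualBox code) that opens an OVA as the tar archive it is, recomputes the digests listed in its `.mf` manifest, and reports whether a `.cert` member is present at all. The file names and contents are constructed samples; the `ALGO(file)= hex` manifest layout follows the OVF packaging format.

```python
import hashlib, io, re, tarfile

# Manifest line, e.g. "SHA256(demo.ovf)= <hex>"; optional space before "(" is tolerated.
MF_LINE = re.compile(r"^(SHA1|SHA256|SHA512)\s*\((.+)\)\s*=\s*([0-9a-fA-F]+)\s*$")

def check_ova(ova_bytes):
    """Return (has_cert, results): is a .cert member present, and digest status per file."""
    members = {}
    with tarfile.open(fileobj=io.BytesIO(ova_bytes)) as tar:
        for m in tar.getmembers():
            if m.isfile():
                members[m.name] = tar.extractfile(m).read()
    has_cert = any(n.endswith(".cert") for n in members)
    mf_names = [n for n in members if n.endswith(".mf")]
    if not mf_names:
        return has_cert, {}              # no manifest: nothing to verify against
    results = {}
    for line in members[mf_names[0]].decode().splitlines():
        m = MF_LINE.match(line)
        if not m:
            continue
        algo, name, want = m.groups()
        if name not in members:
            results[name] = "missing"    # listed in the manifest but not in the archive
            continue
        got = hashlib.new(algo.lower(), members[name]).hexdigest()
        results[name] = "ok" if got == want.lower() else "mismatch"
    return has_cert, results

def build_ova(files):
    """Pack a dict of name -> bytes into an in-memory tar (constructed sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample: a tiny fake appliance with a manifest and no certificate.
ovf, disk = b"<Envelope/>", b"fake disk contents"
mf = ("SHA256(demo.ovf)= %s\nSHA256(demo-disk1.vmdk)= %s\n"
      % (hashlib.sha256(ovf).hexdigest(), hashlib.sha256(disk).hexdigest())).encode()
GOOD = build_ova({"demo.ovf": ovf, "demo.mf": mf, "demo-disk1.vmdk": disk})
TAMPERED = build_ova({"demo.ovf": ovf, "demo.mf": mf, "demo-disk1.vmdk": disk + b"!"})

if __name__ == "__main__":
    for label, blob in (("good", GOOD), ("tampered", TAMPERED)):
        print(label, check_ova(blob))
```

Matching digests only show the files agree with the manifest shipped alongside them; whoever can change the disk can also rewrite the manifest. Knowing who produced the appliance requires verifying the signature in the `.cert` file against a certificate you already trust, which this example does not do.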