VMware Cloud Community
bintian
Contributor

Does anyone know how to sign an OVA with a timestamp?

I am creating an OVA file using the VMware OVF Tool.

And I want to use a public code signing certificate, like one published by GlobalSign or Verisign.

But the current OVF Tool document does not explain how to sign with a timestamp.

So, when the public cert expires, the OVA file also expires.

This is a problem.

Ex: When using the vSphere Client to deploy an OVF template, it displays that the signing is expired.

Document

https://www.vmware.com/support/developer/ovf/ovf350/ovftool-350-userguide.pdf

Deploy an OVF Template

http://pubs.vmware.com/vsphere-4-esx-vcenter/index.jsp?topic=/com.vmware.vsphere.vmadmin.doc_41/vsp_...

Will signed code still be valid after the Code Signing Certificate expires?

The digital signature on code will not expire, when a timestamping service is used. A time stamp shows the validity of the certificate at the time the code was signed. Unless you’re adding additional code to your application, a new signature will not need to be applied even if the certificate used to initially sign the code expires. GlobalSign Code Signing Certificates include a time stamp feature.

https://www.globalsign.com/support/faq/objectfaq.php

3 Replies
imacomputa
Contributor

Does anyone have any info on this? I have the same question. How do you sign an OVF so that it will still correctly validate after the signing cert has expired? It really should not be necessary to re-roll and sign OVFs of the same versions of the same images every X years when the cert expires.

DhavalMet
Contributor

I am also looking for a solution to this. Was anyone able to achieve this?

michaelurban
Contributor

I don't know if anyone else did, but I put in a request for enhancement to the ovftool for signing today. To the best of my knowledge, the ability to use a TSA is not possible with the current version of ovftool (4.2).