Index: /trunk/doc/manual/en_US/man_VBoxManage-signova.xml
===================================================================
--- /trunk/doc/manual/en_US/man_VBoxManage-signova.xml	(revision 84211)
+++ /trunk/doc/manual/en_US/man_VBoxManage-signova.xml	(revision 84212)
@@ -46,4 +46,5 @@
         <arg choice="plain">--private-key-password=<replaceable>password</replaceable></arg>
       </group>
+      <arg>--digest-type=<replaceable>type</replaceable></arg>
       <group>
         <arg choice="plain">--pkcs7</arg>
@@ -91,4 +92,9 @@
       </varlistentry>
       <varlistentry>
+        <term><option>--digest-type=<replaceable>type</replaceable></option></term>
+        <listitem><para>Select the cryptographic digest algorithm to use in the
+          signing. Possible values: SHA-256 (default), SHA-512 and SHA-1.</para></listitem>
+      </varlistentry>
+      <varlistentry>
         <term><option>--pkcs7</option>, <option>--no-pkcs7</option></term>
         <listitem><para>Enables or disables (default) the creation of an additional
Index: /trunk/src/VBox/Frontends/VBoxManage/VBoxManageAppliance.cpp
===================================================================
--- /trunk/src/VBox/Frontends/VBoxManage/VBoxManageAppliance.cpp	(revision 84211)
+++ /trunk/src/VBox/Frontends/VBoxManage/VBoxManageAppliance.cpp	(revision 84212)
@@ -1999,5 +1999,5 @@
  * Performs the OVA signing, producing an in-memory cert-file.
  */
-static int doTheOvaSigning(PRTCRX509CERTIFICATE pCertificate, RTCRKEY hPrivateKey,
+static int doTheOvaSigning(PRTCRX509CERTIFICATE pCertificate, RTCRKEY hPrivateKey, RTDIGESTTYPE enmDigestType,
                            const char *pszManifestName, RTVFSFILE hVfsFileManifest,
                            bool fPkcs7, unsigned cIntermediateCerts, const char **papszIntermediateCerts,
@@ -2005,16 +2005,15 @@
 {
     /*
-     * We currently hardcode the digest algorithm to SHA-256.
+     * Instantiate the digest algorithm.
      */
-    /** @todo fall back on SHA-1 if the key is too small for SHA-256. */
+    /** @todo fall back on SHA-1 if the key is too small for SHA-256 or SHA-512? */
     PCRTASN1OBJID const pObjId  = &pCertificate->TbsCertificate.SubjectPublicKeyInfo.Algorithm.Algorithm;
     RTCRDIGEST          hDigest = NIL_RTCRDIGEST;
-    int rc = RTCrDigestCreateByType(&hDigest, RTDIGESTTYPE_SHA256);
+    int rc = RTCrDigestCreateByType(&hDigest, enmDigestType);
     if (RT_FAILURE(rc))
         return RTMsgErrorRc(rc, "Failed to create digest for %s: %Rrc", pObjId->szObjId, rc);
 
     /* Figure out the digest type name for the .cert file: */
-    RTDIGESTTYPE const enmDigestType = RTCrDigestGetType(hDigest);
-    const char        *pszDigestType;
+    const char *pszDigestType;
     switch (enmDigestType)
     {
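Review bot: The failure message after `RTCrDigestCreateByType(&hDigest, enmDigestType)` still reports only the public-key algorithm OID (`pObjId->szObjId`), so a failure does not say which digest type was requested now that the caller selects it; the requested type should be added to that message. The retained `@todo` about falling back on SHA-1 also needs stricter wording, because a fallback would sign with a weaker digest than the one chosen via `--digest-type`. It should fail or warn rather than switch silently, e.g. `/** @todo reject (do not silently downgrade) if the key is too small for the requested digest. */`. The `switch (enmDigestType)` that follows is cut off by the hunk, so whether it has cases for SHA-1 and SHA-512 cannot be confirmed from here.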
@@ -2135,4 +2134,5 @@
         { "--private-key-password",     'p', RTGETOPT_REQ_STRING },
         { "--private-key-password-file",'P', RTGETOPT_REQ_STRING },
+        { "--digest-type",              'd', RTGETOPT_REQ_STRING },
         { "--pkcs7",                    '7', RTGETOPT_REQ_NOTHING },
         { "--no-pkcs7",                 'n', RTGETOPT_REQ_NOTHING },
@@ -2148,15 +2148,15 @@
     AssertRCReturn(rc, RTEXITCODE_FAILURE);
 
-    const char *pszOva              = NULL;
-    const char *pszCertificate      = NULL;
-    const char *pszPrivateKey       = NULL;
-    Utf8Str     strPrivateKeyPassword;
-    bool        fPkcs7              = false;
-    unsigned    cIntermediateCerts  = 0;
-    const char *apszIntermediateCerts[32];
-    bool        fReSign             = false;
-    unsigned    iVerbosity          = 1;
-
-    bool        fDryRun             = false;
+    const char     *pszOva              = NULL;
+    const char     *pszCertificate      = NULL;
+    const char     *pszPrivateKey       = NULL;
+    Utf8Str         strPrivateKeyPassword;
+    RTDIGESTTYPE    enmDigestType       = RTDIGESTTYPE_SHA256;
+    bool            fPkcs7              = false;
+    unsigned        cIntermediateCerts  = 0;
+    const char     *apszIntermediateCerts[32];
+    bool            fReSign             = false;
+    unsigned        iVerbosity          = 1;
+    bool            fDryRun             = false;
 
     int c;
@@ -2189,4 +2189,18 @@
                 return rcExit;
             }
+
+            case 'd':
+                if (   RTStrICmp(ValueUnion.psz, "sha1") == 0
+                    || RTStrICmp(ValueUnion.psz, "sha-1") == 0)
+                    enmDigestType = RTDIGESTTYPE_SHA1;
+                else if (   RTStrICmp(ValueUnion.psz, "sha256") == 0
+                         || RTStrICmp(ValueUnion.psz, "sha-256") == 0)
+                    enmDigestType = RTDIGESTTYPE_SHA256;
+                else if (   RTStrICmp(ValueUnion.psz, "sha512") == 0
+                         || RTStrICmp(ValueUnion.psz, "sha-512") == 0)
+                    enmDigestType = RTDIGESTTYPE_SHA512;
+                else
+                    return RTMsgErrorExitFailure("Unknown digest type: %s", ValueUnion.psz);
+                break;
 
             case '7':
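Review bot: `case 'd'` accepts `sha1`/`sha-1` with no diagnostic, although SHA-1 is no longer collision-resistant and a signature over a SHA-1 digest gives weaker integrity assurance for the OVA than the SHA-256 default. A warning at selection time would make that choice visible in build logs and scripts, for example `RTMsgWarning("SHA-1 is deprecated for signing; prefer SHA-256 or SHA-512");` after the assignment (that branch then needs braces). The `Unknown digest type: %s` error could also list the accepted spellings so the user can correct the option without consulting the manual. The enclosing switch and option loop begin and end outside this hunk.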
@@ -2282,7 +2296,6 @@
              */
             RTVFSFILE hVfsFileSignature = NIL_RTVFSFILE;
-            rc = doTheOvaSigning(&Certificate, hPrivateKey, strManifestName.c_str(), hVfsFileManifest,
-                                 fPkcs7, cIntermediateCerts, apszIntermediateCerts,
-                                 &ErrInfo, &hVfsFileSignature);
+            rc = doTheOvaSigning(&Certificate, hPrivateKey, enmDigestType, strManifestName.c_str(), hVfsFileManifest,
+                                 fPkcs7, cIntermediateCerts, apszIntermediateCerts, &ErrInfo, &hVfsFileSignature);
 
             /*
