Index: /trunk/doc/manual/en_US/man_VBoxManage-signova.xml
===================================================================
--- /trunk/doc/manual/en_US/man_VBoxManage-signova.xml	(revision 84263)
+++ /trunk/doc/manual/en_US/man_VBoxManage-signova.xml	(revision 84264)
@@ -93,18 +93,23 @@
       <varlistentry>
         <term><option>--digest-type=<replaceable>type</replaceable></option></term>
-        <listitem><para>Select the cryptographic digest algorithm to use in the
-          signing. Possible values: SHA-256 (default), SHA-512 and SHA-1.</para></listitem>
+        <listitem>
+          <para>Select the cryptographic digest algorithm to use in the
+            signing. Possible values: SHA-256 (default), SHA-512 and SHA-1.</para>
+          <para>Some older versions of OVFTool and other VMware produces may
+            require <option>--digest-type=sha-1</option> to accept the OVA.</para>
+          </listitem>
       </varlistentry>
       <varlistentry>
         <term><option>--pkcs7</option>, <option>--no-pkcs7</option></term>
-        <listitem><para>Enables or disables (default) the creation of an additional
-          PKCS#7 signature.</para></listitem>
+        <listitem><para>Enables or disables the creation of an additional
+          PKCS#7/CMS signature.  This is enabled by default.</para></listitem>
       </varlistentry>
       <varlistentry>
         <term><option>--intermediate-cert=<replaceable>file</replaceable></option></term>
         <listitem><para>File containing an intermediary certificate that should be
-          included in the optional PKCS#7 signature.  Like the others, the file can
+          included in the optional PKCS#7/CMS signature.  Like the others, the file can
           either be in PEM or DER format.  This option can be repeated to add
-          multiple intermediate certificates.</para></listitem>
+          multiple intermediate certificates.  This option implies the
+          <option>--pkcs7</option> option.</para></listitem>
       </varlistentry>
       <varlistentry>
@@ -113,15 +118,13 @@
           behaviour is to fail if the OVA is already signed.</para></listitem>
       </varlistentry>
-
+      <varlistentry>
+        <term><option>--dry-run</option></term>
+        <listitem><para>Do not actually modify the OVA, just test-run the signing operation.</para></listitem>
+      </varlistentry>
       <varlistentry>
         <term><option>-v</option>, <option>--verbose</option>, <option>-q</option>, <option>--quiet</option></term>
         <listitem><para>Controls the verbositity of the command execution.  The
-          <option>--verbose</option> can be used multiple times to get more output.
+          <option>--verbose</option> option can be used multiple times to get more output.
           </para></listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><option>--out-cert</option>, <option>--dry-run</option></term>
-        <listitem><para>Debugging options that could be removed at any time.</para></listitem>
       </varlistentry>
     </variablelist>
Index: /trunk/src/VBox/Frontends/VBoxManage/VBoxManageAppliance.cpp
===================================================================
--- /trunk/src/VBox/Frontends/VBoxManage/VBoxManageAppliance.cpp	(revision 84263)
+++ /trunk/src/VBox/Frontends/VBoxManage/VBoxManageAppliance.cpp	(revision 84264)
@@ -1841,5 +1841,5 @@
     if (iVerbosity >= 2)
         RTMsgInfo("Scanning OVA '%s' for a manifest and signature...", pszOva);
-    enum { kScanning, kSeenManifest, kSeenSignature } enmState = kScanning;
+    char *pszSignatureName = NULL;
     for (;;)
     {
@@ -1871,11 +1871,12 @@
             && (enmType == RTVFSOBJTYPE_IO_STREAM || enmType == RTVFSOBJTYPE_FILE))
         {
-            if (   enmState >= kSeenManifest
-                || *phVfsManifest != NIL_RTVFSFILE /* paranoia */)
+            if (*phVfsManifest != NIL_RTVFSFILE)
                 rc = RTMsgErrorRc(VERR_DUPLICATE, "OVA contains multiple manifests! first: %s  second: %s",
                                   pStrManifestName->c_str(), pszName);
+            else if (pszSignatureName)
+                rc = RTMsgErrorRc(VERR_WRONG_ORDER, "Unsupported OVA file ordering! Signature file ('%s') as succeeded by '%s'.",
+                                  pszSignatureName, pszName);
             else
             {
-                enmState = kSeenManifest;
                 if (iVerbosity >= 2)
                     RTMsgInfo("Found manifest file: %s", pszName);
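Review bot: The new VERR_WRONG_ORDER message in the `else if (pszSignatureName)` branch reads "as succeeded by", which looks like a typo for "is succeeded by". The identical string is added a second time in the trailing `else if (pszSignatureName)` branch of the next hunk. Suggested wording for both: `"Unsupported OVA file ordering! Signature file ('%s') is followed by '%s'."`. Because the text is now duplicated, a shared format constant or small static helper would keep the two copies from drifting. The enclosing loop body starts and ends outside this hunk.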
@@ -1898,18 +1899,19 @@
                  && (enmType == RTVFSOBJTYPE_IO_STREAM || enmType == RTVFSOBJTYPE_FILE))
         {
-            if (   enmState >= kSeenSignature
-                || *phVfsOldSignature != NIL_RTVFSOBJ /* paranoia */)
+            if (*phVfsOldSignature != NIL_RTVFSOBJ)
                 rc = RTMsgErrorRc(VERR_WRONG_ORDER, "Multiple signature files! (%s)", pszName);
             else
             {
-                enmState = kSeenSignature;
                 if (iVerbosity >= 2)
                     RTMsgInfo("Found existing signature file: %s", pszName);
+                pszSignatureName   = pszName;
                 *phVfsOldSignature = hVfsObj;
+                pszName = NULL;
                 hVfsObj = NIL_RTVFSOBJ;
             }
         }
-        else if (enmState >= kSeenManifest)
-            rc = RTMsgErrorRc(VERR_WRONG_ORDER, "Invalid OVA file ordering! (%s)", pszName);
+        else if (pszSignatureName)
+            rc = RTMsgErrorRc(VERR_WRONG_ORDER, "Unsupported OVA file ordering! Signature file ('%s') as succeeded by '%s'.",
+                              pszSignatureName, pszName);
 
         /*
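Review bot: The pair `pszSignatureName = pszName;` and `pszName = NULL;` transfers ownership of the entry name, and that hand-off deserves a comment such as `/* pszSignatureName now owns the string; released with RTStrFree() before returning. */`. The matching `RTStrFree(pszSignatureName);` is added just before the final `return rc;` in the following hunk, so any earlier `return` in the part of the function not shown here would leak the string; it is worth confirming there is none. Separately, `"Multiple signature files! (%s)"` still names only the second file, although the first is now available. Something like `"Multiple signature files! first: %s  second: %s"` with `pszSignatureName, pszName` would match the duplicate-manifest message.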
@@ -1929,6 +1931,8 @@
     else if (RT_SUCCESS(rc) && *phVfsOldSignature != NIL_RTVFSOBJ && !fReSign)
         rc = RTMsgErrorRc(VERR_ALREADY_EXISTS,
-                          "The OVA is already signed! (Use the --force option to force re-signing it.)");
-
+                          "The OVA is already signed ('%s')! (Use the --force option to force re-signing it.)",
+                          pszSignatureName);
+
+    RTStrFree(pszSignatureName);
     return rc;
 }
@@ -1943,7 +1947,10 @@
  * following the .cert file in that case.
  */
-static int updateTheOvaSignature(RTVFSFSSTREAM hVfsFssOva, const char *pszOva,
-                                 const char *pszSignatureName, RTVFSFILE hVfsFileSignature, RTVFSOBJ hVfsOldSignature)
+static int updateTheOvaSignature(RTVFSFSSTREAM hVfsFssOva, const char *pszOva, const char *pszSignatureName,
+                                 RTVFSFILE hVfsFileSignature, RTVFSOBJ hVfsOldSignature, unsigned iVerbosity)
 {
+    if (iVerbosity > 1)
+        RTMsgInfo("Writing '%s' to the OVA...", pszSignatureName);
+
     /*
      * Truncate the file at the old signature, if present.
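Review bot: The new `iVerbosity` parameter is not described in the function's doc comment, whose tail is visible just above the signature (the rest lies outside the hunk). If that block lists parameters, add `@param iVerbosity The verbosity level; a progress message is printed when above 1.` The check is also written `iVerbosity > 1` here, while the scanning code earlier in this diff uses `iVerbosity >= 2` for the same level. Settling on one spelling would make the thresholds easier to search for.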
@@ -2129,5 +2136,6 @@
                         {
                             if (iVerbosity > 1)
-                                RTMsgInfo("Created PKCS#7/CMS signature: %zu bytes.", cbResult);
+                                RTMsgInfo("Created PKCS#7/CMS signature: %zu bytes, %s.",
+                                          cbResult, RTCrDigestTypeToName(enmDigestType));
 
                             /*
@@ -2176,4 +2184,5 @@
     }
 
+    /** @todo Use SHA-3 instead, better diversity. @bugref{9734} */
     RTDIGESTTYPE enmPkcs7DigestType;
     if (   enmDigestType == RTDIGESTTYPE_SHA1
@@ -2244,4 +2253,7 @@
                 if (RT_SUCCESS(rc))
                 {
+                    if (iVerbosity > 1)
+                        RTMsgInfo("Created OVA signature: %zu bytes, %s", cbSignature, RTCrDigestTypeToName(enmDigestType));
+
                     /*
                      * Verify the signature using the certificate to make sure we've
@@ -2253,6 +2265,6 @@
                     if (RT_SUCCESS(rc))
                     {
-                        if (iVerbosity > 0)
-                            RTMsgInfo("Created OVA signature: %zu bytes, %s", cbSignature, RTCrDigestTypeToName(enmDigestType));
+                        if (iVerbosity > 2)
+                            RTMsgInfo("  Successfully decoded and verified the OVA signature.\n");
 
                         /*
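Review bot: The added `RTMsgInfo("  Successfully decoded and verified the OVA signature.\n");` ends with an explicit `\n`, unlike every other `RTMsgInfo` call touched by this commit. Depending on how RTMsgInfo treats a trailing newline, this may print a stray blank line. Suggest `RTMsgInfo("  Successfully decoded and verified the OVA signature.");`. The confirmation of the self-verification now appears only at `iVerbosity > 2`, so at lower levels nothing in this hunk reports that the check ran. The enclosing block continues outside the hunk.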
@@ -2331,5 +2343,7 @@
         { "--digest-type",              'd', RTGETOPT_REQ_STRING },
         { "--pkcs7",                    '7', RTGETOPT_REQ_NOTHING },
+        { "--cms",                      '7', RTGETOPT_REQ_NOTHING },
         { "--no-pkcs7",                 'n', RTGETOPT_REQ_NOTHING },
+        { "--no-cms",                   'n', RTGETOPT_REQ_NOTHING },
         { "--intermediate-cert-file",   'i', RTGETOPT_REQ_STRING },
         { "--force",                    'f', RTGETOPT_REQ_NOTHING },
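Review bot: The new `--cms` and `--no-cms` aliases are not mentioned in the man_VBoxManage-signova.xml hunk of this same commit, which still lists only `--pkcs7` and `--no-pkcs7`. Either extend the `<term>` line, e.g. `<option>--pkcs7</option>, <option>--cms</option>, <option>--no-pkcs7</option>, <option>--no-cms</option>`, or comment the two entries as intentionally undocumented aliases. The visible table entry is also spelled `--intermediate-cert-file`, while the manual documents `--intermediate-cert=file`. Unless an entry outside this hunk covers the shorter spelling, the documented form may be rejected. The option table starts and ends outside the hunk.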
@@ -2348,5 +2362,5 @@
     Utf8Str         strPrivateKeyPassword;
     RTDIGESTTYPE    enmDigestType       = RTDIGESTTYPE_UNKNOWN;
-    bool            fPkcs7              = false;
+    bool            fPkcs7              = true;
     unsigned        cIntermediateCerts  = 0;
     const char     *apszIntermediateCerts[32];
@@ -2412,4 +2426,5 @@
                                                  RT_ELEMENTS(apszIntermediateCerts));
                 apszIntermediateCerts[cIntermediateCerts++] = ValueUnion.psz;
+                fPkcs7 = true;
                 break;
 
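Review bot: Setting `fPkcs7 = true;` inside the `'i'` case makes the outcome depend on argument order. Assuming the `'n'` case simply clears the flag, `--no-pkcs7` followed by an intermediate certificate silently re-enables the PKCS#7/CMS signature, while the reverse order leaves it disabled with the collected certificates unused. Since `fPkcs7` now defaults to true, the assignment only has an effect after an explicit `--no-pkcs7`, which is exactly the conflicting case. Consider dropping it and rejecting the combination once parsing is done, with a check such as `if (!fPkcs7 && cIntermediateCerts > 0)` that reports a syntax error, or at least add a comment stating the intended precedence. The enclosing switch starts and ends outside the hunk.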
@@ -2508,5 +2523,8 @@
                      * Update the OVA.
                      */
-                    rc = updateTheOvaSignature(hVfsFssOva, pszOva, strSignatureName.c_str(), hVfsFileSignature, hVfsOldSignature);
+                    rc = updateTheOvaSignature(hVfsFssOva, pszOva, strSignatureName.c_str(),
+                                               hVfsFileSignature, hVfsOldSignature, iVerbosity);
+                    if (RT_SUCCESS(rc) && iVerbosity > 0)
+                        RTMsgInfo("Successfully signed '%s'.", pszOva);
                 }
             }
