VirtualBox 5.1.0 and 5.1.2 fails to import digitally signed appliance (OVA file)

[koso]

When attempting to import appliance from ova file, VBoxMAnage.exe fails with:

C:\Users\...\Downloads>"C:\Program Files\VirtualBox\VBoxManage.exe" import <path to OVA file>
0%...
Progress state: E_FAIL
VBoxManage.exe: error: Appliance read failed
VBoxManage.exe: error: Certificate path validation failed (VERR_CR_PKIX_SIGNATURE_MISMATCH, EVP_VerifyFinal failed)
VBoxManage.exe: error: Details: code E_FAIL (0x80004005), component ApplianceWrap, interface IAppliance
VBoxManage.exe: error: Context: "enum RTEXITCODE __cdecl handleImportAppliance(struct HandlerArg *)" at line 307 of file VBoxManageAppliance.cpp

Import from GUI ends with error dialog:

Failed to import appliance <path to OVA file>.

Certificate path validation failed (VERR_CR_PKIX_SIGNATURE_MISMATCH, EVP_VerifyFinal failed).

Result Code: E_FAIL (0x80004005)
Component: ApplianceWrap
Interface: IAppliance {8398f026-4add-4474-5bc3-2f9f2140b23e}

There is no relevant information in logs except:

00:40:08.764715 ApplRead ERROR [COM]: aRC=E_FAIL (0x80004005) aIID={8398f026-4add-4474-5bc3-2f9f2140b23e} aComponent={ApplianceWrap} aText={Certificate path validation failed (VERR_CR_PKIX_SIGNATURE_MISMATCH, EVP_VerifyFinal failed)}, preserve=false aResultDetail=0

I have seen the same behavior on Windows 7 x64 and Windows 10 x64. On another Windows 7 appliance import finished with information popup stating that certificate cannot be verified.

The same OVA file can be successfully imported using VirtualBox 5.0.X and software of other vendors.

Content of "*.mf":

SHA1(ERA_Appliance-disk1.vmdk)= 44f1d187daa9f6ed129381eec155ece99530bfee

and content of "*.cert":

SHA1(ERA_Appliance.mf)= 7334b00ada502ae4420c9c01ba5c6baf1809e0539a0ca74da780d00b38c89c8fedc6be81f8d8e2e4626a7e0d1e5c19dae2beaded0abde864584b4b1a8dc80294a42e92960ee40a0065a5dfb06a088b8435690475c14a828256b2137c433f868b0bb284c343e84c55c0bc609ea1269f773cbd24269e98b89a2d98332a0aad49d147f3246d47183ee9bf916a4a0b3a774afa49aa885953e1c4535199c86ac59579d07f02a34a68c466becf471cec3d3de7c46fc859740e3cb7dbc7cf8ece6afecbe2baa4072dbe8e7692e58e8a596f2a76499f7c886ab45281608c22e7e4be47da67800eba89627365febeb40bed86c01b3c1706fffc5685bda2d840c3f1c64169
-----BEGIN CERTIFICATE-----
MIIFTjCCBDagAwIBAgIQHeEN7VQdUec7xIb0kkmINjANBgkqhkiG9w0BAQUFADCB
tDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEuMCwGA1UEAxMl
VmVyaVNpZ24gQ2xhc3MgMyBDb2RlIFNpZ25pbmcgMjAxMCBDQTAeFw0xNjA0MTkw
MDAwMDBaFw0xOTA3MTkyMzU5NTlaMIGvMQswCQYDVQQGEwJTSzERMA8GA1UECBMI
U2xvdmFraWExEzARBgNVBAcTCkJyYXRpc2xhdmExGzAZBgNVBAoUEkVTRVQsIHNw
b2wuIHMgci5vLjE+MDwGA1UECxQ1RGlnaXRhbCBJRCBDbGFzcyAzIC0gTWljcm9z
b2Z0IFNvZnR3YXJlIFZhbGlkYXRpb24gdjIxGzAZBgNVBAMUEkVTRVQsIHNwb2wu
IHMgci5vLjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKW9l/iFn1Y/
BJouXaVLHs6+TlhWgZztdjUWtyuF6FHJaHk8eaU3UbtZJuKzINeg+VLdVCk1O8RN
w2P1XRoDecxb5W2m7rX4sUrBHvYY62G6KDYHxzWYqfCLNkgC8R5gpkKtYHROwg4W
HP0h+OnRBv0ojYoP8q/lNma1pTcABOQVmYVm8Rg7/NaAmqAAquk0n03Y2+y5rfh2
G2FM3xlLzjBocephZeS30ZxkUhm12TnTf9P+0ZB7j0f8V7N9ecZy8NeUaTSWmjkW
czxbwjphePpK9A4xAaca5uoNrvQV4SarnAM1iVJb+zyA/qMRhR78giyfOVQjDGoX
Q2U0XovY/HECAwEAAaOCAV0wggFZMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgeA
MCsGA1UdHwQkMCIwIKAeoByGGmh0dHA6Ly9zZi5zeW1jYi5jb20vc2YuY3JsMGEG
A1UdIARaMFgwVgYGZ4EMAQQBMEwwIwYIKwYBBQUHAgEWF2h0dHBzOi8vZC5zeW1j
Yi5jb20vY3BzMCUGCCsGAQUFBwICMBkMF2h0dHBzOi8vZC5zeW1jYi5jb20vcnBh
MBMGA1UdJQQMMAoGCCsGAQUFBwMDMFcGCCsGAQUFBwEBBEswSTAfBggrBgEFBQcw
AYYTaHR0cDovL3NmLnN5bWNkLmNvbTAmBggrBgEFBQcwAoYaaHR0cDovL3NmLnN5
bWNiLmNvbS9zZi5jcnQwHwYDVR0jBBgwFoAUz5mp6nsm9EvJjo/X8AUm7+PSp50w
HQYDVR0OBBYEFIKSJNBoZdrPFMTF6cPzFNk4c63aMA0GCSqGSIb3DQEBBQUAA4IB
AQDzz/hCjjc1kc15nqKjnFy/oiRPDhQpM+C5/bputO8q0AE0uUv17DcGuPQgbQsG
7gfDr4x2suxJfxasRBU2OKKWZfpUfuALqIC5oHviD/8UPU3gk8m+LiwgYr13i5sN
ujbBeUaa4WfzrQo+7+GvdfKPw/NpHnmrDSSRadM0AckpyhrLRqMkgVjvIz7t00Yd
AQoBhFvQTaOk/I8iIQqsQcK0qyVbdOJFnO7Wu16XNeSb0TxqFzXCsGoI0qDUCatm
1uDWPzIKL7omFDrKNxxGZhCoJAV4btgZE1Ys6NFWazUa43//lGl11f6pncXv7BQf
sIlwnYi5uqq1MvtD1mV57wWh
-----END CERTIFICATE-----

[VVP]

koso, is it still actual? would you provide your OVA package for testing? next, did this error happened only with a certain package or with other packages too? did you create OVA package by yourself or got it from somewhere? please, just for memory, put here the contents of the OVF package using tar -tvf <OVF package name> to get the list of files.

Now it's obvious that certificate validation failed somewhere with the error "Certificate path validation failed". The certificate validation\verification has very diverse and complex logic. And to say something based only on the couple lines of output is impossible.

[VVP]

Would you execute next command: "openssl verify testing.crt". And put the output here. Where i named "testing.crt" a file contains the part of your ".cert" file following after the line SHA1(ERA_Appliance.mf).
So the file will contain:

-----BEGIN CERTIFICATE-----
MIIFTjCCBDagAwIBAgIQHeEN7VQdUec7xIb0kkmINjANBgkqhkiG9w0BAQUFADCB
tDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEuMCwGA1UEAxMl
VmVyaVNpZ24gQ2xhc3MgMyBDb2RlIFNpZ25pbmcgMjAxMCBDQTAeFw0xNjA0MTkw
MDAwMDBaFw0xOTA3MTkyMzU5NTlaMIGvMQswCQYDVQQGEwJTSzERMA8GA1UECBMI
U2xvdmFraWExEzARBgNVBAcTCkJyYXRpc2xhdmExGzAZBgNVBAoUEkVTRVQsIHNw
b2wuIHMgci5vLjE+MDwGA1UECxQ1RGlnaXRhbCBJRCBDbGFzcyAzIC0gTWljcm9z
b2Z0IFNvZnR3YXJlIFZhbGlkYXRpb24gdjIxGzAZBgNVBAMUEkVTRVQsIHNwb2wu
IHMgci5vLjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKW9l/iFn1Y/
BJouXaVLHs6+TlhWgZztdjUWtyuF6FHJaHk8eaU3UbtZJuKzINeg+VLdVCk1O8RN
w2P1XRoDecxb5W2m7rX4sUrBHvYY62G6KDYHxzWYqfCLNkgC8R5gpkKtYHROwg4W
HP0h+OnRBv0ojYoP8q/lNma1pTcABOQVmYVm8Rg7/NaAmqAAquk0n03Y2+y5rfh2
G2FM3xlLzjBocephZeS30ZxkUhm12TnTf9P+0ZB7j0f8V7N9ecZy8NeUaTSWmjkW
czxbwjphePpK9A4xAaca5uoNrvQV4SarnAM1iVJb+zyA/qMRhR78giyfOVQjDGoX
Q2U0XovY/HECAwEAAaOCAV0wggFZMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgeA
MCsGA1UdHwQkMCIwIKAeoByGGmh0dHA6Ly9zZi5zeW1jYi5jb20vc2YuY3JsMGEG
A1UdIARaMFgwVgYGZ4EMAQQBMEwwIwYIKwYBBQUHAgEWF2h0dHBzOi8vZC5zeW1j
Yi5jb20vY3BzMCUGCCsGAQUFBwICMBkMF2h0dHBzOi8vZC5zeW1jYi5jb20vcnBh
MBMGA1UdJQQMMAoGCCsGAQUFBwMDMFcGCCsGAQUFBwEBBEswSTAfBggrBgEFBQcw
AYYTaHR0cDovL3NmLnN5bWNkLmNvbTAmBggrBgEFBQcwAoYaaHR0cDovL3NmLnN5
bWNiLmNvbS9zZi5jcnQwHwYDVR0jBBgwFoAUz5mp6nsm9EvJjo/X8AUm7+PSp50w
HQYDVR0OBBYEFIKSJNBoZdrPFMTF6cPzFNk4c63aMA0GCSqGSIb3DQEBBQUAA4IB
AQDzz/hCjjc1kc15nqKjnFy/oiRPDhQpM+C5/bputO8q0AE0uUv17DcGuPQgbQsG
7gfDr4x2suxJfxasRBU2OKKWZfpUfuALqIC5oHviD/8UPU3gk8m+LiwgYr13i5sN
ujbBeUaa4WfzrQo+7+GvdfKPw/NpHnmrDSSRadM0AckpyhrLRqMkgVjvIz7t00Yd
AQoBhFvQTaOk/I8iIQqsQcK0qyVbdOJFnO7Wu16XNeSb0TxqFzXCsGoI0qDUCatm
1uDWPzIKL7omFDrKNxxGZhCoJAV4btgZE1Ys6NFWazUa43//lGl11f6pncXv7BQf
sIlwnYi5uqq1MvtD1mV57wWh
-----END CERTIFICATE-----

[VVP]

on Windows platform you can use cygwin package which contains openssl. or you can try the native Windows tool for certificates. I just want to see that the certificate you provided is validated by CA.

[koso]

I have checked and certificate is valid and trusted by system. Checked it also with OpenSSL from Cygwin, but it failed because I do not have public CA certificate available in cygwin environment.

Regarding appliance file, it is not my, but it is free to download from ​http://download.eset.com/download/ra/v6/Appliances/era_appliance.ova (size ~2.5GB). Problematic version 6.4.30.0 is still available to download.

[VVP]

I have downloaded the package from here ​http://download.eset.com/download/ra/v6/Appliances/era_appliance.ova. Run import procedure on Windows7 x64, the OVA package has been imported successfully via GUI.

Odd, but you couldn't have run the import procedure from the console as it was shown in the first example "C:\Users\...\Downloads>"C:\Program Files\VirtualBox\VBoxManage.exe" import <path to OVA file> 0%..." There is the license agreement inside the OVA package era_appliance.ova and user must agree with one before starting the procedure but it's not possible from CLI.

I can't confirm that your example is correct and relevant.

Using the command line utility "VBoxManage import era_appliance.ova" the import had failed due to the presence of the license agreement inside OVA package as i mentioned. It's normal. User is able to agree with the license only from GUI. Again there wasn't such error as you described.

[koso]

Thanks for testing it - at least I know that ova file is not corrupted and problem is somewhere on my machine.

I have checked VirtualBox sources and there is only one place where error code VERR_CR_PKIX_SIGNATURE_MISMATCH is used - and it seems for some reason, validation fails on cryptographic checks and not in building CA path.

Regarding VBoxManage: I actually never tried it to import ova file and I posted it here only to demonstrate that it also fails -> error shows up even before basic OVA file information/metadata is shown (name, version, vendor).

Any idea what could possibly interfere with signature verification?

[richbostock]

I had the same issue with the latest version of the same. Only thoughts are that i have cygwin installed and this came up with the following error:

$ openssl verify ERA_Appliance.cert ERA_Appliance.cert: C = SK, ST = Slovakia, L = Bratislava, O = "ESET, spol. s r. o.", OU = Digital ID Class 3 - Microsoft Software Validation v2, CN = "ESET, spo l. s r.o." error 20 at 0 depth lookup:unable to get local issuer certificate

My workaround was to extract the OVA using 7Zip and then rename the cert file so that it didn't pay any attention to it on import. However it is concerning that I had to do this.

[adrelanos]

Is this issue still reproducible?