Opened 5 years ago
#19440 new defect
OVF import fails due to incorrect validation of SHA256 digests
| Reported by: | radnaj | Owned by: | |
|---|---|---|---|
| Component: | OVF | Version: | VirtualBox 6.1.4 |
| Keywords: | ovc, hash, sha256 | Cc: | |
| Guest type: | all | Host type: | Linux |
Description
When importing a virtual machine (VM) from .ovf file that is accompanied by a .mf file that specifies file integrity hashes using SHA256, the importer (both fom the GUI or using VBoxManage) check the integrity of the files as part of the import process.
Specifically, the file I am seeing the issues is the hard drive of the VM, provided in VMDK format. The importer exits with an error indicating that the digest of the VMDK file does not match the one in the .mf file, but using tools such as sha256 sum I see that the hash does match (see output below).
$ VBoxManage import ~/vms/testvm0146.ovf
(...snip...)
0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...
Progress state: VBOX_E_FILE_ERROR
VBoxManage: error: Appliance import failed
VBoxManage: error: Digest mismatch (VERR_NOT_EQUAL): Attribute 'SHA256' on
'testvm0146-0.vmdk' does not match
('03d3ec55ec53133041967054525ca1fbf8714208f9be242219e85a24f0745de9' vs.
'19ffb23de176d73835fe3528d5b4e5a5aac3c15b5e83fc7732f888c6c2d47f9d')
VBoxManage: error: Details: code VBOX_E_FILE_ERROR (0x80bb0004), component
ApplianceWrap, interface IAppliance
VBoxManage: error: Context: "RTEXITCODE handleImportAppliance(HandlerArg*)" at
line 1118 of file VBoxManageAppliance.cpp
However, sha256sum gives the following output:
$ sha256sum ~/vms/testvm0146-0.vmdk 03d3ec55ec53133041967054525ca1fbf8714208f9be242219e85a24f0745de9 /home/me/vms/testvm0146-0.vmdk
Additionally, sha246deep also provides the same hash:
$ sha256deep ~/vms/testvm0146-0.vmdk 03d3ec55ec53133041967054525ca1fbf8714208f9be242219e85a24f0745de9 /home/me/vms/testvm0146-0.vmdk
The contents of the testvm0146.mf file are:
$ cat ~/vms/testvm0146.mf SHA256(testvm0146-0.vmdk)= 03d3ec55ec53133041967054525ca1fbf8714208f9be242219e85a24f0745de9 SHA256(testvm0146-1.nvram)= 4615577454b8ea7c464f4aee064936e48db52ddb08f23e9ea74ade5e12fce8ce SHA256(testvm0146.ovf)= 7cbaf2f6dc9ada576ae99ba0f5ef001432650581ad401d4312f297d2737ced49
As can be seen, the output of sha256sum and the .mf file match
(03d3ec55ec53133041967054525ca1fbf8714208f9be242219e85a24f0745de9), but for
some reason virtualbox determines the SHA256 hash to be
19ffb23de176d73835fe3528d5b4e5a5aac3c15b5e83fc7732f888c6c2d47f9d, and thus the
comparison fails.
This has been seen both in Oracle Virtualbox packages (in Ubuntu) as well as Debian-packaged virtualbox (in Debian), which suggests the issue is probably upstream in virtualbox.
