
Default hashing algorithm changed in OVFTool 4.2 preventing OVF/OVA import using vSphere C# Client

11.18.2016 by William Lam // 11 Comments

After upgrading my home lab recently to vSphere 6.5, I also updated some of the related utilities such as the various SDKs and CLIs. One of the CLIs that I had updated was OVFTool, which is now at version 4.2. I use OVFTool extensively to automate various Virtual Machine deployments (import/export). While testing out a new OVA that I had been working on, I needed to verify that it also worked with previous releases of vSphere like vSphere 6.0 Update 2. I happened to have the vSphere C# Client open and connected to a vCenter Server, and when I tried to import the newly created OVA, it failed with the following error message:

The following manifest file entry(line1) is invalid: SHA256

I was pretty surprised by this since I went through this exact same workflow a couple of days ago without any problems. The only change that had happened was OVFTool, and the error seems to indicate an issue with the hashing algorithm. I ran OVFTool again using just the --help option to check what the default SHA hashing algorithm was, and it was SHA256. I then compared that to an older version of OVFTool and it looks like the default had changed from SHA1 to SHA256.

From a security standpoint, this is a positive change, as SHA1 is no longer considered a secure hashing algorithm and a stronger version should be used. It also turns out that the vSphere C# Client can only support SHA1, which is why I received the error after upgrading to the new version of OVFTool. Luckily, this is NOT a problem when using the vSphere Web Client or the vSphere HTML5 Client and only affects the vSphere C# Client. If you do need to use the vSphere C# Client for importing OVF/OVAs exported from the latest version of OVFTool, the workaround is quite simple: override the default hashing algorithm when exporting by adding the following CLI option:

--shaAlgorithm=sha1


Categories // OVFTool, vSphere Web Client Tags // ova, ovf, ovftool, sha1, sha256

Comments

  1. Ionuţ-Dan Nica says

    11/18/2016 at 2:45 pm

    Oh how I wish export-vapp would have a -shaalgoritm parameter

    Reply
    • William Lam says

      11/19/2016 at 7:13 am

      Thanks for the feedback, I'll be sure to share this with the PowerCLI PM as I agree, that would be a useful feature to include since OVFTool has offered this for some time.

      Reply
  2. Jon Hemming says

    04/06/2017 at 8:56 pm

    Curious .... is SHA1 completely disabled in the vSphere 6.5 web client (either or)?

    From a packaging standpoint, it might be good for vendors to package an OVA/OVF under SHA1 and SHA256 for those who want to use specific clients/interfaces.

    Reply
    • Prabhu says

      05/13/2017 at 1:06 pm

      Is there any way to have SHA1 and SHA256 signature values in the .mf file?

      Reply
      • Jon Hemming says

        06/14/2017 at 6:59 am

        Not that I'm aware of. The manifest is really just like a checksum file and has a single checksum per file.

        Reply
  3. mdiehn says

    06/09/2017 at 4:01 pm

    For all us Linux-only admins out here, for whom the WebUI can't have the plugins that allow OVF deployment to work, I offer this, which worked for me:

    1. Use tar to unpack the ova.
    2. Use sha1sum to calculate the sha1 checksums for the files listed in the .mf file ...
    3. ... and replace the lines in the .mf with ones using the sha1sums you calculated.

    Reply
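Steps 2 and 3 of the comment above, as an added example that is not part of the original post or comment. Recomputing digests over whatever is on disk would also accept a corrupted or altered disk image, so this sketch first checks every file against the existing SHA256 manifest and only then writes the SHA1 one. It assumes GNU coreutils (`sha256sum`, `sha1sum`), an already unpacked OVA, and manifest lines of the form `SHA256(name)= digest`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the post). Manifest line format assumed:
#   SHA256(filename)= hexdigest

# verify_sha256_manifest DIR MF: succeed only if every listed file matches.
verify_sha256_manifest() {
    dir=$1; mf=$2; seen=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')
        [ -n "$line" ] || continue
        case $line in
            'SHA256('*')= '*) ;;
            *) echo "unexpected manifest line: $line" >&2; return 2 ;;
        esac
        name=${line#'SHA256('}; name=${name%%')= '*}
        want=$(printf '%s' "${line##*')= '}" | tr 'A-F' 'a-f')
        # Refuse entries that point outside the unpacked directory.
        case $name in */*) echo "path in manifest: $name" >&2; return 2 ;; esac
        got=$(sha256sum < "$dir/$name" | cut -d' ' -f1)
        # An empty digest (missing file) must never count as a match.
        [ -n "$got" ] && [ "$got" = "$want" ] || { echo "MISMATCH: $name" >&2; return 1; }
        seen=$((seen + 1))
    done < "$mf"
    [ "$seen" -gt 0 ]
}

# write_sha1_manifest DIR MF OUT: emit SHA1 lines for the same files.
write_sha1_manifest() {
    dir=$1; mf=$2; out=$3
    # A .cert file signs the manifest; rewriting it would break the signature.
    for c in "$dir"/*.cert; do
        if [ -e "$c" ]; then echo "signed package: $c" >&2; return 3; fi
    done
    verify_sha256_manifest "$dir" "$mf" || return
    tmp="$out.tmp.$$"; : > "$tmp"
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')
        [ -n "$line" ] || continue
        name=${line#'SHA256('}; name=${name%%')= '*}
        sum=$(sha1sum < "$dir/$name" | cut -d' ' -f1)
        printf 'SHA1(%s)= %s\n' "$name" "$sum" >> "$tmp"
    done < "$mf"
    mv "$tmp" "$out"
}

# Usage: sh mf-to-sha1.sh UNPACKED_DIR old.mf new.mf
if [ "$#" -eq 3 ]; then write_sha1_manifest "$@"; fi
```

Keep the original SHA256 manifest alongside the package so the stronger digests remain available for later verification.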
  4. Saleem says

    09/25/2017 at 6:49 am

    Thanks for the article.
    I have an ova generated with vCenter 5.5
    Now I could not deploy it with vCenter web client 6.5 version with Checksum error.
    "The checksum from the provided manifest files not match the content of the file(s) my.ovf"

    Reply
  5. Manish says

    10/26/2017 at 5:22 am

    Hi William,

    Seems like you use ovftool significantly. I have this small problem with the tool.
    When I run the ovftool --help config I expect it to print the help contents & along with that the local configuration should be read & printed. But it always says no local configuration found. I have the .ovftool file created in my current directory. Any idea what could be the problem...?

    Reply
  6. Jeremy says

    02/11/2018 at 1:29 am

    Thank you, very helpful!

    Reply
  7. Stuart Bolton says

    07/24/2018 at 1:04 pm

    I ran into this while attempting to transfer an OVF from a 6.5 web-client environment to a 5.5 thick-client environment. All I had to do was rename/delete the old .mf manifest file, and then recreate it by running:
    openssl sha1 myvmname-1.vmdk myvmname.ovf > myvmname.mf

    Reply
  8. Aleks says

    08/04/2019 at 5:30 pm

    Thanks man, it helped me 🙂

    Reply


Author

William Lam is a Senior Staff Solution Architect working in the VMware Cloud team within the Cloud Infrastructure Business Group (CIBG) at VMware. He focuses on Cloud Native technologies, Automation, Integration and Operation for the VMware Cloud based Software Defined Datacenters (SDDC)
