Verify Azure marketplace image signature for Cloud Volumes ONTAP on Linux

Contributors netapp-manini netapp-driley

Verification of an exported VHD file signature on Linux includes validating the chain of trust, editing the file, and verifying the signature.

Steps
  1. Download the Azure image file from the NetApp Support Site and extract the digest (.sig) file, public key certificate (.pem) file, and chain certificate (.pem) file.

    Refer to Download the Azure image digest file for more information.

  2. Verify the chain of trust.

    % openssl verify -CAfile Certificate-Chain-9.15.0P1_azure.pem Certificate-9.15.0P1_azure.pem
    Certificate-9.15.0P1_azure.pem: OK
  3. Remove 1 MB (1,048,576 bytes) at the beginning and 512 bytes at the end of the VHD file. With tail, the -c +K option outputs bytes starting from the Kth byte of the file, so the command passes +1048577 to tail -c to skip the first 1,048,576 bytes.

    % tail -c +1048577 ./9150.01000024.05090105.vhd > ./sign.tmp.tail
    % head -c -512 ./sign.tmp.tail > sign.tmp
    % rm ./sign.tmp.tail
  4. Use OpenSSL to extract the public key from the certificate and verify the stripped file (sign.tmp) with the signature file and the public key.

    OpenSSL prints Verification OK when the signature matches the file and Verification Failure when it does not.

    % openssl x509 -pubkey -noout -in ./Certificate-9.15.0P1_azure.pem > ./Code-Sign-Cert-Public-key.pub
    
    % openssl dgst -verify Code-Sign-Cert-Public-key.pub -keyform PEM -sha256 -signature digest.sig -binary ./sign.tmp
    Verification OK
    
    % openssl dgst -verify Code-Sign-Cert-Public-key.pub -keyform PEM -sha256 -signature digest.sig -binary ./another_file_from_nowhere.tmp
    Verification Failure
  5. Clean up the workspace.

    % rm ./9150.01000024.05090105.vhd ./sign.tmp
    % rm *.sig *.pub *.pem
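
The steps above depend on reading "Verification OK" from the terminal. As an added example (not NetApp's own tooling), the following shell functions wrap steps 2 to 4 so that automation can gate on the exit status instead. The function names, the minimum-size check, and `make_sample_vhd` (which builds a constructed test file) are assumptions; GNU `head`/`tail` and `openssl` are required.

```shell
#!/bin/sh
# Added example: fail-closed wrapper around steps 2-4. Names are illustrative assumptions.

VHD_HEADER_BYTES=1048576   # 1 MB removed from the start of the VHD (step 3)
VHD_FOOTER_BYTES=512       # 512 bytes removed from the end of the VHD (step 3)

# strip_vhd SRC DST: write SRC minus the leading 1 MB and trailing 512 bytes to DST.
# Rejects files too small to hold any signed payload instead of emitting an empty file.
strip_vhd() {
    src=$1; dst=$2
    size=$(wc -c < "$src") || return 2
    min=$((VHD_HEADER_BYTES + VHD_FOOTER_BYTES))
    if [ "$size" -le "$min" ]; then
        echo "strip_vhd: $src is $size bytes, expected more than $min" >&2
        return 2
    fi
    # tail -c +K starts at byte K, hence header + 1; head -c -N drops the last N bytes (GNU).
    tail -c +"$((VHD_HEADER_BYTES + 1))" "$src" | head -c -"$VHD_FOOTER_BYTES" > "$dst"
}

# verify_vhd CERT CHAIN SIG VHD: return 0 only if the chain of trust AND the
# signature both verify; any failed step leaves rc=1. Temp files are always removed.
verify_vhd() {
    cert=$1; chain=$2; sig=$3; vhd=$4
    work=$(mktemp -d) || return 2
    rc=1
    if openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 &&
       openssl x509 -pubkey -noout -in "$cert" > "$work/pub.pem" &&
       strip_vhd "$vhd" "$work/sign.tmp" &&
       openssl dgst -verify "$work/pub.pem" -keyform PEM -sha256 \
           -signature "$sig" -binary "$work/sign.tmp" >/dev/null 2>&1
    then
        rc=0
    fi
    rm -rf "$work"
    return "$rc"
}

# make_sample_vhd DST PAYLOAD: constructed input for testing only, shaped like the
# real file (1 MB zero header + PAYLOAD + 512-byte zero footer). Not a real VHD.
make_sample_vhd() {
    { head -c "$VHD_HEADER_BYTES" /dev/zero; printf '%s' "$2"
      head -c "$VHD_FOOTER_BYTES" /dev/zero; } > "$1"
}

# Usage with the file names from the steps above:
#   verify_vhd Certificate-9.15.0P1_azure.pem Certificate-Chain-9.15.0P1_azure.pem \
#       digest.sig 9150.01000024.05090105.vhd && echo "image verified"
```

Because `verify_vhd` returns non-zero when either the certificate chain or the signature check fails, a deployment script can stop before the image is used.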