Skip to main content
Cloud Volumes ONTAP
Azure
  • Amazon Web Services
  • Google Cloud
  • Microsoft Azure
  • All cloud providers

Verify Azure marketplace image signature for Cloud Volumes ONTAP on macOS

Contributors netapp-manini netapp-driley
PDFs

Verification of an exported VHD file signature on Linux includes validating the chain of trust, editing the file, and verifying the signature.

Steps

  1. Download the Azure image file from the NetApp Support Site and extract the digest (.sig) file, public key certificate (.pem) file, and chain certificate (.pem) file.

    Refer to Download the Azure image digest file for more information.

  2. Verify the chain of trust.

    % openssl verify -CAfile Certificate-Chain-9.15.0P1_azure.pem Certificate-9.15.0P1_azure.pem
Certificate-9.15.0P1_azure.pem: OK

  3. Remove 1MB (1,048,576 bytes) at the beginning and 512 bytes at the end of the VHD file. When using tail, the -c +K option generates bytes from the Kth byte of the file. Therefore, it passes 1048577 to tail -c. Note that on macOS, the tail command might take about ten minutes to complete.

    % tail -c +1048577 ./9150.01000024.05090105.vhd > ./sign.tmp.tail
% head -c -512 ./sign.tmp.tail > sign.tmp
% rm ./sign.tmp.tail

  4. Use OpenSSL to extract the public key from the certificate and verify the stripped file (sign.tmp) with the signature file and public key. The command prompt displays messages indicating success or failure based on the verification.

    % openssl x509 -pubkey -noout -in ./Certificate-9.15.0P1_azure.pem > ./Code-Sign-Cert-Public-key.pub

% openssl dgst -verify Code-Sign-Cert-Public-key.pub -keyform PEM -sha256 -signature digest.sig -binary ./sign.tmp
Verified OK

% openssl dgst -verify Code-Sign-Cert-Public-key.pub -keyform PEM -sha256 -signature digest.sig -binary ./another_file_from_nowhere.tmp
Verification Failure

  5. Clean up the workspace.

    % rm ./9150.01000024.05090105.vhd ./sign.tmp
% rm *.sig *.pub *.pem