- Overview
- Product Documentation
- CML 2.8 Release Notes
- CML 2.8 Installation Guide
- CML 2.8 User Guide
- CML 2.8 Admin Guide
- CML Administrator's Guide
- Cisco Modeling Labs System Overview
- System Defaults
- Creating a New Node Definition
- Node Definition SMBIOS Parameters Specification
- Custom VM Images
- Clustering
- CML Admin Tools
- System Settings
- Networking
- Resources
Verifying Signatures of Downloaded Files¶
We provide Open Virtual Appliance (OVA), PKG and ISO images as our signed artifacts. For more details on the signature verification, please see the corresponding sections below. If you encounter any issues or have further questions about the signature verification process, contact support for assistance.
OVA Verification Process¶
VMware products, such as VMware Workstation, VMware Player, or VMware vSphere, have built-in capabilities to validate the integrity of an OVA file using this embedded signature.
The details of this process may vary with VMware product, version, and configuration, but the OVA verification process involves the following steps:
Import the OVA File: When you import the OVA file into VMware software, the import wizard automatically checks the integrity of the OVA package. This includes verifying the hashes of the files contained within the OVA against the digests specified in the manifest file.
Check for Validation Messages: During the import process, the VMware software will alert you if there are any issues with the signature or the integrity of the files. If the hashes do not match (indicating that the files may have been tampered with), the software may warn you or refuse to continue with the import.
Digital Signature Verification: VMware software uses embedded certificates within the OVA to verify the signature. This ensures that the OVA package is from a trusted source and has not been altered.
Completing the Import: If the integrity and signature verification checks pass, you can proceed with the import process and start using the virtual appliance.
Note
If you encounter any validation errors or warnings during the import process, verify the TrustID EV Code Signing CA 4 Root CA Certificate and the Issuing CA Certificate have been imported into your VMWare vSphere’s trusted root certificate store. If the certificates are not present, you may need to download them from Cisco Code Signing Certificate Issuers and import them manually. Refer to the VMware vSphere documentation for the version of vSphere that you are using for more information on the certificate management in that product.
PKG and ISO Verification Process¶
Note
Please note that the signature verification process described herein is intended exclusively for MacOS and Linux operating systems. Currently, Windows does not support the signature verification steps as outlined in our documentation.
For the verification of PKG and ISO image artifacts, our process requires the presence of python3 and OpenSSL libraries. These are essential tools for validating the integrity and authenticity of the downloaded files.
Prerequisites:
MacOS or Linux operating system
Python3
OpenSSL
For MacOS users, Python3 can typically be installed via Homebrew with the command
brew install python3. OpenSSL is usually pre-installed on MacOS, but if you need to
install or update it, you can use brew install openssl.
Linux users can install Python3 and OpenSSL using their distribution’s package manager.
For example, on Ubuntu or Debian-based systems, you can use the following commands:
`
sudo apt update
sudo apt install python3
sudo apt install openssl
`
For ISO files, please be aware that they are archived in a .zip format and must be unarchived before proceeding with the verification. The necessary files for verification include:
A signature file (
*.signature)A README file with specific instructions (
*.README)The ISO artifact itself (
cml2_*.isoorcml2_*.pkg)A verification script (
cisco_x509_verify_release.py3)The public certificate (
CML-IMG-REL-CCO_RELEASE.pem)
Detailed instructions for the verification process, including the use of the verification script and the public certificate, can be found within the README file accompanying the downloaded artifacts. We strongly advise following these instructions carefully to ensure a successful verification of the PKG or ISO image artifacts.