If you export a virtual machine/vApp using the vSphere Client or the ovftool, the manifest file is automatically generated for you and it ends with .mf extension.
To create the manifest file, run the following command for all files to be signed:
openssl sha1 *.vmdk *.ovf > MyVM.mf
You can use cat utility to view the contents of the manifest file:
ovftool --privateKey=ghetto.pem MyVM.ovf MyVM-Signed.ovf
Note: There is no space between --privateKey= and the path to X.509 certifcate, else you may get an odd error message.
If the signing was successful, you should not see any errors:
You will find that the OVF has been signed under the "Manifest Info" section:
For more details and examples of using the ovftool, take a look at the user guide here.