Fixing packages with expired signatures - heads up!

Posted 3/25/12 at 6:07 AM by Cem

Just seen this (see link) and I thought I'd give you all a heads up...
It's about expired certs in Apple flat packages and how to fix them.
Thanks Greg!

http://managingosx.wordpress.com/2012/03/24/fixing-packages-with-expired-signatures/#comments

23

Comments

acdesigntech
Posted 3/25/12 at 1:08 PM by acdesigntech

I'll be scanning my CasperShare first thing Monday morning...

donmontalvo
Posted 3/25/12 at 7:42 PM by donmontalvo

Yep, us too...not only the CasperShare, but I sent out an email blast to alert all the techs and support staff to purge old Apple PKG installers and replace with new ones.

This really underscores the lack of management oversight over at Apple. I wonder if (I hope) Apple will come to terms with the need for an enterprise guru. Someone like Ed Marczak, Greg Neagle, etc...

[EDIT] Does anyone know how this may impact our OS installers (which contain bunches of PKG installers)? :)

Don

acdesigntech
Posted 3/25/12 at 8:19 PM by acdesigntech

It's also going to affect ASUS -- http://support.apple.com/kb/HT5198

WTF Apple... it's REALLY time to start taking the enterprise seriously... I really wish I had come across this Friday AM, could've at least re-synced our SUS's over the weekend. As it is we're going to have to do this tomorrow evening...

At the very least we aren't using TOO many Apple pkgs via Casper. Most are home-brewed.

BTW, Thanks for the heads up about this, Cem!

donmontalvo
Posted 3/26/12 at 12:30 PM by donmontalvo

From the MacEnterprise list:

Date: Mon, 26 Mar 2012 09:40:58 +1100
From: XXXXXXXXX
Subject: Re: Mac OS X Server: Software Update Certificate expires tomorrow!

My 10.6 server (with fixes for Lion updates) has seemed to copy all the updated updates without me needing to go through the process of removal of the previous updates.
All the updated updates are not dated with the same date and are dated in groups from 16 March through 23 March.

I did see a spike of downloads on the 23rd March, but only about 9GB or so, certainly not the 19GB that would happen if I'd emptied the html folder and started the download process from scratch.

I have tested it since and the updates install fine on a freshly DeployStudio restored machine running the SoftwareUpdates on first boot in the finalize script.

Has anyone else experienced this same behaviour (of not having to dump your SUS cache)?

Charlie

Cem
Posted 3/26/12 at 12:50 PM by Cem

Yes, I have seen some logs showing that some Macs ran updates successfully. Also seen a few that have failed. So I have decided to do the purging and redownloading...

I will also run Greg's fix script on CasperShares.

Cem
Posted 3/26/12 at 3:47 PM by Cem

I seem to be having a problem running checkPackageSignatures.py. It just hangs there for a very, very long time and nothing else happens…

/Volumes/CasperShare/Packages/10.6.4 Vanilla.dmg:
Could not open package: /private/tmp/dmg.09cnHX/Library/Receipts/BSD.pkg

Am I doing something wrong? Or does it just not like the BSD.pkg?

bentoms
Posted 3/26/12 at 4:06 PM by bentoms

Took me a while on BSD too. Just left it running & went for lunch.

Cem
Posted 3/26/12 at 4:15 PM by Cem

Oh! Cheers Ben!

mm2270
Posted 3/26/12 at 4:45 PM by mm2270

Heh, I'm also seeing that a bunch of updates downloaded from Apple on 3/20 and 3/21, but nothing after that. Just tried the 10.7.3 combo on a machine that doesn't have it installed and Software Update is allowing it to download without complaints, so it seems at least some of them have fixed themselves. Still, it's definitely not everything, so we'll have to see what's now missing. I almost wonder if it would just be cleaner/safer to clear out the html folder and start fresh.

Cem
Posted 3/26/12 at 4:45 PM by Cem

I will run it overnight, as I have quite a few OS DMGs.

Cem
Posted 3/26/12 at 4:53 PM by Cem

@mm2270: that's what I have done and all looks good so far. The only annoying part was some of the packages didn't remember being enabled. So I had to take screen grabs to compare before I proceeded.

nkalister
Posted 3/26/12 at 4:56 PM by nkalister

FYI- There are 2 packages with the expired certificate in the InstallESD.dmg file from the app store as of 1pm PST this afternoon . . . so make sure to fix your OS install, too! Took me a bit to figure out why imaging was suddenly broken this morning, but the expired certificate was the culprit.

bentoms
Posted 3/26/12 at 4:58 PM by bentoms

Just about to post the same info!

Cem
Posted 3/26/12 at 5:12 PM by Cem

What are the packages? Also, could you confirm it was 10.7.3?

bentoms
Posted 3/26/12 at 5:14 PM by bentoms

RemoteDesktop.pkg & SIUResources.pkg

Downloaded 10.7 install from app store this evening.

Cem
Posted 3/26/12 at 5:17 PM by Cem

I will keep my eyes peeled for these...

nkalister
Posted 3/26/12 at 5:24 PM by nkalister

Yup, like Ben said, it's Remote Desktop and SIU Resources, and this is definitely the current 10.7.3 InstallESD.dmg file downloaded from the App Store on 3/26/2012.
The error that was showing in install.log before I ran Greg's script on the InstallESD.dmg file was:
Mar 26 12:33:08 nbkali-mba installer[22366]: Failed install preflight: Error Domain=PKInstallErrorDomain Code=102 "The package “RemoteDesktop.pkg” is untrusted." UserInfo=0x7fe16387b140 {NSLocalizedDescription=The package “RemoteDesktop.pkg” is untrusted., NSURL=RemoteDesktop.pkg -- file://localhost/Volumes/Mac%20OS%20X%20Install%20ESD/Packages/OSInstall.mpkg, PKInstallPackageIdentifier=com.apple.pkg.RemoteDesktop, NSUnderlyingError=0x7fe1638a7fc0 "The operation couldn’t be completed. CSSMERR_TP_CERT_EXPIRED"}
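
Added example, not part of the thread and not taken from Greg Neagle's scripts: a small Python triage that scans installer log text for the preflight failure shape quoted in the post above and reports which package identifiers failed specifically with CSSMERR_TP_CERT_EXPIRED, on which hosts, and from which container. The sample lines are rebuilt in the quoted line's shape with placeholder PIDs and pointers; the host `constructed-host`, the package `Example.pkg` and the CSSMERR_TP_NOT_TRUSTED line are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlparse

# Shape of the installer preflight failure quoted in the post above.
PREFLIGHT = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) installer\[\d+\]: '
    r'Failed install preflight:.*?NSURL=(?P<pkg>\S+) -- (?P<url>file://[^,]+),'
    r'.*?PKInstallPackageIdentifier=(?P<pkgid>[\w.-]+)'
    r'.*?(?P<cssm>CSSMERR_\w+)')

def expired_signature_failures(log_text):
    """Return {package id: {'hosts', 'containers', 'count'}} for expiry failures."""
    found = defaultdict(lambda: {'hosts': set(), 'containers': set(), 'count': 0})
    for line in log_text.splitlines():
        m = PREFLIGHT.search(line)
        if not m or m['cssm'] != 'CSSMERR_TP_CERT_EXPIRED':
            continue  # unrelated line, or untrusted for a reason other than expiry
        entry = found[m['pkgid']]
        entry['hosts'].add(m['host'])
        # Decode the file:// URL so the container to repair is readable.
        entry['containers'].add(unquote(urlparse(m['url']).path))
        entry['count'] += 1
    return dict(found)

def _line(ts, host, pkg, pkgid, cssm):
    # Constructed log line in the quoted shape (PID and pointers are placeholders).
    return (f'{ts} {host} installer[100]: Failed install preflight: Error '
            f'Domain=PKInstallErrorDomain Code=102 "The package “{pkg}” is '
            f'untrusted." UserInfo=0x0 {{NSLocalizedDescription=The package '
            f'“{pkg}” is untrusted., NSURL={pkg} -- file://localhost/Volumes/'
            f'Mac%20OS%20X%20Install%20ESD/Packages/OSInstall.mpkg, '
            f'PKInstallPackageIdentifier={pkgid}, NSUnderlyingError=0x0 '
            f'"The operation couldn’t be completed. {cssm}"}}')

SAMPLE_LOG = '\n'.join([
    _line('Mar 26 12:33:08', 'nbkali-mba', 'RemoteDesktop.pkg',
          'com.apple.pkg.RemoteDesktop', 'CSSMERR_TP_CERT_EXPIRED'),
    _line('Mar 26 13:02:41', 'constructed-host', 'RemoteDesktop.pkg',
          'com.apple.pkg.RemoteDesktop', 'CSSMERR_TP_CERT_EXPIRED'),
    _line('Mar 26 13:05:10', 'constructed-host', 'Example.pkg',
          'com.example.pkg.Example', 'CSSMERR_TP_NOT_TRUSTED'),
    'Mar 26 13:06:00 constructed-host installer[100]: Installation finished.',
])

if __name__ == '__main__':
    for pkgid, info in expired_signature_failures(SAMPLE_LOG).items():
        print(pkgid, info['count'], sorted(info['hosts']), sorted(info['containers']))
```

Separating expiry from other trust failures matters here because only the expired-certificate case is what the fix discussed in this thread addresses; any other untrusted result deserves its own investigation.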

Cem
Posted 3/26/12 at 5:28 PM by Cem

Apple has got to sort out this mess... it's not just the usual Enterprise ignorance, it's also consumer level!!!??

donmontalvo
Posted 3/26/12 at 6:27 PM by donmontalvo

That this affects consumers might just be the ticket for Apple to fix this issue...if it only affected enterprise I'm sure they'd just blow it off.

Don

heathjw
Posted 4/2/12 at 9:01 AM by heathjw

So I understand the ramifications for SUS. What about our CasperShares? Are we going to have to re-download and replace those pre-packaged pkgs that we got from Apple? We don't have many; I just want to clarify what action is required to keep things running smoothly.

gregneagle
Posted 4/2/12 at 10:08 AM by gregneagle

Yes, you'll need to replace or fix any packages in your CasperShares that have expired signatures if you want to be able to continue using Casper to install them.

jonscott
Posted 4/11/12 at 12:59 PM by jonscott

Thanks for the helpful info, one and all! Especially Greg for those tools.

Unfortunately, I seem to have trouble with a couple older monolithic images still in use. (Yes, I'm trying to revamp imaging here, but it's a slooow work in progress...)

When Greg's 'checkPackageSignatures' scans my repository, it does throw those BSD.pkg errors similar to
Could not open package: /private/tmp/dmg.fhUwhJ/Library/Receipts/BSD.pkg

For most, I know I can ignore that. But for some older monolithic images still in use, in addition to the BSD.pkg error above, I still get various "Package X signed by a cert that has since expired" messages as well.

So... this doesn't make sense to me. But pushing one of those images via Casper results in a machine that kernel panics every time I try to boot (plus 2+ hours to finish imaging). Any ideas? Running the flatpkgfixer script on the image throws errors too.

Is anyone else having trouble imaging with existing OS images built with "bad" packages? As I said, it doesn't make sense to me, so if anyone can explain I'll appreciate it! This is a monolithic image built on one machine and uploaded to Casper. It's big (read 100gb) but has worked fine enough so far. No one has imaged with it since before the Package Apocalypse until I tested it this week.

If we do need to rebuild these from scratch, it'll be a good excuse to move to a more modular style...

Thanks,
Jon

jonscott
Posted 4/11/12 at 1:07 PM by jonscott

I just realized my imaging problem may be related to the hardware I'm restoring to, regardless of the feedback I see from the PA scripts...

Will try pushing this image to newer hardware soon...