Just seen this (see link) and I thought give you all heads up...
It's about expired certs in Apple flat packages and how to fix.
Yep, us too...not only the CasperShare, but I sent out an email blast to alert all the techs and support staff to purge old Apple PKG installers and replace with new ones.
This really underscores the lack of management oversight over at Apple. I wonder if (I hope) Apple will come to terms with the need for an enterprise guru. Someone like Ed Marzack, Greg Neagle, etc...
[EDIT] Does anyone know how this may impact our OS installers (which contain bunches of PKG installers)? :)
It's also going to affect ASUS -- http://support.apple.com/kb/HT5198
WTF Apple... it's REALLY time to start taking the enterprise seriously... I really wish I had come across this Friday AM, could've at least re-synced our SUS's over the weekend. As it is we're going to have to do this tomorrow evening...
At the very least we aren't using TOO many Apple pkgs via Casper. Most are home-brewed.
BTW, Thanks for the heads up about this, Cem!
From the MacEnterprise list:
Subject: Re: Mac OS X Server: Software Update Certificate expires tomorrow!
My 10.6 server (with fixes for Lion updates) has seemed to copy all the updated updates without me needing to go through the process of removal of the previous updates.
All the updated updates are not dated with the same date and are dated in groups from 16 March through 23 March.
I did see a spike of downloads on the 23rd March, but only about 9GB or so, certainly not the 19GB that would happen if I'd emptied the html folder and started the download process from scratch.
I have tested it since and the updates install fine on a freshly DeployStudio restored machine running the SoftwareUpdates on first boot in the finalize script.
Has anyone else experienced this same behaviour (of not having to dump your SUS cache)?
I seem to having problem running the checkPackageSignatures.py. It just hangs there very very long time and nothing else happens…
Could not open package: /private/tmp/dmg.09cnHX/Library/Receipts/BSD.pkg
am I doing something wrong? or it just doesn’t like the BSD.pkg?
Heh, I'm also seeing that a bunch of updates downloaded from Apple on 3/20 and 3/21, but nothing after that. Just tried the 10.7.3 combo on a machine that doesn't have it installed and Software Update is allowing it to download without complaints, so it seems at least some of them have fixed themselves. Still, it's definitely not everything, so we'll have to see what's now missing. I almost wonder if it would just be cleaner/safer to clear out the html folder and start fresh.
yup, like ben said, it's remote desktop and SIU resources, and this is definitely the current 10.7.3 InstallESD.dmg file downloaded from the app store on 3/26/2012
The error that was showing in install.log before I ran Greg's script on the InstallESD.dmg file was:
Thanks for the helpful info, one and all! Especially Greg for those tools.
Unfortunately, I seem to have trouble with a couple older monolithic images still in use. (Yes, I'm trying to revamp imaging here, but it's a slooow work in progress...)
When Greg's 'checkPackageSignatures' scans my repository, it does throw those BSD.pkg errors similar to
Could not open package: /private/tmp/dmg.fhUwhJ/Library/Receipts/BSD.pkg
For most, I know I can ignore that. But for some older monolithic images still in use, in addition to the BSD.pkg error above, I still get various "Package X signed by a cert that has since expired" messages as well.
So... this doesn't make sense to me. But pushing one of those images via Casper results in a machine that kernel panics every time I try to boot (plus 2+ hours to finish imaging). Any ideas? Running the flatpkgfixer script on the image throws errors too.
Is anyone else having trouble imaging with existing OS images build with "bad" packages? As I said, it doesn't make sense to me, so if anyone can explain I'll appreciate it! This is a monolithic image built on one machine and uploaded to Casper. It's big (read 100gb) but has worked fine enough so far. No one has imaged with it since before the Package Apocalypse until I tested it this week.
If we do need to rebuild these from scratch, it'll be a good excuse to move to a more modular style...