6 Replies Latest reply on May 24, 2016 6:15 AM by cwinning

    Resigned updates will not deploy

    croth2 Apprentice

      So my Code Signing certificate was running out, so I renewed it from my Enterprise CA.  Put that new certificate in the GPO to deploy that certificate to all servers and clients as a Trusted Publisher.  I do not add it to the Root certificates since it is an Enterprise CA signed certificate; the Root of the Domain CA is trusted.  This works fine.  Verified the servers and clients got the certificate.  In Shavlik Patch add-in in SCCM Console, opened settings and added the new certificate.  Went to my Published Third-Party Updates and "Resigned" all of them.  Followed the AutoPublish log file, all resigned successfully.

       

      When I tried running the 3rd Party updates from OSD I got errors stating "not trusted"; those are below.

       

      FATAL: Error: 0x800b0101 when verifying trust for C:\WINDOWS\SoftwareDistribution\Download\f7bf7d67462c3c29b29c2ee8067a74fd_ctc\984ad00b-ba88-44ed-8e7a-809bd38d6a40_1.cab

      WARNING: Digital Signatures on file C:\WINDOWS\SoftwareDistribution\Download\f7bf7d67462c3c29b29c2ee8067a74fd_ctc\984ad00b-ba88-44ed-8e7a-809bd38d6a40_1.cab are not trusted: Error 0x800b0101

       

      That was because I forgot to update the package I use to deploy the trusted publisher certificate and registry keys needed to deploy 3rd party updates during OSD.  Fixed that package and the errors went away.  So now it recognizes the certificate and trusts it.

       

      Now to the current problem, I am getting a download error on any updates that were already deployed before I resigned them.  New updates I download for this month are signed, deploying, and installing properly.  However, the updates I had already deployed are not.

       

      So with that in mind, I figured "Update Distribution Points" on the package containing the 3rd party updates.  Still not working.  Then went back to Shavlik Third-Party Updates and Republished all the updates I had previously deployed.  This was successful according to the AutoPublish log, but still did not resolve the issue.  I then "Update Distribution Points" on the package containing the 3rd party updates, again.  Still no luck.

       

      Additional information, in "All Software Updates" I found that the "Date Released or Revised" is not updated.  I don't know if it should be or not.

       

      So need some help as to what may be going on.  Secondly, even if someone can provide the proper procedure for resigning updates I can see if I was doing it right.
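A client-side check for the "not trusted" errors quoted in the post above, as an added example that is not part of the original post or of Shavlik's tooling: it reads the Authenticode signer of a downloaded update .cab and reports whether that exact certificate is in the machine Trusted Publishers store, whether its chain builds, and whether the Windows Update policy value that permits locally published signed updates is set. The function name and the placeholder path are assumptions.

```powershell
# Added example (hypothetical helper name). Run elevated on an affected client.
function Test-UpdateSignerTrust {
    param([Parameter(Mandatory)][string] $Path)

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate
    if (-not $signer) {
        # Unsigned or unreadable signature: nothing further to evaluate.
        return [pscustomobject]@{ File = $Path; Status = $sig.Status; Signer = $null }
    }

    # The re-signed update must be signed by a certificate that is present,
    # by thumbprint, in LocalMachine\TrustedPublisher on the client.
    $inPublishers = Test-Path "Cert:\LocalMachine\TrustedPublisher\$($signer.Thumbprint)"

    # Build the chain without revocation checks so the result reflects only
    # trust anchors and validity dates (0x800b0101 is CERT_E_EXPIRED).
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($signer)

    # Policy value that lets the Windows Update agent accept updates signed
    # by a Trusted Publishers certificate from an intranet update service.
    $wu = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' `
        -Name AcceptTrustedPublisherCerts -ErrorAction SilentlyContinue

    [pscustomobject]@{
        File                 = $Path
        Status               = $sig.Status
        StatusMessage        = $sig.StatusMessage
        SignerSubject        = $signer.Subject
        SignerThumbprint     = $signer.Thumbprint
        SignerNotBefore      = $signer.NotBefore
        SignerNotAfter       = $signer.NotAfter
        Timestamped          = [bool]$sig.TimeStamperCertificate
        InTrustedPublishers  = $inPublishers
        ChainBuilds          = $chainOk
        ChainStatus          = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        AcceptTrustedPubCert = $wu.AcceptTrustedPublisherCerts
    }
}

# Placeholder path: substitute the .cab named in the client log.
# Test-UpdateSignerTrust -Path 'C:\path\to\update.cab' | Format-List
```

A SignerThumbprint that still matches the old certificate on a .cab downloaded after re-signing indicates the client or distribution point is serving the previously signed content.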

        • 1. Re: Resigned updates will not deploy
          cwinning CommunityTeam

          Hello,

           

          Without doing a deep-dive through a WebEx, I think the best course of action would be to delete the published patch using Shavlik Patch 2.2 and then publish it again to see if it corrects the behavior.

           

          Thanks,

          Charles

          • 2. Re: Resigned updates will not deploy
            croth2 Apprentice

            Unfortunately, I had already been taking steps to troubleshoot prior to getting this post.  Let me know if what you are suggesting does what I did.  If not, how does it differ?


            - Had to remove all memberships that included deployments (or delete deployments)
              - I chose to remove all memberships
            - Delete the updates from the software Deployment Package
            - Wait for all DPs to be Green
            - Download the updates again to the package
            - Wait for all DPs to be Green
            - Add memberships to already deployed SUGs back to the newly downloaded
            - On client Machine policy and Software update deployment evaluation
            - New updates are downloaded and deployed successfully

             

            Prior to doing all that I tried several combinations of similar actions.  Creating a new deployment with same files, fail.  Downloaded updates without deleting first, fail as it knew they were already downloaded and didn't download new.  Etc.  The above seemed to be the right combination.

             

            Again, please let me know if what you are suggesting does what I did.  If not, how does it differ?  Secondly, please explain the procedure that would be needed and what Shavlik does when I click Delete in "Shavlik Third-Party Updates".

            • 3. Re: Resigned updates will not deploy
              cwinning CommunityTeam

              Hello,

               

              Did you use the Delete feature in Shavlik Patch?  It looks like you manually removed the patch from SCCM, WSUS.  I would suggest deleting it using the Shavlik Patch and then allowing it time to perform the deletion. (We perform a lot of tasks to make sure the deletion is a complete removal.)

               

              Other than that, I don't have any suggestion with the information I have.

               

              Charles

              • 4. Re: Resigned updates will not deploy
                cwinning CommunityTeam

                Hello,

                 

                One thing I should mention is there are some manual steps you need to do when resigning patches through Shavlik Patch. Although it does look like you covered those steps...

                 

                This video goes over them: How to Re-sign Updates from LANDESK Software on Vimeo

                 

                Charles

                • 5. Re: Resigned updates will not deploy
                  croth2 Apprentice

                  That video is great.  Has exactly what I would have needed to avoid the headache I had.

                  • 6. Re: Resigned updates will not deploy
                    cwinning CommunityTeam

                    My apologies, I wasn't able to immediately recognize that, glad it helped though.

                     

                    Charles