Pitfalls of the WSUS Package Publisher

How I deployed WSUS Package Publisher, and a problem whose solution I could not find anywhere on the Internet:

Unable to verify the signature for the file \\[serverName]\UpdateServicesPackages\AppName_abf10b91-bfa6-44ff-aa54-099e4bf1487d\a7f3d4b2-02b6-4f0c-ab9b-e38c8de9c3f0_1.cab
Verification of file signature failed for file: \\[serverName]\UpdateServicesPackages\AppName_abf10b91-bfa6-44ff-aa54-099e4bf1487d\a7f3d4b2-02b6-4f0c-ab9b-e38c8de9c3f0_1.cab

Somehow I ended up with the task of deploying an update server for our small network of about 1000 machines. Administration is not my main job, and for the last two years I have seen Windows only on rare occasions. But our beloved IT department said: "The security team needs it, so do it."

So, gathering my will into a fist, I went off to read the WSUS deployment manuals. With WSUS itself everything is simple and clear, and every problem that could arise has already been hit by someone and described on the forums long ago. With Package Publisher, however, many questions came up.

Why was it needed at all? Because we had to centrally update not only the Microsoft operating system and applications but also third-party software, Firefox in particular, and only on the machines where it was already installed. (LUP, Local Update Publisher, was considered as an alternative; its functionality is about the same, but kind people on the forums said it is no longer maintained and is much harder to integrate with Windows Server 2016.)

So, WSUS was deployed. The reason to love Windows: "Next -> Next -> Done, you are wonderful." Time for Package Publisher. Essentially every link on the Internet about it leads here . There is also a link to the GitHub repository, which describes the installation process in detail. Namely: download the archive, unzip it, run "Wsus Package Publisher.exe".

On Linux I got used to simply cloning repositories from GitHub. But here is the reason not to love Windows: nothing works that way. If you download the repository by simply clicking the green button, then, oh horror, there is no EXE file in the archive. Seriously, I spent 20 minutes trying to work out what the catch was and where I had lost it. It turned out that you simply have to download a specific release .

The installation was a pleasure, or rather its absence was. The EXE starts without any installation, finds WSUS (deployed on the same machine) and, when connected to it, displays a message that there is no certificate and that it cannot publish updates.

The logical next step is to feed a certificate to WSUS Package Publisher (Tools -> Certificate). You can generate a self-signed one, but I really did not want to, all the more so because a colleague had recently deployed a local certification authority. Interestingly, the button for loading a certificate only becomes active after you enter the password for the PFX file. "Close." After checking in the mmc console that the certificate I needed was in the "WSUS" store, and everything related to it was in "Trusted Publishers" and "Trusted Root Certification Authorities", I sincerely hoped that after restarting WSUS I would be happy. Yeah, right!

When creating an update (you can read how to do this for Firefox here ), the last step ends with the error: "Verification of file signature failed for file:
\\[serverName]\UpdateServicesPackages\AppName_abf10b91-bfa6-44ff-aa54-099e4bf1487d\a7f3d4b2-02b6-4f0c-ab9b-e38c8de9c3f0_1.cab" (Unable to verify the signature for the file ...). Google says the reason is that the certificate is missing from the "Trusted Root Certification Authorities" store. But it was there! And not only it! There was nowhere I did not try putting it. To no avail.

After an hour and a half of failed attempts I gave up and decided to use the self-signed WPP certificate after all. You would not believe what I saw when I opened the mmc console.

A special certificate is generated for code signing. That is, the certificate must be issued specifically for code signing (the Code Signing enhanced key usage); a general-purpose certificate from the CA will not do, no matter which store you put it in. More importantly, the private key must be exportable! The rest is a matter of technique: distribute the certificate chain (without the private key) to the network machines via GPO, and you can centrally install and update any applications.

So, if you get the error Verification of file signature failed for file , or any other similar one:

  1. Generate a certificate for the WSUS server where Package Publisher is installed, using the Code Signing template of the local certification authority. The private key must be exportable.
  2. Export the certificate with the private key (PFX) and load it into Package Publisher after entering the PFX password. Restart WSUS.
  3. Export the certificate without the private key and distribute it to the client machines.
  4. Update and install any application centrally and enjoy life.
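The checks behind these four steps can be scripted. The following PowerShell is an added example written for this page, not code from the original post or from the WSUS Package Publisher project. It assumes it runs on the WSUS/WPP server, that the certificate has already been enrolled into the local machine Personal store, and uses placeholder paths (`C:\wpp\...`, the `\\wsus01\...` CAB) that you would replace with your own. It verifies the two properties the post found the hard way (Code Signing EKU and an exportable private key), exports the PFX and CER, confirms the certificate and its chain root are in the stores WPP and WSUS consult, restarts WSUS, and finally runs the same Authenticode check on a published CAB that WSUS performs when it reports "Verification of file signature failed".

```powershell
# Added example, not from the original post. Assumes the WSUS/WPP server is the
# local machine and that the code-signing certificate is already in Cert:\LocalMachine\My.
$CodeSigningEku = '1.3.6.1.5.5.7.3.3'
$PfxPath = 'C:\wpp\wsus-signing.pfx'   # placeholder: goes into Package Publisher only
$CerPath = 'C:\wpp\wsus-signing.cer'   # placeholder: public part, distributed via GPO
$CabPath = '\\wsus01\UpdateServicesPackages\AppName_<guid>\<guid>_1.cab'  # placeholder

function Test-CodeSigningEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return $false }   # no EKU extension at all: not a code-signing cert
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $CodeSigningEku })
}

function Test-KeyExportable {
    # WPP needs the private key in a PFX, so the key must be marked exportable at enrollment.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $false }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $policy = $rsa.Key.ExportPolicy
        return ($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return $rsa.CspKeyContainerInfo.Exportable
    }
    return $false
}

# Step 1: pick the newest usable code-signing certificate in the machine store.
$cert = Get-ChildItem Cert:\LocalMachine\My -CodeSigningCert |
    Where-Object { (Test-CodeSigningEku $_) -and (Test-KeyExportable $_) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw 'No certificate with the Code Signing EKU and an exportable private key found. Re-enroll from a Code Signing template with "Allow private key to be exported".'
}
"Using $($cert.Subject) thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"

# Step 2: export with private key for WPP (Tools -> Certificate) and without it for clients.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null
Export-Certificate   -Cert $cert -FilePath $CerPath | Out-Null

# Step 2b: after loading the PFX in WPP, confirm the stores WSUS consults.
# The signing cert itself must be in WSUS and TrustedPublisher; the root of its
# chain (the CA, or the cert itself if self-signed) must be in Root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$null = $chain.Build($cert)
$rootThumb = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
$expected = @{ WSUS = $cert.Thumbprint; TrustedPublisher = $cert.Thumbprint; Root = $rootThumb }
foreach ($store in $expected.Keys) {
    $present = Get-ChildItem "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $expected[$store] }
    "{0,-17} {1}" -f $store, $(if ($present) { 'OK' } else { 'MISSING' })
}
Restart-Service WsusService

# Step 3 (what the GPO does on each client, shown here for a manual test):
#   Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\TrustedPublisher
#   and, only for a self-signed WPP cert, also into Cert:\LocalMachine\Root.

# Step 4: the check WSUS runs on a published package. Status must be Valid and the
# signer must be the certificate loaded into WPP, otherwise clients will reject it.
if (Test-Path $CabPath) {
    $sig = Get-AuthenticodeSignature -FilePath $CabPath
    "CAB signature: $($sig.Status), signer $($sig.SignerCertificate.Thumbprint)"
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
        Write-Warning 'Package is not signed by the WPP certificate; republish it after fixing the certificate.'
    }
}
```

Treat the PFX produced in step 2 as a high-value secret: once its public half sits in Trusted Publishers on every client, whoever holds that private key can push arbitrary executables to the whole network through WSUS. Keep it only where Package Publisher needs it, give it a strong password, and delete any stray copies after loading it.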
