This project has moved. For the latest updates, please go here.

[Solved] Verification of file signature failed for file

Topics: Publishing Issue
Apr 25, 2013 at 9:34 PM
Edited Apr 25, 2013 at 9:36 PM
Hi there,

Have just gotten the software setup, and have been very happy with how well the documentation was put together. So far step by step install and certificate import went well.

However now when following the instructions on distributing flash update get the following error when going to publish:

Verification of file signature failed for file: \SRV-V-WSUS\UpdateServicesPackages\fc13f328-82df-437d-a04d-6a5a15c19120\001ffc87-053e-449d-ae52-100d73988d18_1.cab

Now, perhaps I'm trying to have my cake and eat it too, but my WSUS server is set not to store updates locally, but on windows update. Could this be the reason? Or am I missing something obvious?

Thanks!
See the end of this message for details on invoking 
just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************
System.InvalidOperationException: Verification of file signature failed for file: \\SRV-V-WSUS\UpdateServicesPackages\fc13f328-82df-437d-a04d-6a5a15c19120\001ffc87-053e-449d-ae52-100d73988d18_1.cab
   at Microsoft.UpdateServices.Internal.BaseApi.Publisher.GetLocalFileDetails()
   at Microsoft.UpdateServices.Internal.BaseApi.Publisher.VerifyAndPublishPackage()
   at Microsoft.UpdateServices.Internal.BaseApi.Publisher.PublishPackage(String sourcePath, String additionalSourcePath, String packageDirectoryName, Boolean dualSign, String httpTimeStamp)
   at Microsoft.UpdateServices.Internal.BaseApi.Publisher.PublishPackage(String sourcePath, String additionalSourcePath, String packageDirectoryName)
   at Wsus_Package_Publisher.WsusWrapper.PublishUpdate(FrmUpdateFilesWizard filesWizard, FrmUpdateInformationsWizard informationsWizard, FrmUpdateRulesWizard isInstalledRulesWizard, FrmUpdateRulesWizard isInstallableRulesWizard)
   at Wsus_Package_Publisher.FrmUpdatePublisher.Publish()
   at Wsus_Package_Publisher.FrmUpdateWizard.updateIsInstallableRulesWizard_btnNext_Click(Object sender, EventArgs e)
   at System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
   at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
   at System.Windows.Forms.Control.WndProc(Message& m)
   at System.Windows.Forms.ButtonBase.WndProc(Message& m)
   at System.Windows.Forms.Button.WndProc(Message& m)
   at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)


************** Loaded Assemblies **************
mscorlib
    Assembly Version: 4.0.0.0
    Win32 Version: 4.0.30319.18033 built by: FX45RTMGDR
    CodeBase: file:///C:/Windows/Microsoft.NET/Framework64/v4.0.30319/mscorlib.dll
----------------------------------------
Wsus Package Publisher
    Assembly Version: 1.1.1304.12
    Win32 Version: 1.1.1304.12
    CodeBase: file:///C:/Users/administrator.VACANADA/Downloads/Release%20v1.1.1304.12%20(x64)/Wsus%20Package%20Publisher.exe
----------------------------------------
System.Windows.Forms
    Assembly Version: 4.0.0.0
    Win32 Version: 4.0.30319.18037 built by: FX45RTMGDR
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Windows.Forms/v4.0_4.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
----------------------------------------
System.Drawing
    Assembly Version: 4.0.0.0
    Win32 Version: 4.0.30319.18022 built by: FX45RTMGDR
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Drawing/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
----------------------------------------
System
    Assembly Version: 4.0.0.0
    Win32 Version: 4.0.30319.18033 built by: FX45RTMGDR
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System/v4.0_4.0.0.0__b77a5c561934e089/System.dll
----------------------------------------
Microsoft.UpdateServices.Administration
    Assembly Version: 4.0.0.0
    Win32 Version: 6.2.9200.16384
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/Microsoft.UpdateServices.Administration/v4.0_4.0.0.0__31bf3856ad364e35/Microsoft.UpdateServices.Administration.dll
----------------------------------------
System.Configuration
    Assembly Version: 4.0.0.0
    Win32 Version: 4.0.30319.17929 built by: FX45RTMREL
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Configuration/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Configuration.dll
----------------------------------------
System.Xml
    Assembly Version: 4.0.0.0
    Win32 Version: 4.0.30319.18033 built by: FX45RTMGDR
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Xml/v4.0_4.0.0.0__b77a5c561934e089/System.Xml.dll
----------------------------------------
Wsus Package Publisher.resources
    Assembly Version: 1.1.1304.12
    Win32 Version: 1.1.1304.12
    CodeBase: file:///C:/Users/administrator.VACANADA/Downloads/Release%20v1.1.1304.12%20(x64)/en/Wsus%20Package%20Publisher.resources.DLL
----------------------------------------
CheckComboBox
    Assembly Version: 1.1.1212.22
    Win32 Version: 1.1.1212.22
    CodeBase: file:///C:/Users/administrator.VACANADA/Downloads/Release%20v1.1.1304.12%20(x64)/CheckComboBox.DLL
----------------------------------------
Microsoft.UpdateServices.Utils
    Assembly Version: 4.0.0.0
    Win32 Version: 6.2.9200.16384
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/Microsoft.UpdateServices.Utils/v4.0_4.0.0.0__31bf3856ad364e35/Microsoft.UpdateServices.Utils.dll
----------------------------------------
Microsoft.UpdateServices.BaseApi
    Assembly Version: 4.0.0.0
    Win32 Version: 6.2.9200.16384
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/Microsoft.UpdateServices.BaseApi/v4.0_4.0.0.0__31bf3856ad364e35/Microsoft.UpdateServices.BaseApi.dll
----------------------------------------
System.Core
    Assembly Version: 4.0.0.0
    Win32 Version: 4.0.30319.17929 built by: FX45RTMREL
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Core/v4.0_4.0.0.0__b77a5c561934e089/System.Core.dll
----------------------------------------
Microsoft.UpdateServices.DBlayer
    Assembly Version: 4.0.0.0
    Win32 Version: 6.2.9200.16384
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/Microsoft.UpdateServices.DBlayer/v4.0_4.0.0.0__31bf3856ad364e35/Microsoft.UpdateServices.DBlayer.dll
----------------------------------------
System.Data
    Assembly Version: 4.0.0.0
    Win32 Version: 4.0.30319.18033 built by: FX45RTMGDR
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_64/System.Data/v4.0_4.0.0.0__b77a5c561934e089/System.Data.dll
----------------------------------------
Microsoft.UpdateServices.StringResources
    Assembly Version: 4.0.0.0
    Win32 Version: 6.2.9200.16384
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/Microsoft.UpdateServices.StringResources/v4.0_4.0.0.0__31bf3856ad364e35/Microsoft.UpdateServices.StringResources.dll
----------------------------------------
Microsoft.UpdateServices.AdminDataAccessProxy
    Assembly Version: 4.0.0.0
    Win32 Version: 6.2.9200.16384
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/Microsoft.UpdateServices.AdminDataAccessProxy/v4.0_4.0.0.0__31bf3856ad364e35/Microsoft.UpdateServices.AdminDataAccessProxy.dll
----------------------------------------
System.Web.Services
    Assembly Version: 4.0.0.0
    Win32 Version: 4.0.30319.17929 built by: FX45RTMREL
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Web.Services/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Web.Services.dll
----------------------------------------
Microsoft.GeneratedCode
    Assembly Version: 1.0.0.0
    Win32 Version: 4.0.30319.18033 built by: FX45RTMGDR
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Xml/v4.0_4.0.0.0__b77a5c561934e089/System.Xml.dll
----------------------------------------
MsiReader
    Assembly Version: 1.2.1212.8
    Win32 Version: 1.2.1212.08
    CodeBase: file:///C:/Users/administrator.VACANADA/Downloads/Release%20v1.1.1304.12%20(x64)/MsiReader.DLL
----------------------------------------

************** JIT Debugging **************
To enable just-in-time (JIT) debugging, the .config file for this
application or computer (machine.config) must have the
jitDebugging value set in the system.windows.forms section.
The application must also be compiled with debugging
enabled.

For example:

<configuration>
    <system.windows.forms jitDebugging="true" />
</configuration>

When JIT debugging is enabled, any unhandled exception
will be sent to the JIT debugger registered on the computer
rather than be handled by this dialog box.


Coordinator
Apr 26, 2013 at 7:30 AM
Hi jonathonz,

I never test with this settings, but I suspect that it is not the cause of the problem.
If you are publishing the update from the Wsus server itself, check :
 - If you are using a selfsign certificate, it should be present in : 
      * (Local Computer)\Wsus certificate folder.
      * (Local Computer)\Trusted Publisher.
      * (Local Computer)\Trusted Root Certification Authority.
 - If you are using your own signing-code certificate, it should be present in : 
      * (Local Computer)\Wsus certificate folder.
      * (Local Computer)\Trusted Publisher.
      * And the Certificate of the authority who have made this certificate should be in the (Local Computer)\Trusted Roor Certification Authority.
If you are publishing the update from a computer, check :
 - If you are using a selfsign certificate, it should be present in : 
      * (Local Computer)\Trusted Publisher.
      * (Local Computer)\Trusted Root Certification Authority.
 - If you are using your own signing-code certificate, it should be present in :
      * (Local Computer)\Trusted Publisher.
      * And the Certificate of the authority who have made this certificate should be in the (Local Computer)\Trusted Roor Certification Authority.
In both case, the machine should be reboot so that this can take effect.

If you have installed the Microsoft kb2661254 read this : kb2661254
Marked as answer by DCourtel on 10/12/2013 at 8:38 AM
Apr 26, 2013 at 12:26 PM
Edited Apr 26, 2013 at 12:26 PM
You were entirely correct regarding publishing the package. After verifying the certs and rebooting, the package published okay! Now will test whether this "mixed mode" will work.

Thanks!
Coordinator
Apr 26, 2013 at 3:27 PM
Happy to see that you have solved your problem.
Apr 26, 2013 at 3:39 PM
I'm pleased to report complete success in the deployment of Adobe Flash and Adobe Reader.

WSUS Package Publisher is exactly what we need to make our patching solution complete!

Thanks very much for putting the time and effort into putting this software together, making it publicly available, and for taking the time to provide clear documentation.

Very much appreciated!

Merci beaucoup!
Aug 9, 2013 at 7:49 PM
Hi DCourtel and team,

We are back again with another concern. We are getting the same problem posted last April (Thread: Verification of file signature failed for file) when publishing Adobe Flash and Reader.
Our error:
Verification of file signature failed for file: \<servername>\UpdateServicesPackages\42cc6726-c3fe-464b-b8ac-38ec00766262\e4fc1757-9445-456c-884b-1d437a9d6b97_1.cab
We have already followed the instructions you have provided regarding the certificate on the thread but we are still getting the same error. Please take note that following Microsoft kb2661254, our certificate file name is Cert.pfx.

Also, we have replica servers. Do we need to install the WSUS Package Publisher to the replica servers?

Thanks!
Coordinator
Aug 9, 2013 at 8:40 PM
Hi CTV, welcome back ;-)
Please take note that following Microsoft kb2661254, our certificate file name is Cert.pfx.
If you have installed KB2661254, then your certificate Must be 1024 bit length at least. Have you check that ?
All computers with kb2661254 installed on, will not trust files that has been signed with a certificate of less 1024 bit length !

If it is not the case, you have to delete the current used certificate (use mmc => certificate ...) from 'Wsus' store', 'Trusted Publisher' store and 'Root authorities' store.
Then make a new certificate and re-import it in these stores. This is in case of you are using a self-signed certificate (issuing by your Wsus server).

If you have your own certificate authority, make a new code-signing certificate and new root authority certificate. Ensure these both two certificates are 1024 bit length or more.

If you have already publish update with the old certificate, you have to resign them with the new one.
New certificates must be push to clients.

Keep me informed.
Coordinator
Aug 9, 2013 at 8:43 PM
Edited Aug 9, 2013 at 8:44 PM
Also, we have replica servers. Do we need to install the WSUS Package Publisher to the replica servers?
No, it's not necessary. As your second server is a replica, there is very few administrative tasks for manage it. Manage your upstream server and the downstream's server will follow.
If you have something to do on the replica, you can even do it with the WPP installed on the upstream server. Just add the replica server to the list of server and connect to the replica.
Aug 9, 2013 at 8:52 PM
Thanks for your prompt reply!

We are unable to check if the KB is already installed. Our WSUS/WPP is on Windows Server 2012. We already have more than 1024 bit length Certificate (ours is 2048). Anything else we need to check?

Thanks again!
Coordinator
Aug 9, 2013 at 9:21 PM
Does it a self-signed certificate or a "Home-made" certificate ?
In the post of 26 April, you report that you have successfully publish some updates. What have been changes between that date and now ?
Aug 9, 2013 at 9:29 PM
Sorry for the confusion, our username is CTV and we are a different user from jonathonz who orignally posted last April 26th. We thought of using this thread since it's the same issue.

The certificate (it's showing code-signing) we are trying to use was generated from WPP.

Thanks for the info on the replica server. We were able to add it to the list of server.
Coordinator
Aug 9, 2013 at 10:05 PM
Oh ok, I would have preferred you open another post, but never mind :-)
The certificate (it's showing code-signing) we are trying to use was generated from WPP.
In fact, it's your Wsus server that have generate it. It's a self-signed certificate.
So, you are using a Wsus on Server 2012. With a self-sign certificate.
The certificate has been imported in :
  * (Local Computer)\Wsus certificate folder ?
  * (Local Computer)\Trusted Publisher ?
  * (Local Computer)\Trusted Root Certification Authority ?
You have reboot the server after importing the certificate ?
WPP run directly on the Wsus server.
Does the Wsus server set up to store updates locally or clients will download it from MS servers ?
Aug 9, 2013 at 10:42 PM
The certificate has been imported in
(Local Computer)\Wsus certificate folder
(Local Computer)\Trusted Publisher
(Local Computer)\Trusted Root Certification Authority

The server was rebooted after importing and WPP runs directly on the WSUS server.

Does the Wsus server set up to store updates locally or clients will download it from MS servers ?

It stores updates locally.

Thanks!
Coordinator
Aug 9, 2013 at 11:11 PM
Ok, let's try with another certificate.

Open mmc => certificate => local computer.
delete "WSUS Publishers Self-signed" certificate from "Wsus" store, "Trusted Root Authorithies" store and "Trusted Publisher" store. Reboot your server.
Launch WPP and generate a new self-signed certificate. Import it in "Trusted Root Authorithies" store and "Trusted Publisher" store. Reboot your server.

Try to publish a new update.
Oct 3, 2014 at 4:40 PM
Hi DCourtel,

I have followed all the steps you mentioned above and I've managed to publish updates with success.
  * (Local Computer)\Wsus certificate folder.
  * (Local Computer)\Trusted Publisher.
  * And the Certificate of the authority who have made this certificate should be in the (Local Computer)\Trusted Roor Certification Authority.
Due to the fact that in the environment which I am maintaining we have our own certificate server, I created a Code Signing Certificate according with the guide that is provided on WPP application folder.

I would like to ask if it is possible to avoid installing that certificate to all computers in our network cause the Certification Server is a trusted certification authority to all clients.

Thanks in advance.