Justin - You're right, I've applied the "Allow signed updates" and
published the cert to Trusted Publishers using group policy.  That might
explain why the updates are failing during the TS, although it leaves me
wondering why they started failing only recently.  Hmm... I wonder if the
updates had been failing before, and weren't actually causing the TS to
fail.  If that's the case, then I must have done something else to correct
the failing TS yesterday without realizing it.

I've got a thought or two on that I'll have to check into.  Meanwhile, I
still need to figure out why I can't re-publish these updates from SCUP.

Thanks,
Steve

On Tue, Dec 23, 2014 at 9:32 AM, Justin Chalfant <
justin.chalf...@microsoft.com> wrote:

>  It’s because the cert isn’t in the trusted publishers and the allow
> signed updates isn’t enabled.
>
>
>
> You are likely enabling these via GPO and GPOs don’t apply until after
> the task sequence.
>
>
>
> Thanks,
>
>
>
> *Justin Chalfant*
>
> Premier Field Engineer – Configuration Manager
>
> Public Sector
>
> Microsoft Services
>
>
>
> Tel : (303) 846-2701
>
> Email:     justin.chalf...@microsoft.com
>
>
>
> If you have any feedback about my work, please let either myself or my
> manager Rusty Gray know at rusty.g...@microsoft.com
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:
> listsad...@lists.myitforum.com] *On Behalf Of *Steve Whitcher
> *Sent:* Tuesday, December 23, 2014 7:47 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] SCUP Certificate expired - How to republish old
> updates?
>
>
>
> A couple of weeks ago, our OSD TS started failing.  In the logs, I found a
> few updates were failing to install.  All of the problem updates were for
> 3rd party software, published through SCUP.  When I tried republishing
> updates from SCUP, I found that the signing certificate had expired.  (I
> wouldn't expect that to have caused already published updates to fail to be
> deployed, especially since I do have the time-stamp option enabled in SCUP,
> but I can't find any other reason that these particular updates would be
> failing to deploy.)
>
>
>
> I removed the affected updates from update groups so that they wouldn't be
> deployed anymore, and now the TS is completing successfully.  I've
> requested a new cert from our CA and installed it in SCUP.  I added the new
> cert to trusted publishers via group policy.  I added a handful of new
> updates to a publication in SCUP and tried to re-publish it.  The publish
> fails early on, with a failure to verify the signature on a package.
> Looking at the logs, it appears that the package in question is an update
> that was published previously.  Since the package is the same and only
> metadata has changed, SCUP doesn't push the package again, but tries to
> update the metadata only.  I am guessing that the signature verification
> fails because the package was signed with the old certificate, which was
> valid at the time, but has since expired.
>
>
>
> Does that make sense?
>
>
>
> At this point, I removed all old updates from the publication in SCUP and
> published it successfully with only the new updates.  I believe I need to
> somehow get the old updates re-published though, so that they will have the
> updated metadata and the correct signature on the package, and can be added
> back into update groups for deployment.  How can I get these previously
> published updates to republish to SCCM?
>
>
>
> Thanks,
> Steve Whitcher
>
>
>
>
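
The two client-side prerequisites named in this thread (signing certificate in Trusted Publishers, "Allow signed updates" enabled) can be checked on a machine directly, for example from a step inside the task sequence before group policy has applied. This is an added example, not code from either poster: the function name is hypothetical, the thumbprint is a placeholder, and it assumes the policy is stored as the AcceptTrustedPublisherCerts value under the Windows Update policy key.

```powershell
# Added example: report whether this machine can accept locally published
# (SCUP-signed) updates. Run elevated, or as SYSTEM inside the task sequence.
function Test-SignedUpdatePrereqs {
    param(
        # Placeholder: thumbprint of the SCUP/WSUS signing certificate.
        [Parameter(Mandatory)][string]$Thumbprint
    )
    $thumb = ($Thumbprint -replace '\s', '').ToUpperInvariant()

    # 1. "Allow signed updates..." policy: AcceptTrustedPublisherCerts = 1
    $wuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $policy = (Get-ItemProperty -Path $wuKey -Name AcceptTrustedPublisherCerts `
                  -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts

    # 2. Signing certificate present in the machine Trusted Publishers store
    $cert = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
                Where-Object { $_.Thumbprint -eq $thumb } |
                Select-Object -First 1

    # 3. Chain and validity check without revocation lookups, since a machine
    #    in the middle of OSD may not be able to reach a CRL distribution point.
    $chainOk = $false
    $status  = @()
    if ($cert) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk = $chain.Build($cert)
        $status  = $chain.ChainStatus | ForEach-Object { $_.Status.ToString() }
    }

    [pscustomobject]@{
        AllowSignedUpdates  = ($policy -eq 1)
        InTrustedPublishers = [bool]$cert
        NotAfter            = if ($cert) { $cert.NotAfter } else { $null }
        Expired             = [bool]($cert -and $cert.NotAfter -lt (Get-Date))
        ChainTrusted        = $chainOk
        ChainStatus         = ($status -join ', ')
    }
}

# Replace the placeholder with the real thumbprint before running.
Test-SignedUpdatePrereqs -Thumbprint '<SIGNING-CERT-THUMBPRINT>' | Format-List
```

A result with AllowSignedUpdates or InTrustedPublishers false during the task sequence but true after the first policy refresh matches the GPO-timing explanation given in the reply.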


