File cert verification failure regarding only KB4504418

Question

  • Hello,

    I'm currently experiencing the following problem:

    A WSUS 3.2.7600.307 running on a Windows 2008 R2 Standard server repeatedly fails to download two specific files. The server itself is fully updated; .NET 3.5.1 is installed; WID is used for the WSUS database.

    The problematic files are two express installation files for KB4504418 (Servicing Stack Update for Windows 8.1, Server 2012, and Server 2012 R2), as reported by the corresponding events:

    Inhaltdateisynchronisierung ist fehlgeschlagen. Ursache: File cert verification failure. Quelldatei: /c/msdownload/update/software/secu/2019/07/windows8-rt-kb4504418-x86_cbfca28e203c05cf0d8bf6e8c56d81c9bd170789.psf Zieldatei: c:\WSUS\WsusContent\89\CBFCA28E203C05CF0D8BF6E8C56D81C9BD170789.psf.

    Inhaltdateisynchronisierung ist fehlgeschlagen. Ursache: File cert verification failure. Quelldatei: /c/msdownload/update/software/secu/2019/07/windows8-rt-kb4504418-x64_7fc2ec35606f12f6065408850962706ebd9c9816.psf Zieldatei: c:\WSUS\WsusContent\16\7FC2EC35606F12F6065408850962706EBD9C9816.psf.

    A closer analysis of e.g. the x86 file results in the following observations:

    • Manually downloading the file windows8-rt-kb4504418-x86_cbfca28e203c05cf0d8bf6e8c56d81c9bd170789.psf works in general.
    • The SHA1 hash value of this file matches the file name as well as the FileDigest entry found in tbFile.
    • The SHA256 hash value of the file should be 0x52A3560EB5DB626E0CF52894CBB41D09B360C0310FF9692DE867FB2F2F3C7DFA according to tbFileHash. SoftwareDistribution.log reports the following:

    [...]
    2019-07-11 04:34:31.281 UTC      Info      WsusService.12      ContentSyncAgent.WakeUpWorkerThreadProc      Processing Item: 316170c4-97ec-4dbc-9364-17b6832294f3, State: 10
    2019-07-11 04:34:31.921 UTC      Info      WsusService.12      ContentSyncAgent.VerifyCRC      calculated sha2 sha256 hash is 52A3560EB5DB626E0CF52894CBB41D09B360C0310FF9692DE867FB2F2F3C7DFA
    2019-07-11 04:34:31.936 UTC      Info      WsusService.12      CabUtilities.CheckCertificateSignature      File cert verification failed for c:\WSUS\WsusContent\89\CBFCA28E203C05CF0D8BF6E8C56D81C9BD170789.psf with 2148098064
    2019-07-11 04:34:31.983 UTC      Warning      WsusService.12      ContentSyncAgent.WakeUpWorkerThreadProc      Invalid file deleted: c:\WSUS\WsusContent\89\CBFCA28E203C05CF0D8BF6E8C56D81C9BD170789.psf
    [...]

    Judging from the SHA256 hash value, the server seems to be able to download the file fine. This -- as well as the fact that other files are processed without a hitch, including e.g. the CAB files of KB4504418, which are only signed using SHA256 -- leads me to the assumption that this is not a case of a SHA2/SHA256 misconfiguration.

    Is there any way to check the digital signatures of PSF files by hand? Common tools like Windows Explorer or SigCheck don't seem to recognize signatures in PSF files.

    Addendum: The problem is reproducible using a fresh server setup where only four updates have been approved.

    Regards,

    Deniz

    Saturday, July 13, 2019 3:38 PM
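The hash checks described in the post above (SHA-1 against the file name and the FileDigest entry, SHA-256 against tbFileHash), as an added PowerShell example that is not part of the thread. The function Test-WsusContentHash, its parameters and the constructed demo file at the end are my own; the path and the tbFileHash value in the usage comment are the ones quoted in the post.

```powershell
# Added example, not code from the thread: compare a downloaded WSUS content
# file's hashes with the SHA-1 embedded in its file name and, optionally, with
# the SHA-256 stored in the WSUS database (tbFileHash). The function name and
# parameters are my own; Get-FileHash requires PowerShell 4.0 or later.
function Test-WsusContentHash {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        # Expected SHA-256 as shown in tbFileHash, with or without the 0x prefix.
        [string] $ExpectedSha256 = ''
    )

    $sha1   = (Get-FileHash -Path $Path -Algorithm SHA1).Hash
    $sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    # Both naming schemes seen in the thread carry the SHA-1: the download name
    # ends in "_<40 hex>.psf", the WsusContent name is "<40 HEX>.<ext>".
    $name     = [System.IO.Path]::GetFileName($Path)
    $nameSha1 = $null
    if ($name -match '(?:^|_)([0-9A-Fa-f]{40})\.[^.]+$') {
        $nameSha1 = $Matches[1].ToUpperInvariant()
    }

    $result = [pscustomobject]@{
        File            = $name
        Sha1            = $sha1
        Sha1MatchesName = ($null -ne $nameSha1) -and ($nameSha1 -eq $sha1)
        Sha256          = $sha256
        Sha256MatchesDb = $null      # stays $null when no expected value was given
    }
    if ($ExpectedSha256 -ne '') {
        $expected = ($ExpectedSha256 -replace '^0x', '').ToUpperInvariant()
        $result.Sha256MatchesDb = ($expected -eq $sha256)
    }
    return $result
}

# Usage on the x86 file from the post (path and tbFileHash value as quoted there):
# Test-WsusContentHash -Path 'C:\WSUS\WsusContent\89\CBFCA28E203C05CF0D8BF6E8C56D81C9BD170789.psf' `
#     -ExpectedSha256 '0x52A3560EB5DB626E0CF52894CBB41D09B360C0310FF9692DE867FB2F2F3C7DFA'

# Offline demonstration with a constructed file named the way WSUS names its
# downloads (kbXXXXXXX is a placeholder), so the check can be exercised
# without a WSUS server:
$demoDir = Join-Path $env:TEMP 'wsus-hash-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$scratch = Join-Path $demoDir 'scratch.bin'
[System.IO.File]::WriteAllBytes($scratch, [byte[]](1..64))
$sha1Lower = (Get-FileHash -Path $scratch -Algorithm SHA1).Hash.ToLowerInvariant()
$demoFile  = Join-Path $demoDir "windows8-rt-kbXXXXXXX-x86_${sha1Lower}.psf"
Move-Item -Path $scratch -Destination $demoFile -Force
# Reports whether the SHA-1 of the constructed file matches its own name.
Test-WsusContentHash -Path $demoFile | Format-List
```

A matching SHA-1 and SHA-256 only shows that the transfer was intact; as the log lines above illustrate, WSUS still runs a separate Authenticode check (CabUtilities.CheckCertificateSignature) after ContentSyncAgent.VerifyCRC, and that is the step that fails here.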

All replies

  • Hi Deniz,

    I noticed that your WSUS is running on Windows Server 2008 R2, so you need to check if this server has the SHA-2 Support update KB4484071 installed, because without applying this SHA-2 update, beginning July 2019, WSUS 3.0 SP2 (also called WSUS 3.2) will not be able to perform the necessary WSUS update tasks.

    Reply back with the results; I would be happy to help.

    Regards,
    Yic

    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 15, 2019 2:49 AM
  • Hi Yic,

    thanks for your answer. Yes, WSUS has KB4484071 installed, and the prerequisites (like .NET 3.5.1) were installed beforehand.

    As I tried to explain in my original post, the server processes various files that are only signed by SHA-2 just fine. It's just these two files that get rejected.

    Example: Windows8-RT-KB4504418-x86.cab (locally saved as 1EF71C179701573547E3FF92FD300DAA9516DEEF.cab) has been downloaded successfully. Its digital signature is only based on SHA-2.

    Regards,

    Deniz

    • Edited by Deniz Özmen Monday, July 15, 2019 4:26 AM clarification, grammar
    Monday, July 15, 2019 3:46 AM
  • Hello Deniz,

    Same problem here. I have an SBS 2011 with all updates applied. However, two updates for Windows 10 1803 (KB4509094 and KB4507435) are failing to download. Updates for Server 2008 R2, Office 2016, SQL Server 2014 and definition updates are working flawlessly.

    I am getting the error 2148098064 on psf files, too.

    Best regards,

    Franz

    Monday, July 15, 2019 6:54 AM
  • Hi Deniz,

    As far as I know, SHA-256 is a variant of SHA-2; it is essentially a single algorithm in which a few minor parameters differ among the variants. And I got the KB4504418 versions of the files through the Microsoft Update Catalog; they also have digital certificates issued via SHA-256. (But I didn't find the version you mentioned, Windows8-RT-KB4504418-x86.cab.)

    To offer one of my thoughts: I think the problem may be in the .psf file. I checked my experimental environment, and IIS's MIME Types did not have support for .psf files. Some articles mention that the PSF file contains byte ranges for payload, so I suggest you try adding .psf support in MIME Types with type "application/octet-stream".

    Reply back with the results; I would be happy to help.

    Regards,
    Yic

    Monday, July 15, 2019 8:30 AM
  • Hi Yic, hi Franz,

    glad to hear I'm not alone. ;-)

    I tried adding the .psf extension as "application/octet-stream" to the list of MIME types, but unfortunately there was no change in WSUS behaviour.

    I did notice something else, though: Contrary to my original assumption, Windows Explorer does support showing the digital signature of PSF files via the usual property sheet, but this seems to work only on the Server machine, not on a Windows 7 client. (Maybe the requirement for this is having WSUS installed?)

    Anyway, I made the following observations regarding the validity of digital signatures of files downloaded by WSUS:

    - CAB files that are double-signed using SHA1 and SHA256: Both signatures are shown as valid.

    - CAB files that are single-signed using SHA256: The signature is shown as valid.

    - EXE files that are double-signed using SHA1 and SHA256: Both signatures are shown as valid.

    - EXE files that are single-signed using SHA256: The signature is shown as valid.

    - PSF files that are double-signed using SHA1 and SHA256: The SHA1 signature is shown as valid, while the SHA256 signature is shown as invalid(!).

    - PSF files that are single-signed using SHA256: Couldn't find any.

    Note that double-signed PSF files are still accepted by WSUS, presumably because the SHA1-based signature is valid. (Maybe it is checked first?) So, it would seem that SHA256-based digital signatures are never accepted by the server, but only with respect to PSF files.

    I noticed that KB4474419 had been re-released for Windows Server 2008 (non-R2) due to an issue with SHA-2 support for MSI files. Is it possible that a similar issue exists regarding SHA-2 support for PSF files on Server 2008 R2?

    Monday, July 15, 2019 6:55 PM
  • Hi Deniz,

    Thank you for sharing; this is very helpful in understanding what we are currently experiencing.

    But I'm sorry, the articles I'm currently viewing don't have a good explanation for this. I will continue to pay attention to whether this is a problem in itself, as you said.
    You can wait for answers from other experts, or you can contact Microsoft support directly for more help.

    Thanks again for sharing, and I look forward to your continued progress.

    Regards,
    Yic

    Tuesday, July 16, 2019 2:13 AM
  • Hi Yic,

    thank you. Unfortunately, I'm a home user and don't have a business support plan. Maybe someone else who experiences this problem can contact support and report back here?

    Regards,

    Deniz

    Tuesday, July 16, 2019 4:15 AM
  • Hi all,

    I guess I might have found the culprit: The file responsible for verifying the signature of PSF files seems to be C:\Windows\System32\Psfsip.dll ("Crypto SIP provider for signing and verifying .psf patch storage files").

    The file installed on this server is versioned 7.4.7600.226 and has a last modification date of 2009-08-06.

    I tried replacing the file with a different version (6.2.9200.16384, belonging to Server 2012) just to see what would happen.

    Immediately afterwards, the Explorer property sheet showed SHA256 signatures of PSF files as valid. Retriggering the failed downloads in the WSUS console led to the files being downloaded again and this time around being accepted by WSUS.

    Obviously, this is not a permanent solution. I have no idea which possible adverse effects swapping this DLL might have.

    A quick glance at the installer for KB4484071 showed no indication of an updated Psfsip.dll. I'm not sure whether it is simply missing from the WSUS installer packages, or if it is supposed to be installed, but for some reason is not placed on the system.

    I'd still appreciate if someone contacted Microsoft support over this.

    Regards,

    Deniz

    Tuesday, July 16, 2019 8:03 PM
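A way to reproduce the two findings in this thread from the command line, the per-file-type signature verdicts in Deniz's earlier list and the Psfsip.dll version check in the post just above, as an added PowerShell example that is not from the thread. The function names Get-PsfSipInfo and Get-WsusContentSignatureStatus are my own; the Psfsip.dll path, the version 7.4.7600.226 and the two content paths in the usage comment are taken from the posts. It relies on the fact that Get-AuthenticodeSignature hands verification to the SIP registered for the file's type, which for .psf files is Psfsip.dll, so its Status column is the same verdict WSUS and the Explorer property sheet get.

```powershell
# Added example, not code from the thread: report the file version of the PSF
# SIP provider and the Authenticode status the OS reports for content files.
# The Psfsip.dll path and the version numbers come from the posts above; the
# function names are my own.
function Get-PsfSipInfo {
    $sip = Join-Path $env:SystemRoot 'System32\Psfsip.dll'
    if (-not (Test-Path -LiteralPath $sip)) {
        return [pscustomobject]@{
            Path = $sip; Present = $false; FileVersion = $null
            LastWrite = $null; IsUnpatched2009Build = $null
        }
    }
    $item = Get-Item -LiteralPath $sip
    [pscustomobject]@{
        Path        = $sip
        Present     = $true
        FileVersion = $item.VersionInfo.FileVersion
        LastWrite   = $item.LastWriteTime
        # 7.4.7600.226 (dated 2009-08-06) is the build the thread found rejecting
        # SHA-256 signatures on .psf files; the KB4484071 re-release replaced it.
        IsUnpatched2009Build = ($item.VersionInfo.FileVersion -like '7.4.7600.226*')
    }
}

function Get-WsusContentSignatureStatus {
    [CmdletBinding()]
    param(
        # Downloaded content files (.psf, .cab, .exe) to examine.
        [Parameter(Mandatory = $true)] [string[]] $Path
    )
    foreach ($p in $Path) {
        # Status is the SIP's verdict (Valid, HashMismatch, NotSigned,
        # NotSupportedFileFormat, UnknownError, ...). A stale Psfsip.dll shows up
        # as a non-Valid status for .psf files only, while the same machine
        # reports .cab and .exe files as Valid; a client without the PSF SIP
        # registered at all reports NotSupportedFileFormat for .psf.
        $sig    = Get-AuthenticodeSignature -FilePath $p
        $signer = $null
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        [pscustomobject]@{
            File          = [System.IO.Path]::GetFileName($p)
            Extension     = [System.IO.Path]::GetExtension($p).ToLowerInvariant()
            Status        = $sig.Status
            StatusMessage = $sig.StatusMessage
            Signer        = $signer
        }
    }
}

# Usage on the WSUS server, with the two rejected files from the original post:
# Get-PsfSipInfo
# Get-WsusContentSignatureStatus -Path `
#     'C:\WSUS\WsusContent\89\CBFCA28E203C05CF0D8BF6E8C56D81C9BD170789.psf',
#     'C:\WSUS\WsusContent\16\7FC2EC35606F12F6065408850962706EBD9C9816.psf' |
#     Format-Table -AutoSize
```

Running both functions before and after a servicing-stack or WSUS update gives a quick regression check: if Get-PsfSipInfo still reports the 2009 build and .psf files come back non-Valid while .cab and .exe files from the same sync are Valid, the verifier, not the content, is the problem, which is the situation the thread describes and the updated KB4484071 resolved.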
  • The recent re-release of KB4484071 (containing WSUS 3.2.7600.324) has fixed the problem. As expected, a new Psfsip.dll was installed on the server.
    Tuesday, September 10, 2019 6:45 PM