locked
Failed to sign package; error was: 2147942402 RRS feed

  • Question

  • I'm getting this error repeatedly on multiple msi and exe software package creation attempts.  The certs appear to be in place.  I had created an Office 2007 customized software package prior to this with no problems.  The only other post in this forum did not have a resolution other than re-install.  Any assistance would be appreciated. 

    Output of error is:
    System.InvalidOperationException: Failed to sign package; error was: 2147942402
       at Microsoft.UpdateServices.Internal.BaseApi.Publisher.SignPackageCab()
       at Microsoft.UpdateServices.Internal.BaseApi.Publisher.PublishPackage(String sourcePath, String additionalSourcePath, String packageDirectoryName)
       at Microsoft.UpdateServices.Internal.BaseApi.Publisher.PublishPackage(String sourcePath, String packageDirectoryName)
       at Microsoft.EnterpriseManagement.SCE.Internal.UI.NewUpdatePackageWizard.PreparingPackagePage.PreparePackageBackgroundWorkerDoWork(Object sender, DoWorkEventArgs e)

    **Edit**
    This happens with Microsoft applications as well.  No actions were taken with certificates between the successful creation of the Office 2007 customized package and now. 

    **Edit**
    Information from the following thread has not contributed to the resolution:
    http://social.technet.microsoft.com/Forums/en-US/systemcenterdevelopment/thread/67aec156-71c6-41f5-8d19-7a8582338ea5 

    • Edited by voysovrezun Wednesday, May 20, 2009 4:08 PM More Information
    Tuesday, May 19, 2009 8:53 PM

Answers


  • This is what MS had me do to correct it (maybe it will save someone a support incident):
    1.       Took a backup of certificates.
    Under C:\Program files\system center essentials 2007\certificates
    WSUSCodeSigningCert.cer
    WSUSSSLCert.cer 
    2.       Took a backup from certificate store. 
    Click Start, click Run, type MMC in the text box, and then click OK to open the Microsoft Management Console (MMC). On the Managment Server Click File, click Add/Remove Snap-in, click Add, click Certificates, click Add, select Computer account, and then click Next.  Click Close, and then click OK. Expand Certificates expand WSUS, and then click Certificates.  Right click on WSUSPublishers Self-signed, then export choose all default options And save it.
    3.       We created a certificate now.
    In a command prompt, go to C:\Programs files\System Center Essentials 2007\
    Enter 'SCECertPolicyConfigUtil.exe /PolicyType Domain /ManagementGroup TestServer_MG /Sceserver TestServer
    Where TestServer_MG is the name of your management group and TestServer is your server name. If FQDN was present in the cert for your WSUS IIS instance, make sure you put the full FQDN or you will have other certificate troubles. 
    That will re-create certificates.
    4.       That creates the certificates automatically on C:\Program file\system center essentials 2007\certificates WSUSCodeSigningCert.cer
    WSUSSSLCert.cer
    Double click on WSUSCodeSigningCert.cer, then Details, scroll filed name Thumbprint 40 hexa decimal numbers.
    5.       Verify Thumbprint keys are correct.
    Click Start, click Run then regedit Got to below path
    HKLM\software\microsoft\system center essentials\1.0\policysettings
    Double click on \WSSUCodeSigningCertHash.
    Then compare Registry key with correct thumbprint value in below registry path.Make sure they are correct.
    6.       Now we need to install Certificate to certificate folders in local computer.
    Click Start, click Run, type MMC in the text box, and then click OK to open the
    Microsoft Management Console (MMC). on the Management Server
    Click File, click Add/Remove Snap-in, click Add, click Certificates, click Add, select Computer account, and then click next. Click Close, and then click OK.
    Expand Certificates expand WSUS, and then right click Certificates. And select All tests select Import.
    Select browse C:\Programs Files\System Center Essentials 2007\Certificates\
    Select WSUSCodeSigningCert.cer file. And select default setting that imports the certificate to WSUS folder.
    Repeat the same steps Trusted Publishers and Trusted Root Certificate Authorities.
    Once we have Completed the Certificate Import Wizards, close the console and reopen System Center Essentials 2007 Console.
    I was able to create software packages.
    Caveats:
    1. The SCE Managed computers group membership will be wiped out and need to be repopulated.
    2. Double-check the GPO settings associated with SCE as many will be reverted back to their default values (i.e., install patches at 3am every day).
    3. The certificates will need to be replaced on every client.  I wrote a vbscript to accomplish this. 
    4. Make sure your ability to remote console to the SCE server is still intact as this could be impacted.  Listing the SCEserver correctly in the command line

    • Marked as answer by voysovrezun Tuesday, March 30, 2010 6:18 PM
    Friday, March 12, 2010 7:22 PM

All replies

  • Hi,

    Check if wsuscodesigning.cer in MMC is identical with certificate in %programfiles%\system center essentials\certificates folder. You can delete lagacy certificate in MMC and then import the certificate in certificate folder.

    HTH.


    Jie-Feng Ren - MSFT
    Thursday, May 21, 2009 4:14 AM
  • I made sure the thumbprint for the WSUSCodeSigningCert.cer in %ProgramFiles\System Center Essentials 2007\Certificates matches what is in Trusted Root CA, Trusted Publishers Certificates, and Third-Party Root CA.  There was a duplicate cert in each of the CAs.  I exported the ones with a thumbprint that didn't match what was in the program directory.  I also verified the thumbprint listed in the Registry at HKLM\Software\Microsoft\System Center Essentials\1.0\PolicySettings with the one located in the program directory.  I restarted the server and tried to create a software package and it failed with the same error. 

    **Edit**
    I reimported the certificate to the above mentioned certificate stores and the same error occurs at the point where the package is digitally signed. \
     
    • Edited by voysovrezun Friday, May 22, 2009 10:29 PM More Information
    Friday, May 22, 2009 10:16 PM
  • Hi,

    If this is the case, it seems you need to re-install SCE to re-create new certificates.

    HTH.
    Jie-Feng Ren - MSFT
    Monday, May 25, 2009 7:29 AM
  • The Configure product features wizard re-creates the certificates in the mmc (Trusted Root CA, Trusted Publishers Certificates, and Third-Party Root CA).  It creates two of them in each CA (WSUSCodeSigningCert) in the MMC.  Only one matches the thumbprint in the registry at HKLM\Software\Microsoft\System Center Essentials\1.0\PolicySettings.  Removing one or the other doesn't resolve.  Editing the thumbprint to match the other one it created is not successful.  A full re-install?  Is that the only solution?  Since I don't know the cause and no changes were performed with the certificates, how could I possibly prevent it from happening again?  What's to say the same thing won't happen? 
    Tuesday, May 26, 2009 4:18 PM
  • Hi,

    I recommend to full re-install as a best practice and back up the new created certificate to avoid same problem from happening again.

    HTH.
    Jie-Feng Ren - MSFT
    Wednesday, May 27, 2009 8:31 AM
  • That's the thing.  I backed up both certificates from the MMC prior to attempting any resolution. Re-instating them made no difference.  It doesn't seem to be associating with that certificate correctly(?)  I see this as happening again in the future.  When there are 350 clients installed, a re-install will not go over well as a solution.  The Operation Manager and WSUS portion are functioning normally.  The product was over $6,000 for our organization and the only thing we can do is re-install should one piece fail.  Would opening a support incident be worth the trouble? 
    Wednesday, May 27, 2009 3:23 PM

  • This is what MS had me do to correct it (maybe it will save someone a support incident):
    1.       Took a backup of certificates.
    Under C:\Program files\system center essentials 2007\certificates
    WSUSCodeSigningCert.cer
    WSUSSSLCert.cer 
    2.       Took a backup from certificate store. 
    Click Start, click Run, type MMC in the text box, and then click OK to open the Microsoft Management Console (MMC). On the Managment Server Click File, click Add/Remove Snap-in, click Add, click Certificates, click Add, select Computer account, and then click Next.  Click Close, and then click OK. Expand Certificates expand WSUS, and then click Certificates.  Right click on WSUSPublishers Self-signed, then export choose all default options And save it.
    3.       We created a certificate now.
    In a command prompt, go to C:\Programs files\System Center Essentials 2007\
    Enter 'SCECertPolicyConfigUtil.exe /PolicyType Domain /ManagementGroup TestServer_MG /Sceserver TestServer
    Where TestServer_MG is the name of your management group and TestServer is your server name. If FQDN was present in the cert for your WSUS IIS instance, make sure you put the full FQDN or you will have other certificate troubles. 
    That will re-create certificates.
    4.       That creates the certificates automatically on C:\Program file\system center essentials 2007\certificates WSUSCodeSigningCert.cer
    WSUSSSLCert.cer
    Double click on WSUSCodeSigningCert.cer, then Details, scroll filed name Thumbprint 40 hexa decimal numbers.
    5.       Verify Thumbprint keys are correct.
    Click Start, click Run then regedit Got to below path
    HKLM\software\microsoft\system center essentials\1.0\policysettings
    Double click on \WSSUCodeSigningCertHash.
    Then compare Registry key with correct thumbprint value in below registry path.Make sure they are correct.
    6.       Now we need to install Certificate to certificate folders in local computer.
    Click Start, click Run, type MMC in the text box, and then click OK to open the
    Microsoft Management Console (MMC). on the Management Server
    Click File, click Add/Remove Snap-in, click Add, click Certificates, click Add, select Computer account, and then click next. Click Close, and then click OK.
    Expand Certificates expand WSUS, and then right click Certificates. And select All tests select Import.
    Select browse C:\Programs Files\System Center Essentials 2007\Certificates\
    Select WSUSCodeSigningCert.cer file. And select default setting that imports the certificate to WSUS folder.
    Repeat the same steps Trusted Publishers and Trusted Root Certificate Authorities.
    Once we have Completed the Certificate Import Wizards, close the console and reopen System Center Essentials 2007 Console.
    I was able to create software packages.
    Caveats:
    1. The SCE Managed computers group membership will be wiped out and need to be repopulated.
    2. Double-check the GPO settings associated with SCE as many will be reverted back to their default values (i.e., install patches at 3am every day).
    3. The certificates will need to be replaced on every client.  I wrote a vbscript to accomplish this. 
    4. Make sure your ability to remote console to the SCE server is still intact as this could be impacted.  Listing the SCEserver correctly in the command line

    • Marked as answer by voysovrezun Tuesday, March 30, 2010 6:18 PM
    Friday, March 12, 2010 7:22 PM