Apple Software Update server Certificate expiration

mrowell
Contributor

"Mac OS X Server administrators who are managing their own Software Update servers should remove all updates signed with the expired certificates and redownload the updates from Apple"

http://support.apple.com/kb/HT5198

If you have seen your ASUS downloading old updates recently, here is the explanation why.


wangl2
Contributor

Hi, I am using Casper Suite and my only Mac server is a NetBoot and Software Update server. But I don't see any Software Update Service configured in my Server Admin. When I want to install updates using a Casper policy, it does work. I am not sure whether, in this case, I should worry about it. I cannot see where all the updates are downloaded/saved on the server.

mrowell
Contributor

wangl2,
If you are running a local Software Update server, then Software Update (and in your situation, NetBoot) should be visible in Server Admin. (There is a small disclosure triangle next to the server name - that should be pointing downwards).

wangl2
Contributor

Hi mrowell,
I have nothing in the Server Admin. It looks like there is no ASUS defined from the OS X Server itself. But my SUS does work when I push them out using Casper.
Is that some sort of different setup?

tanderson
Contributor

Thanks for posting this.

stevewood
Honored Contributor II

So what does this mean for Reposado and the JAMF NetSUS appliance? Are we going to need to delete the updates and re-download?

In my feeble brain, the answer to that is yes. But there are much smarter people on this list than I.

Greg, can you speak to the Reposado question?

Steve

rockpapergoat
Contributor III

the cert expiration affects all apple updates, so any other mechanism (like reposado) for downloading them is affected. purge and re-download is the fix.

rmanly
Contributor III

Are the freshly signed updates posted already or do we need to wait until tomorrow? I am not 100% clear on that from the kbase article.

rockpapergoat
Contributor III

agreed: it's not clear from the article, but i think whatever's there now should be fine.

rockpapergoat
Contributor III

i'm not sure if there's a way to verify the actual updates, either. verify the sha1 hashes posted on apple's download pages, of course, but determining if they've changed would require having a record of the old hashes.

for installed apps, you can at least see that apple apps are signed by their CA with something like: codesign -d -vv /Applications/Safari.app/

that doesn't help for flat pkg updates, though. i haven't tried expanding the payload to check signing on the individual components and probably won't… gots stuff ta' do.

rob_potvin
Contributor III

Don't forget that you have to update all the updates that you have floating around in your JSS.

donmontalvo
Esteemed Contributor III

@rpotvin Yep, and some of them were renamed to conform with our naming convention. We're going to run uber-guru Greg Neagle's script on our JSS to be safe. Then we'll need to circle back to hit the PKG installers that techs have on their USB drives, server shares, etc...

I really (REALLY) wish Apple had some management oversight, seems their processes are breaking down with Steve Jobs' passing. They really need an enterprise Big Cheeze. :(

Don

--
https://donmontalvo.com