HTTP Distribution Error: Could not verify the downloaded package

aurica
New Contributor III

Since upgrading to 9.x, I haven't been able to distribute disk images via HTTP.

In this example, HTTP was enabled for my master distribution point. Verbose output from a manually triggered policy showed that post-download verification was failing:

HOSTNAME:~ username$ sudo jamf policy -verbose -trigger exampletrigger
Password:
 verbose: Checking for an existing instance of this application...
Checking for policies triggered by "exampletrigger"...
 verbose: Checking for active connection on interface "Ethernet"...
 verbose: Found active connection on "Ethernet"...
 verbose: Checking for active connection on interface "USB Ethernet"...
 verbose: No active connection on "USB Ethernet"...
 verbose: The Management Framework Settings are up to date.
 verbose: Found 1 matching policies.
 verbose: Removing any cached policies for this trigger.
 verbose: Parsing servers...
 verbose: Parsing Policy Example Policy -trigger exampletrigger (193)...
 verbose: Parsing Policy Example Policy -trigger exampletrigger (193)...
Executing Policy FICO Root Certificate -trigger exampletrigger...
    Caching package ExampleDiskImage.dmg... 
Downloading http://jss925.company.com/CasperShare/Packages/ExampleDiskImage.dmg...
**Verifying DMG...
Error: Could not verify the downloaded package.
Error: Could not verify the downloaded package. 1
**Creating directory structure for /Library/Application Support/JAMF/Downloads/
Downloading http://jss925.company.com/CasperShare/Scripts/exampleScript.sh...
 verbose: Copying script to temp directory...
 verbose: Determining script type...
Running script exampleScript.sh...
Mounting the DMG ExampleDiskImage.dmg...
hdiutil: mount failed - No such file or directory
 verbose: Removing local copy...
Submitting log to https://jss925.company.com:8443/

Note that the script didn't go through the same verification; it downloads and executes successfully. And the URLs are valid. The files downloaded through a web browser, which indicated that the share was configured correctly. If I disabled HTTP and reverted to SMB, the policy would execute without a problem:

HOSTNAME:~ username$ sudo jamf policy -verbose -trigger exampletrigger
Password:
 verbose: Checking for an existing instance of this application...
Checking for policies triggered by "exampletrigger"...
 verbose: Checking for active connection on interface "Ethernet"...
 verbose: Found active connection on "Ethernet"...
 verbose: Checking for active connection on interface "USB Ethernet"...
 verbose: No active connection on "USB Ethernet"...
 verbose: The Management Framework Settings are up to date.
 verbose: Found 1 matching policies.
 verbose: Removing any cached policies for this trigger.
 verbose: Parsing servers...
 verbose: Parsing Policy Example Policy -trigger exampletrigger (193)…
 verbose: Parsing Policy Example Policy -trigger exampletrigger (193)...
Executing Policy Example Policy -trigger exampletrigger...
    Mounting jss925 (jss925.company.com) to /Volumes/CasperShare...
 verbose: Result of mount attempt: 
    Caching package ExampleDiskImage.dmg... 
 verbose: Copying script to temp directory...
 verbose: Determining script type...
Running script exampleScript.sh...
Script exit code: 0
Mounting the DMG ExampleDiskImage.dmg...
DMG mounted successfully as volume /Volumes/ExampleDiskImage on device /dev/disk1.
Unmounting disk /dev/disk1...
"disk1" unmounted.
"disk1" ejected.
 verbose: Removing local copy...
Submitting log to https://jss925.company.com:8443/
Unmounting file server...

Using dtrace to investigate, it looked like the HTTP download verification was getting handled behind the scenes by hdiutil, so I decided to try reproducing that verification with the ExampleDiskImage.dmg that I downloaded through Safari… And sure enough, verification failed because ExampleDiskImage.dmg had no checksum.

HOSTNAME:~ username$ hdiutil verify ~/Downloads/ExampleDiskImage.dmg
hdiutil: verify: "~/Downloads/ExampleDiskImage.dmg" has no checksum.

What was different about ExampleDiskImage.dmg? It was read/write. Supplied by a vendor and uploaded without being repackaged. I created a .dmg with Composer and ran it through hdiutil for the purpose of comparison, and it checksummed beautifully:

HOSTNAME:~ username$ hdiutil verify ~/Desktop/ComposerDiskImage.dmg 
Checksumming Driver Descriptor Map (DDM : 0)…
     Driver Descriptor Map (DDM : 0): verified   CRC32 $891C5427
Checksumming Apple (Apple_partition_map : 1)…
.
     Apple (Apple_partition_map : 1): verified   CRC32 $0733F2A8
Checksumming disk image (Apple_HFS : 2)…
............................................................................................................................................................................................................................
          disk image (Apple_HFS : 2): verified   CRC32 $61A64D66
Checksumming  (Apple_Free : 3)…
.............................................................................................................................................................................................................................
                    (Apple_Free : 3): verified   CRC32 $00000000
.............................................................................................................................................................................................................................
verified   CRC32 $8F5BF213
hdiutil: verify: checksum of "~/Desktop/ComposerDiskImage.dmg" is VALID

So, if some of your policies have been failing miserably over HTTP, this may be the reason why. I hope it helps!

2 REPLIES 2

aurica
New Contributor III

To identify disk images that would fail the HTTP checksum:

#!/bin/bash
# Find_ReadWrite_Disk_Images.sh
# Created by Aurica Hayes 2014

# Variables and Functions #
# TargetDir=""
IFS=$'
'

# Main Process #
if [[ -z "$TargetDir" ]];
then
TargetDir=`osascript -e 'tell application "System Events"' -e 'activate' -e 'set TargetDir to choose folder with prompt "Select the CasperShare Packages directory."' -e 'tell application "Finder" to return the POSIX path of TargetDir as text' -e 'end tell'`
fi

cd $TargetDir
DMGS="`find . -maxdepth 1 -type f -iname '*.dmg' ! -name '._*'`"
for DMG in ${DMGS}
do
Checksum=$(hdiutil imageinfo "$DMG" -checksum 2>&1)
if [[ $Checksum == *"has no checksum"* ]];
then
echo "$DMG" | sed 's/.///g'
fi
done
exit 0

pbenham
Contributor

Thank you very much for posting this. I was pulling my hair out! We're starting to transition from 8.x to 9.x and I had copied some DMG's from the old server to the new one and they were failing to install over HTTP. Your script helped me identify the 'bad' ones and then I just used Disk Utility to re-compress them and pop them back up to the new server, overwriting the bad copies. Now I can go home happy.
Thanks again,

Paul