JSS 9.31: Checksums required for all PKGs by default on 9.31

donmontalvo
Esteemed Contributor III

After our 8.73 > 9.31 migration, we had a bit of a struggle getting policies to work. Our JAMF buddy found the problem. JSS 9.31 has "Verify Packages" on by default. So packages without checksums will fail given the default "Always" setting. Set to "When available" if you want packages with checksums to be validated, else if no checksum it'll skip verification. Alerted JAMF, they're looking into changing the default to "Never" so checksums are ignored by default.

HTH,
Don

--
https://donmontalvo.com
3 ACCEPTED SOLUTIONS

were_wulff
Valued Contributor II

Hello again @donmontalvo ! :)

Just for reference, that behavior is filed under D-006775 (for those of you that like to track them).

It's currently open with a disposition of Planned for Release, so we'll hopefully be seeing a fix for it soon.

In the mean time, as you've mentioned, we can either set it to "When available" or "Never" through Computer Management >> Security.

Amanda Wulff
JAMF Software Support

View solution in original post

were_wulff
Valued Contributor II

@bentoms][/url

We should be able to get it to calculate the checksum by right clicking on the package in Admin and selecting "Calculate Selected Package Checksum(s)". There should be an option in the context menu to create one if no checksum is present as well.

Normally, Admin displays the checksum if one is present, however. It may not pull the correct one on an unmigrated database due to D-006777, but you'll notice that right away as it will put the local path of the file as the "checksum".

Amanda Wulff
JAMF Software Support

View solution in original post

were_wulff
Valued Contributor II

@bentoms

You should be able to select multiple packages, right click (or use the File menu), and have the option to generate a checksum.

As far as I'm seeing, that's the only way to do it currently as the isn't an option to just search the share and generate a checksum for packages that don't have one. It may be possible to do a Command A to select all and see if it's an option, though.

If you're looking for an option more along the lines of 'scan the share, find packages that don't have a checksum, and generate one for them' I'd recommend a feature request.

Amanda Wulff
JAMF Software Support

View solution in original post

14 REPLIES 14

were_wulff
Valued Contributor II

Hello again @donmontalvo ! :)

Just for reference, that behavior is filed under D-006775 (for those of you that like to track them).

It's currently open with a disposition of Planned for Release, so we'll hopefully be seeing a fix for it soon.

In the mean time, as you've mentioned, we can either set it to "When available" or "Never" through Computer Management >> Security.

Amanda Wulff
JAMF Software Support

bentoms
Release Candidate Programs Tester

Is there a way to populate the checksums?

I guess if not I'll file a FR.

were_wulff
Valued Contributor II

@bentoms][/url

We should be able to get it to calculate the checksum by right clicking on the package in Admin and selecting "Calculate Selected Package Checksum(s)". There should be an option in the context menu to create one if no checksum is present as well.

Normally, Admin displays the checksum if one is present, however. It may not pull the correct one on an unmigrated database due to D-006777, but you'll notice that right away as it will put the local path of the file as the "checksum".

Amanda Wulff
JAMF Software Support

bentoms
Release Candidate Programs Tester

Thanks @amanda.wulff, but that's one by one.. Anyway to have it run across the whole share?

were_wulff
Valued Contributor II

@bentoms

You should be able to select multiple packages, right click (or use the File menu), and have the option to generate a checksum.

As far as I'm seeing, that's the only way to do it currently as the isn't an option to just search the share and generate a checksum for packages that don't have one. It may be possible to do a Command A to select all and see if it's an option, though.

If you're looking for an option more along the lines of 'scan the share, find packages that don't have a checksum, and generate one for them' I'd recommend a feature request.

Amanda Wulff
JAMF Software Support

donmontalvo
Esteemed Contributor III

@amanda.wulff Yep we did a COMMAND-A and created checksums for all the PKGs in our DP, worked like a charm. :)

--
https://donmontalvo.com

jrippy
Contributor II

@amanda.wulff and what do you do if you don't have the option to generate checksums? Running 9.31 and logged into Casper Admin as a user with full admin privs.

were_wulff
Valued Contributor II

@jrippy

If you're not seeing the Calculate Package Checksum option either in the file menu or when right clicking on a pkg or dmg file, and we've verified that:

- We're on the matching version of Admin.
- Not logged in as a Site Administrator (and the last user logged into the JSS wasn't a site administrator).
- Certain about the privileges.

I would recommend getting in touch with your Technical Account Manager; even if the option to Calculate Package Checksum is grayed out due to lack of permissions, it should always show up in the File menu or when right clicking on a pkg or dmg. If it's not showing up at all, something else is going on and we'd need to look at it a bit closer.

Thanks!

Amanda Wulff
JAMF Software Support

jrippy
Contributor II

@amanda.wulff

1) Yep, on the same version as the server, 9.31 for JSS and 9.31 for Casper Admin.
2) The account I am using is a Full Access Administrator. I verified all permissions are checked for everything.
3) See #2

So I guess I'll be contacting my support person. Thanks!

were_wulff
Valued Contributor II

@jrippy

I do know if you right click on, say, a script, or a printer, or something that isn't a .dmg or a .pkg it won't show the option in the context menu, but that's expected behavior and it should still appear grayed out in the File menu regardless.

Very odd that the option isn't there at all! If you can grab some screenshots of the right click menu and the opened file menu in Admin to send along with the case I'm sure that'd be helpful for them to start out with.
A zipped up JAMFSoftwareServer.log wouldn't hurt either, just in case something is kicking back errors in there.
It may also be helpful to include a link to this thread for them as well, so they can see what we've checked on already.

Amanda Wulff
JAMF Software Support

jrippy
Contributor II

@amanda.wulff
Already done. Thanks!

jrippy
Contributor II

@amanda.wulff
What about .pkg.zip files? Should they have checksums? That is the filetype for me that is not showing a checksum?

tls2t
New Contributor II

I just stumbled across this post today, and I'm seeing the same issue with some of my packages. In fact, the packages that have as a checksum:

md5:,/Volumes/<blah,blah>

I'm not given the opportunity to generate a checksum when right-clicking the files. I'm in the same boat: same version of Casper Imaging (9.32), admin with full privileges, and so on.

were_wulff
Valued Contributor II

@barret55

That would be D-006777. When a distribution point hasn't been migrated yet, we see this happen even if Package Validation is set to Never.
Those packages likely will not install either when pushed out by the JSS and you'll see a "could not verify package" error in the policy log.

The only way, currently, to get around D-006777 is to hit the Migrate button in Casper Admin.

I do have a slightly longer write up on that one over in this thread: https://jamfnation.jamfsoftware.com/discussion.html?id=10800

Amanda Wulff
JAMF Software Support