Office for Mac 2011 SP1 - Unable to deploy

jevans76
New Contributor

I'm trying to roll out Office for Mac 2011 SP1 aka 14.1, but keep getting the below error when I check the logs for the policy:

installer: Package name is Office 2011 14.1.0 Update
installer: Certificate used to sign package is not trusted. Use -allowUntrusted to override.

All other Office for Mac 2011 updates deploy without any problems, so I don't understand why there is such an issue with SP1 ?

I downloaded it directly from the Microsoft site here

I don't know how I'm supposed to "Use -allowUntrusted to override" that the error message suggests as a fix?

Thanks

18 REPLIES 18

chriscollins
Valued Contributor

Because that package probably was not signed or the cert that was used to sign it has expired. You have two options that I can think of:

If your copy of Office is a volume license version, you should be able to download the full installer from Microsoft that has SP3 rolled into it, leap frogging your current version.

Your other option is to use Composer or another program, put the SP1 installer somewhere like /tmp/, then drag the .pkg from that location into Composer, so the .pkg itself is the file that is going to get installed into /tmp/.

Then add a post-install script in Composer to the package and just have it run a simple shell script with the command like:

#!/bin/sh

installer -pkg /tmp/MSOfficeSP1.pkg -target / -allowUntrusted

mm2270
Legendary Contributor III

So first off, if you have a volume license of Office 2011 with Microsoft, you should be able to obtain a full installer package that is much more current, like 14.3.9 or something like that. You really shouldn't be trying to deploy/install Office 14.1 at this point as that is a very old version. Assuming you mean you are deploying it as a full installation and not an update to an existing install.

As you've found, the certificate that was being used for that installer is now no longer valid. I forget now if this has to do with Apple revoking some older developer certificates a while back due to some security issues, or if its just because its expired.

So before anything else, I'd really look into getting a more current installer version. The only reason you would need to use this 14.1 package is if you already have clients out there with versions like 14.0.2 or something horribly old and you are trying to update them to 14.1 first. In that case, you'll have no choices other than deploying 14.1, and then the current updates, or just re-installing Office cleanly on their Mac.

Just so I try to answer one of your questions above though, the Casper Suite's installation process doesn't use the -allowUntrusted flag when using the built in function, and there is no way I know of to make it use that flag. The only way to do it would be to build a package that actually deploys the 14.1.pkg into a location like /private/tmp/ and then uses a postinstall script to do something like:

installer -pkg /private/tmp/Office201_114.1.pkg -target / -allowUntrusted

Edit: Lol, @chriscollins and I posted nearly identical responses. :)

chriscollins
Valued Contributor

It's all good :)

jevans76
New Contributor
The only reason you would need to use this 14.1 package is if you already have clients out there with versions like 14.0.2 or something horribly old and you are trying to update them to 14.1 first.

Yes, unfortunately this is exactly the situation I'm in.

I'd never use an out of date installer to install software from scratch as part of an SOE : )

I'll try using Composer combined with a script as you've (both) suggested - thanks.

I'm fairly new to packaging with OSX and Composer though. Do I just copy the SP1 .mpkg to the /private/tmp folder on the machine running Composer, then open Composer and drag the package into the left hand pane of the program? Or do I do this once I've started creating a new .pkg and the initial snapshot is complete?

Either method just seems to leave me with an empty .pkg file that doesn't do anything when I run it? Sorry for the noob question.

mm2270
Legendary Contributor III

Hi @jevans76 Yes, follow these steps:

  1. Copy the SP1 installer mpkg into /private/tmp/
  2. Open Composer and, if its asking if you want to do a snapshot or something, just cancel from that.
  3. Now open /private/tmp/ in the Finder and drag the SP1 updater package into the side panel in Composer. It should indicate its copying files and then when done will show something like this when your turn down the disclosure triangles.
    /private/
       /tmp/
          Office 2011 14.1.0 Update.mpkg
  4. Now, turn down the new Composer source triangle in the sidebar to reveal the Scripts section.
  5. Right / Control click on Scripts and choose "Add Shell Script > postinstall" from the menu. It will create a new postinstall script.
  6. Select that new script and then add the script syntax as shown in our posts above. Make sure to correct the name to the exact name of the installer package if needed.
  7. Build your package as a .pkg, not .dmg

Now, when that installer runs, it will drop the SP1 installer into /tmp/ and after the payload part is done, the postinstall script will actually install it on your boot drive, but will use the -allowUntrusted flag, which will bypass that expired certificate error.

One thing that might be a good idea to add to the script is an rm line at the end to clean up the installer mpkg. Something like:
rm -f "/private/tmp/Office 2011 14.1.0 Update.mpkg"
That should clean up the installer after its done installing it, or attempting to install it.

jevans76
New Contributor

Great, thanks for that @mm2270 - I'll try this today.

jevans76
New Contributor

OK, so not sure if I'm doing something wrong, but I've copied the mpkg to the /private/tmp folder, and then dragged it in to Composer 9.7

However, I don't get the /private/tmp folder structure I was expecting. It just seems to have copied the package, as below:

eef535978da2454486c20ab1a5ad0c1f

I noticed that you mentioned "source" in your instructions above, so I clicked the "Convert to Source" button. That gives me the folders, including "scripts", but not the parent folder structure of /private/tmp ??

4802c29052b946a19b58a6be5a800477

Not sure what I'm doing wrong here?

mm2270
Legendary Contributor III

OK, my bad here. Yes, Composer will try to turn any packages you drag into it into a "convert to source" item. That's the behavior you're seeing. You did nothing wrong.

Here's what you do then:

Drag the entire /tmp/ directory into Composer instead of the package. You'll need to go back in and clean out a bunch of other stuff that it copies into Composer, so you're only left with your .mpkg file before creating the script and building the final pkg.

Or, you can create a new folder in /tmp/, place the Office SP1 installer in that and then drag that custom folder into Composer. You'll only end up with the custom directory and the installer in it (as well as other folders that lead to it, like /private/tmp/

If you decide to use the latter method, just make sure you include that custom folder in the path to the installer command. So for example, if I made a new directory in /tmp/ called "installer" and put the Office installer in it. then in the postinstall script I would use something like

installer -pkg "/private/tmp/installer/Office 2011 14.1.0 Update.mpkg" -tgt / -allowUntrusted

Make sense?

jevans76
New Contributor

Yes, that makes sense. I've dragged the /tmp/ directory and I'm getting the desired result now.

I've deleted the surplus files it copied across as you advised.

When I went to create the bash script, I wasn't 100% sure where to paste the code you provided without stuffing up the syntax, but it advised "the script seemed to compile properly" when I ran the check on it. It looks like this:

635aac42c392484aaf18e729f6e278ac

Would this run OK, or have I stuffed up the syntax, as I know nothing about bash scripting.

I'm getting success logs when I check the policy deploying the uploaded package, i.e.:

Executing Policy Office for Mac 2011 - Update from 14.0.0 to 14.1.0...
Copying Copy_Office_for_Mac_SP1_to_tmp.pkg...
Installing Copy_Office_for_Mac_SP1_to_tmp.pkg...
Successfully installed Copy_Office_for_Mac_SP1_to_tmp.pkg.

..but at the same time, the smart group I have reporting on OSX clients with Office for Mac SP1 installed isn't increasing in size?

Simmo
Contributor II
Contributor II

@jevans76 Are you running a recon/update inventory as a part of your policy?

Edit: Also you will be wanting brackets around the file path.
"/private/tmp/Office 2011 14.1.0 Update.mpkg"

gregneagle
Valued Contributor

https://managingosx.wordpress.com/2012/03/24/fixing-packages-with-expired-signatures/

mm2270
Legendary Contributor III

Hey @gregneagle I'm curious, but would the method you outline on your blog post work with the SP1 Office updater? That package still shipped in bundle style metapackage format, so pkgutil --expand doesn't work on it since there isn't anything to expand. I have not tried the python utility/script you built, but I suspect it may not work as well since you specifically mention it working on flat packages.

However, after going through all this with @jevans76 above, I had one of those forehead slapping moments where I realized there's a much easier solution to this. No need for all this rigmarole of dropping the bad installer into tmp and then installing it. @jevans76, just redownload the SP1 installer directly from Microsoft, which was rebuilt with a valid certificate. You can get it off of http://www.microsoft.com/mac/downloads, or just go here:
http://www.microsoft.com/en-us/download/confirmation.aspx?id=17198

I just downloaded it and took a look to confirm that it contains a valid certificate. Look:
3a62531819e740dab160aa010394e52c

davidacland
Honored Contributor II
Honored Contributor II

I'd go with the different approach suggested by @mm2270. I'm doing a new deployment this week so grabbed 14.4.2 from the MS portal and the 14.5.0 patch. The client did try to give me their original Office 2011 CD at first. Even if I could find a Mac with a CD drive, its not likely it would install smoothly.

If you're still deploying 14.1.x I would expect problems. Best suggestion is to keep on top of your packages, making sure you're deploying the newest, patched versions you can.

gregneagle
Valued Contributor

I agree that getting a new version of the package from Microsoft with a valid signing certificate is the best approach.

bpavlov
Honored Contributor

If you have clients with older versions than SP1, shouldn't installing the Office SP4 (14.4.x) ISO provided from Microsoft at the moment upgrade the computer just fine to the appropriate version and do all the database upgrades it needs to do? I wouldn't think there's a need to go to SP1 -> SP4 -> SP5 if you're using the full installer. If you're using the update installers, yes you do need at least SP1, but I would definitely test using the full Office installer which as mentioned takes you to 14.4.x. Test that out if you can.

mm2270
Legendary Contributor III

@bpavlov No, unfortunately, SP1 (14.1.0) is a required update for clients still running versions like 14.0.4, basically anything prior to 14.1.0. You need to install that first, then any current update out there can be applied on top.
At one time, it was actually worse. If I recall, a 14.2.4 update or something like that was also required before moving up to 14.3 and so on, but Microsoft fixed that by rolling the db changes made with that 14.2.x update into all subsequent ones, so you can jump from 14.1.x to the current release.

Edit: sorry, didn't read what you posted fully, as you basically said the same thing. If you look up the thread, I had asked the same question of the OP, but turns out they have some clients still on 14.0.x versions out there that the SP1 update is needed for.

jevans76
New Contributor

Yes, as I said in my original post, I'd never use an outdated installer. I'm having to find a way to perform an in place upgrade of the existing Office 2011 14.0 installation on my client machines because there is no other choice.

If it was an Office install under Windows I could just run an msiexec uninstall to uninstall the old version, then roll out the updated installer after that.

However, the biggest problem with the Mac version of Office is that there's no clean way to automate a clean and complete uninstall AFAIK.

jevans76
New Contributor

@mm2270 I'm afraid re-downloading 14.1.0 doesn't work. Despite the certificate being newer, it still isn't trusted.

Despite the cert looking exactly the same as in your screenshot, and reporting as being valid, I still get the same error as I did before when trying to deploy the update:

"Certificate used to sign package is not trusted. Use -allowUntrusted to override."