Package integrity verification is done on CasperShare over the network, and not on the client?

Olivier
New Contributor II

I hope I am wrong with what I just noticed :

When a client triggers a policy to download a package, jamf client checks the MD5 checksum directly on the Distribution Point, and not after the file has been transferred to the client???

When I run "ps -awwx" when a package is installed, I see this for example:

8483 ?? 0:00.05 /sbin/md5 -q /Volumes/CasperShare/Packages/Lync Full Installer 14.0.11.pkg

Beside the fact that md5 utility will need to read the file once on the DP through the network, to compare with hash value stored in JSS DB, the jamf client will need to download it a 2nd time later anyway :

8620 ?? 0:00.02 /bin/cp -R /Volumes/CasperShare/Packages/Lync Full Installer 14.0.11.pkg /Library/Application Support/JAMF/Downloads/

So here we have : - package is transferred twice over the network (1st time to calculate the hash + 2nd time for the "cp" command)
- package checksum seems not verified after the file is copied to the client's harddisk. If there a corruption during the 2nd transfer, the checksum verification done earlier is useless...

I just hope I am missing sth here...

10 REPLIES 10

alexjdale
Valued Contributor III

I believe you are correct, this was called out in another thread a couple weeks ago and seemed to be accurate based on my network usage tests. This is definitely an issue for larger packages.

scottb
Honored Contributor

There was this thread but also a longer thread a while back that I can not find that discussed this.

Network traffic...

The other thread from a while back was more useful, so I'll keep looking...

nigelg
Contributor

Yeah I discovered this last year when I had a 25GB+ package with integrity checking enabled - it would read the entire file from the server to carry out the integrity check then redownload it again. I turned off integrity checking after I found that. I have too many large packages (music samples etc)

millersc
Valued Contributor

@nigelg Where is this setting for integrity checking you speak of? Per package or server setting?
Thanks!

Aziz
Valued Contributor

@millersc

It's

Computer Management > Security > Package Validation

I also have it off.

millersc
Valued Contributor

@Abdiaziz Thanks! I think many of us in edu world have some big pkg's we're pushing. So this should help with some of that pain.

calumhunter
Valued Contributor

Contact your TAM log it as a bug, only way to get some action on it

cdenesha
Valued Contributor III

For those finding this thread afterwards, a Feature Request has been created.

skinford
Contributor III

@millersc Thank you. I set mine just now to Never but when I use Casper remote and I did say Refresh it still starts the Verify process. The packages that I install are very large at times here at the college so it would be nice to shut this function off.

Do I have to wait for some type of refresh cycle? Will it take affect immediately? Does it also shut it down in Casper Remote or just when installing via JSS Policy?

My apologies for al the questions but thank you in advance.

Have a very great day today!

A_A
New Contributor II

Turning it of doesn't seem to help still.