wsusscn2.cab signature verification failure

Re: wsusscn2.cab signature verification failure

Postby psloss » 14.11.2016, 18:48

Interesting comments in this and the other thread -- I'll have to pay more attention to the round-robin DNS answers and the IP of the remote load balancing server.

For what it's worth, I'm consistently getting two different responses that vary by the ETag response header. Given the load-balancing, the response bounces back and forth between one that seems good and one that seems bad.

Bad one, which I get most of the time:

ETag: W/"9e7be538b53ad21:0"

Good one:

ETag: W/"fb5afe38b53ad21:0"

Otherwise, the rest of the headers in the response are mostly static. When I get a bad file, the crypto error that is returned from the authenticode infrastructure is: CRYPT_E_BAD_MSG 0x8009200D / -2146885619.

Based on the comments here, I may try changing more parameters of the manual download process, including manual DNS queries.
psloss
 
Posts: 14
Joined: 14.05.2016, 15:10

Re: wsusscn2.cab signature verification failure

Postby jharris1993 » 14.11.2016, 23:12

I ran into the same problem and it drove me crazy until I was pointed to this thread.

Since it is obvious that Microsoft has absolutely no clue at all, I would like to recommend the following solution for a future version of WSUS Offline Updater:

Code: Select all
For I = 1 to 5
wget [whatever it is]

if [whatever it is] is NOT corrupt. . . .
{
install what you got and exit the loop
}
else
{
flush the DNS resolver cache
next I
}

move on to the next update. . . .


In other words, if you get a corrupt/unsigned download of ANYTHING, give it a few retries, clearing the DNS resolver cache between them. If that doesn't work after a few retries, punt and move on.

What say ye?

Jim (JR)
Some see things as they are, and ask "Why?"
I dream things that never were, and ask "Why Not".

Robert F. Kennedy

“Impossible” is only found in the dictionary of a fool.
Old Chinese Proverb
jharris1993
 
Posts: 13
Joined: 13.11.2016, 02:17

Re: wsusscn2.cab signature verification failure

Postby RJARPCGP » 15.11.2016, 09:41

Everytime I checked the file and it was the bad one, it was structurally corrupted. Even the Windows cabinet file viewer rejected the file.
RJARPCGP
 

Re: wsusscn2.cab signature verification failure

Postby boco » 15.11.2016, 12:09

Sync hell of chaos. MS screwed the pooch. Need I say more?

What would be certainly interesting is what happens if we would use BITSADMIN (or Powershell) to retrieve the catalog. Could someone try if the result is valid?

Code: Select all
bitsadmin.exe /TRANSFER WSUSOU_Get_Catalog /DOWNLOAD http://download.windowsupdate.com/microsoftupdate/v6/wsusscan/wsusscn2.cab <full path here>\WSUSSCN2.CAB
Microsoft update catalog: http://catalog.update.microsoft.com/v7/site/
Windows Install media download: https://support.microsoft.com/en-us/help/15088/windows-create-installation-media
boco
 
Posts: 2391
Joined: 24.11.2009, 17:00
Location: Germany

Re: wsusscn2.cab signature verification failure

Postby boco » 15.11.2016, 12:18

Please try PowerShell, too.

Code: Select all
powershell Start-BITSTransfer http://download.windowsupdate.com/microsoftupdate/v6/wsusscan/wsusscn2.cab <full path here>\wsusscn2.cab
Microsoft update catalog: http://catalog.update.microsoft.com/v7/site/
Windows Install media download: https://support.microsoft.com/en-us/help/15088/windows-create-installation-media
boco
 
Posts: 2391
Joined: 24.11.2009, 17:00
Location: Germany

Re: wsusscn2.cab signature verification failure

Postby jharris1993 » 15.11.2016, 18:52

boco wrote:Sync hell of chaos. MS screwed the pooch. Need I say more?

What would be certainly interesting is what happens if we would use BITSADMIN (or Powershell) to retrieve the catalog. Could someone try if the result is valid?

Code: Select all
bitsadmin.exe /TRANSFER WSUSOU_Get_Catalog /DOWNLOAD http://download.windowsupdate.com/microsoftupdate/v6/wsusscan/wsusscn2.cab <full path here>\WSUSSCN2.CAB

and . . . . .

Please try PowerShell, too.

Code: Select all
powershell Start-BITSTransfer http://download.windowsupdate.com/microsoftupdate/v6/wsusscan/wsusscn2.cab <full path here>\wsusscn2.cab



Boco, I agree that the results would be interesting - but I fail to see the point. It has already been established that the question of getting the bad download vs the good one is related to the M$ load-balancing scheme - and their lack of synchronization across their update servers.

Assuming that M$ hasn't corrected the sync problem and purged the bad files, (which we cannot know except by experiment), the fact that these two commands returned "good" files when tried once proves nothing.

We'd have to repeat these commands about a dozen or so times, (and perform the same file transfers with wget at the exact same time, using the same DNS settings, on the same ISP), to see if there is a statistically significant difference. (i.e. The two internal commands ALWAYS returned "good" files where wget returned the "bad" files at least 50% of the time.)

As far as I can tell, it shouldn't matter HOW you get the files, as you're going through the same load-balancing "Sync hell of chaos" each time.

Now you have "my curiosity riz" as they say. . . Is there something specifically and peculiarly different about how btsadmin and/or PowerShell get files that would cause different results than what wget returns? If so, how and/or why? If this is provably true, maybe WSUS Offline should use these commands instead of the more generic wget?

What say ye?

Jim (JR)
Some see things as they are, and ask "Why?"
I dream things that never were, and ask "Why Not".

Robert F. Kennedy

“Impossible” is only found in the dictionary of a fool.
Old Chinese Proverb
jharris1993
 
Posts: 13
Joined: 13.11.2016, 02:17

Re: wsusscn2.cab signature verification failure

Postby boco » 16.11.2016, 04:35

BITS is the service provided by MS, themselves, and used by WU. That built-in service might have special features in place that prevent getting a bad file.

If we could at least improve the reliability somewhat by using BITS... Looks like the real WSUS servers manage to get the catalog in one piece.


Fetching the catalog by Torrent is something I'd not like to see in WSUSOU.
Microsoft update catalog: http://catalog.update.microsoft.com/v7/site/
Windows Install media download: https://support.microsoft.com/en-us/help/15088/windows-create-installation-media
boco
 
Posts: 2391
Joined: 24.11.2009, 17:00
Location: Germany

Re: wsusscn2.cab signature verification failure

Postby jharris1993 » 16.11.2016, 04:47

boco wrote:Fetching the catalog by Torrent is something I'd not like to see in WSUSOU.

I'll second that!

I don't want to sound paranoid, but the idea of someone - some UNKNOWN someone - accessing my systems gives me the cold shivers. :o :shock:

OK, OK. . . maybe Torrents aren't the security risk I fear - but I've seen enough crazy-@$$ things going on that I don't trust it any farther than I can throw a fit.

Jim (JR)
Some see things as they are, and ask "Why?"
I dream things that never were, and ask "Why Not".

Robert F. Kennedy

“Impossible” is only found in the dictionary of a fool.
Old Chinese Proverb
jharris1993
 
Posts: 13
Joined: 13.11.2016, 02:17

Re: wsusscn2.cab signature verification failure

Postby boco » 16.11.2016, 04:54

Do you have Windows 10?

MS has always used Peer-to-Peer techniques in Windows, and now in 10 uses it to distribute updates faster.
Microsoft update catalog: http://catalog.update.microsoft.com/v7/site/
Windows Install media download: https://support.microsoft.com/en-us/help/15088/windows-create-installation-media
boco
 
Posts: 2391
Joined: 24.11.2009, 17:00
Location: Germany

Re: wsusscn2.cab signature verification failure

Postby jharris1993 » 16.11.2016, 05:18

boco wrote:Do you have Windows 10?

MS has always used Peer-to-Peer techniques in Windows, and now in 10 uses it to distribute updates faster.

No.

Neither do I have the Plague, or any of those other vile diseases going around.

I've played around with '10, and after a week or so went back to 7. For one thing, it reminded me too much of everything I disliked about Vista and 8 on steroids. It just gave me the creeps. . . .

Jim (JR)
Some see things as they are, and ask "Why?"
I dream things that never were, and ask "Why Not".

Robert F. Kennedy

“Impossible” is only found in the dictionary of a fool.
Old Chinese Proverb
jharris1993
 
Posts: 13
Joined: 13.11.2016, 02:17

PreviousNext

Return to Download

Who is online

Users browsing this forum: Google [Bot] and 43 guests