Failed to sign package; error was: 2148081670
In this article, we will be reviewing an error that can occur when trying to publish third-party software updates to WSUS.
Determine if You are Affected
If you are affected by this error, you will see the following error(s) in the PatchMyPC.log or SoftwareDistribution.log.
An error occurred while publishing with timestamping, and timestamping is enforced: Failed to sign package; error was: 2148081670 [System.InvalidOperationException]
An error occurred while publishing an update to WSUS: Failed to sign package; error was: 2148081670
PublishPackage(): Operation Failed with Error: Failed to sign package; error was: 2148081670
This error can occur if the code signing certificate used for WSUS has been revoked by the Certificate Authority (CA).
You can check if your certificate has been revoked by following these steps using the Patch My PC Publisher:
- Click Show Certificate in the General tab
- Click Validate Trust Chain…
Solution
If the certificate has been revoked by your CA, you may be able to unrevoke it. For example, if the certificate was issued by an Active Directory Certificate Services (ADCS) CA and the “Certificate Hold” reason code was used to revoke, then it is possible to unrevoke the certificate.
If your certificate is not revoked and you still have the original .pfx for your current code signing certificate, you may want to first try re-importing that instead of issuing a new certificate.
However, if re-importing the original code signing certificate does not solve the issue, then you will need to import a new code signing certificate.
You will need to do the following in order:
- Import your new code signing certificate
- Deploy your new code signing certificate to your devices
- Re-sign all of your existing third-party updates in WSUS
- Download all third-party updates into a new Deployment Package
1. Import your new code signing certificate
For guidance to import a code signing certificate into the Patch My PC Publisher, see What is the WSUS Signing Certificate and How to Create It.
2. Deploy your new code signing certificate to your devices
For guidance to deploy your new code signing certificate, see How to Deploy the WSUS Signing Certificate for Third-Party Software Updates.
3. Re-sign all of your existing third-party updates in WSUS
Using the Modify Published Updates Wizard, select all of your existing third-party software updates in WSUS and choose the option to Re-Sign Update.
4. Download all third-party updates into a new Deployment Package
At this point, after re-signing all of your third-party updates, all of the .cab files in the WSUS directory should have a digital signature. They will be signed with your new code signing certificate.
You can verify this by browsing to your WSUSContent or UpdateServicesPackages folder and looking at the digital signature for any of your .cab files containing a third-party update.
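To check every package at once instead of opening file properties one by one, the PowerShell script below reads the Authenticode signature of each .cab file and compares the signer thumbprint with that of your new certificate. It is an added example, not part of the original article or of Patch My PC's tooling, and the folder path and thumbprint are placeholders to replace with your own values.

```powershell
# Added example: audit .cab signatures after re-signing third-party updates.
# Both parameter defaults are placeholders, not values from the article.
param(
    # Folder holding the third-party .cab files (UpdateServicesPackages or WSUSContent).
    [string]$ContentRoot = 'D:\WSUS\UpdateServicesPackages',
    # Thumbprint of the NEW code signing certificate.
    [string]$ExpectedThumbprint = '<NEW-CERT-THUMBPRINT>'
)

# Thumbprints copied from the certificate dialog often contain spaces; normalize.
$expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()

$results = Get-ChildItem -Path $ContentRoot -Filter *.cab -Recurse -File |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $signer = $sig.SignerCertificate

        # Classify each file: no signature, signed by another certificate
        # (for example the old one), or signed by the expected new certificate.
        $verdict = if (-not $signer) {
            'Unsigned'
        } elseif ($signer.Thumbprint -ne $expected) {
            'OtherSigner'
        } else {
            'NewCertificate'
        }

        [pscustomobject]@{
            Verdict     = $verdict
            Status      = $sig.Status          # Valid only if this machine trusts the cert
            Thumbprint  = if ($signer) { $signer.Thumbprint } else { $null }
            Timestamped = [bool]$sig.TimeStamperCertificate
            File        = $_.FullName
        }
    }

# Summary by verdict, then the files that still need attention.
$results | Group-Object Verdict | Select-Object Name, Count | Format-Table -AutoSize

$results |
    Where-Object { $_.Verdict -ne 'NewCertificate' -or $_.Status -ne 'Valid' } |
    Format-Table Verdict, Status, Thumbprint, File -AutoSize
```

If you point it at WSUSContent, expect `OtherSigner` for .cab files that are not third-party updates; a `Status` other than `Valid` on a `NewCertificate` file usually means the machine running the script does not yet trust the new certificate.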
Now, you must delete any previously downloaded third-party software updates in any existing Deployment Packages. After you have done this, you need to download all of your third-party software updates into a new Deployment Package in Configuration Manager.
Updates need to be downloaded again because the .cab files in your current Deployment Package(s) are signed with your old code signing certificate. They need to be re-downloaded since their digital signatures have changed, and you need your clients to trust all of your third-party updates.