Unsigned Updates Fail with Error SRVMSG_SMS_ISVUPDATES_SYNCAGENT_UPDATECONTENT_TRUST_FAIL_BADSIG
One of the new requirements when using the System Center Configuration Manager 1806+ Third-Party Software Updates feature is every update’s installer file must be digitally signed when published as full-content within the SCCM console.
If you right-click an update where the installer isn’t signed and choose to Publish Third-Party Software Update Content, you will receive an error in the binary validation in the SMS_ISVUPDATES_SYNCAGENT.log log file.
The following errors will be shown in the SMS_ISVUPDATES_SYNCAGENT.log log file when an unsigned third-party update is published as full-content.
SyncUpdate: File ‘D:\Microsoft Configuration Manager\ISVTemp\hdrdeabp.51d\7z1604-x64.msi’ does not appear to be signed or there was an error retrieving the signing certificate. Signatures are required.
Signature check on downloaded binary has failed, reason: 0.
Since System Center Updates Publisher (SCUP) does allow unsigned updates to be published, we expect Microsoft added the code-signing certificate requirement for SCCM because of the increased automation available in SCCM, adding another layer of validation for the binaries of any third-party software update published from their product.
List of Products Whose Vendors Don’t Code-Sign
We are maintaining a list of active products whose vendors don’t sign their installer binaries.
- Apache OpenOffice
- Apache Tomcat
- FastStone Capture
- K-Lite “Basic & Mega”
- Programmer’s Note
- Terminals RDP
Why don’t vendors code-sign their installers?
Great question. Code-signing adds another layer of integrity to binaries and has been around for a long time. The vast majority of software vendors do code-sign their binaries, but we do see many open source projects, such as Notepad++ and 7-Zip, choose not to code-sign due to cost and increased complexity and instead post file hashes.
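The SMS_ISVUPDATES_SYNCAGENT.log errors above only appear after the publish attempt has already run. The following PowerShell is an added example (not code from Patch My PC or Microsoft) that runs the same kind of Authenticode check against staged installers beforehand, so an unsigned file is flagged before you right-click Publish Third-Party Software Update Content. For files that turn out to be unsigned it also compares the SHA-256 hash against a hash the vendor published, which is the integrity check the open source projects mentioned above rely on instead of a signature. The staging folder, the hash table and the file name in it are placeholders you replace with your own values; a status of Valid means the signature chains to a root trusted on the machine running the check.

```powershell
# Added example, not Patch My PC's or Microsoft's code. Reports which staged
# installers the ISV sync agent would reject as unsigned and, for unsigned files,
# whether the SHA-256 matches a vendor-published hash. Paths and hashes are placeholders.

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Optional vendor-published SHA-256; only consulted when the file is not validly signed.
        [string] $ExpectedSha256
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    $result = [pscustomobject]@{
        File                 = Split-Path -Path $Path -Leaf
        SignatureStatus      = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer               = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        PublishAsFullContent = ($sig.Status -eq 'Valid')   # what the console's binary validation needs
        HashMatch            = $null
    }

    # Fall back to a hash comparison only when there is no valid signature to rely on.
    if ($sig.Status -ne 'Valid' -and $ExpectedSha256) {
        $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash   # uppercase hex
        $result.HashMatch = ($actual -eq $ExpectedSha256.ToUpperInvariant())
    }

    return $result
}

# Usage: check every installer staged for publishing before using the console.
$staging      = 'C:\ISVStaging'            # placeholder: folder holding the downloaded installers
$vendorHashes = @{                         # placeholder: SHA-256 values copied from the vendor's download page
    '7z1604-x64.msi' = '<sha256 from vendor>'
}

Get-ChildItem -Path $staging -Include *.msi, *.exe -Recurse | ForEach-Object {
    Test-InstallerSignature -Path $_.FullName -ExpectedSha256 $vendorHashes[$_.Name]
} | Format-Table File, SignatureStatus, PublishAsFullContent, HashMatch, Signer -AutoSize
```

Any row where PublishAsFullContent is False will produce the "does not appear to be signed" error if published as full content; a True HashMatch on such a row tells you the download itself is intact, but it does not change the console's signature requirement.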
Unsigned Binary Workaround
We also recommend contacting the vendor of the software whose installer is unsigned to ask them if it would be possible to sign their binaries in future versions.
How Are the Unsigned Binaries Validated Before Being Code-Signed by Patch My PC?
We will still perform all the same security validation tests for malware and bloatware on the vendor’s unsigned binaries.
For any new product request, we now require the installer to be code-signed by the vendor as part of our requirements. We will only retroactively code-sign unsigned installers for products already included in our catalog before this requirement.