Performing a client update will fail when updating from an older OnGuard version to any version of OnGuard 7.6 or later

Symptom

Performing a Client Update will fail when updating from an older (pre-Jan 2021) OnGuard version to any version OnGuard 8.0 or above (Including OnGuard 8.0, 8.0 Update 1 and above) or any interim build of OnGuard 7.6 and above.


You should expect to see the following error:



Error Text:  There is a problem with the installation file. It might have gotten corrupted during the download. Do you want to retry?


You would also see similar entries in the Lnl.OG.AutoUpgrade.txt file (Typically found in the root \OnGuard installation directory):


  • There is a problem with the installation file. It might have gotten corrupted during the download. Do you want to retry?

·Verbose VerifyAuthenticodeSignature returns error code:InvalidCertificate

The root cause:

The issue is caused due to a mismatch of code signing certificates used between the installed (older) version of OnGuard and the target (newer) OnGuard version of the upgrade.  This mismatch results in a failed signature validation in the code that causes the failure of the Client Update operation. 


During the process of Client Update, the code signing validation from the previously installed (older) version is expecting to find the expected certificate signature (and counter signature), and when both checks fail the installation assumes the download is corrupted.  


IMPORTANT NOTE:  While the newer versions of OnGuard address the certificate signature issue, versions of OnGuard 8.0 Update 1 and 7.5 Update 3, also have a specific defect that breaks the counter signature. This defect will require the user to patch the system once more to use Client Auto Update when upgrading from these versions.   

This issue is also caused due to another issue where the signatureverifier.cs tries to use a constant string with escape character in subject name and we fail to parse it correctly. The previous patch addressed the certificate name change but did not include a way to handle the counter signature name with such characters. This new patch now includes both fixes.

Resolution

To address this issue and allow client update to complete successfully, you must apply the patch (delivered as an MSI) to client machines PRIOR to attempting to use Client Update. 


NOTE:  To facilitate the upgrade process, it is recommended to distribute this patch in the days before the server upgrade, either manually or using typical IT tools to deliver the MSI to the system.


Download the patch here:  https://file.ac/Rc34d-JoFik/ 


Instructions to deploy this patch: 

  1. Deliver the patch MSI for your installed version to the client workstation(s). 
  2. Install the MSI
    1. Installing the MSI will stop the LS Client Update Service and replace the necessary files.  The service does not need to be restarted, as it will restart automatically when requested by the client. 
    2. The MSI will also load the new certificate necessary for the client
  3. Upgrade the OnGuard Server to the new OG version.
  4. On the client workstation launch an OnGuard installed client (like, System Administration or Alarm Monitoring) 
  5. Follow the prompts to perform the Client Update process
  6. Confirm when installation is successful

Applies To

All supported OnGuard Client versions below OnGuard 7.6.382.496 including:

OnGuard 7.3 and all Updates

OnGuard 7.4 and all Updates

OnGuard 7.5 and all Updates

OnGuard 7.6 and all Updates

OnGuard 8.0 and all Updates


© 2024 Honeywell International Inc. All Rights Reserved.