Help

Package integrity verification is done on CasperShare over the network, and not on the client?

Olivier
New Contributor II

Posted on ‎07-27-2015 08:54 AM

I hope I am wrong with what I just noticed :

When a client triggers a policy to download a package, jamf client checks the MD5 checksum directly on the Distribution Point, and not after the file has been transferred to the client???

When I run "ps -awwx" when a package is installed, I see this for example:

8483 ?? 0:00.05 /sbin/md5 -q /Volumes/CasperShare/Packages/Lync Full Installer 14.0.11.pkg

Beside the fact that md5 utility will need to read the file once on the DP through the network, to compare with hash value stored in JSS DB, the jamf client will need to download it a 2nd time later anyway :

8620 ?? 0:00.02 /bin/cp -R /Volumes/CasperShare/Packages/Lync Full Installer 14.0.11.pkg /Library/Application Support/JAMF/Downloads/

So here we have : - package is transferred twice over the network (1st time to calculate the hash + 2nd time for the "cp" command)
- package checksum seems not verified after the file is copied to the client's harddisk. If there a corruption during the 2nd transfer, the checksum verification done earlier is useless...

I just hope I am missing sth here...

0 Kudos
10 REPLIES 10

alexjdale
Valued Contributor III

Posted on ‎07-27-2015 10:01 AM

I believe you are correct, this was called out in another thread a couple weeks ago and seemed to be accurate based on my network usage tests. This is definitely an issue for larger packages.

0 Kudos

scottb
Honored Contributor

Posted on ‎07-27-2015 10:36 AM

There was this thread but also a longer thread a while back that I can not find that discussed this.

Network traffic...

The other thread from a while back was more useful, so I'll keep looking...

0 Kudos

nigelg
Contributor

Posted on ‎07-28-2015 04:40 AM

Yeah I discovered this last year when I had a 25GB+ package with integrity checking enabled - it would read the entire file from the server to carry out the integrity check then redownload it again. I turned off integrity checking after I found that. I have too many large packages (music samples etc)

0 Kudos

millersc
Valued Contributor

Posted on ‎07-28-2015 05:39 AM

@nigelg Where is this setting for integrity checking you speak of? Per package or server setting?
Thanks!

0 Kudos

Aziz
Valued Contributor

Posted on ‎07-28-2015 05:40 AM

@millersc

It's

Computer Management > Security > Package Validation

I also have it off.

0 Kudos

millersc
Valued Contributor

Posted on ‎07-28-2015 05:44 AM

@Abdiaziz Thanks! I think many of us in edu world have some big pkg's we're pushing. So this should help with some of that pain.

0 Kudos

calumhunter
Valued Contributor

Posted on ‎07-29-2015 08:30 PM

Contact your TAM log it as a bug, only way to get some action on it

0 Kudos

cdenesha
Valued Contributor II

Posted on ‎01-13-2016 06:38 AM

For those finding this thread afterwards, a Feature Request has been created.

0 Kudos

skinford
Contributor III

Posted on ‎12-20-2016 07:56 AM

@millersc Thank you. I set mine just now to Never but when I use Casper remote and I did say Refresh it still starts the Verify process. The packages that I install are very large at times here at the college so it would be nice to shut this function off.

Do I have to wait for some type of refresh cycle? Will it take affect immediately? Does it also shut it down in Casper Remote or just when installing via JSS Policy?

My apologies for al the questions but thank you in advance.

Have a very great day today!

0 Kudos

A_A
New Contributor II

Posted on ‎04-05-2017 12:36 AM

Turning it of doesn't seem to help still.

0 Kudos