Windows Update updates indicating they are unsigned

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 03/22/02 

Date:         Fri, 22 Mar 2002 07:36:52 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

I had someone contact me yesterday regarding a Security Update from WU
causing a dialog box to pop-up part way through the installation
indicating;

"The software you are about to install does not contain a Microsoft
digital signature. Therefore, there is no guarantee that this software
works correctly with Windows."

Followed by;

"Unknown software package"

It then allows you to choose "Yes" or "No" to continue with the
installation.

So I checked with Microsoft and got the following response; 

---
Hello Russ:

I've had the WindowsUpdate team make a full, manual check of all of the
packages that are offered on the site to verify their integrity and
signatures.  The packages are correctly signed.  We've fully verified
this.

What's happening here is a known issue with a particular W2K security
settings and the contents of the signed package.  All packages we
deliver are signed, and we always run numerous checks to make sure this
is the case.   However, within that signed package, there are individual
files that are not themselves signed.

In W2K there is a security setting (Administrative Tools > Local
Security Policy > Local Policies > Security Options > Unsigned
Non-Driver Installation Behavior). If this is set to "Warn but allow
installation", this prompt will be raised because there of those
unsigned, individual files within the signed package.

As long as the package is correctly signed, the package is safe to
install.
---

Note that nobody is suggesting you alter the setting if you have it
selected as mentioned above. This is only an FYI that should you get the
above-mentioned dialog you should double-check whether that setting has
been made on your system and re-check the source of the installation
package.

Cheers,
Russ - NTBugtraq Editor

Relevant Pages

  • Re: dist-upgrade problem (was Re: /etc/modutils/0keep: line 9: keep: command not found)
    ... Reading package fields... ... i t does not have execute permission ... installation script returned error exit status 100. ...
    (Debian-User)
  • Re: Finding installed package files
    ... >, and who is going to supply this documentation. ... > is a package with the common man pages for the thousand odd common commands ... tell me, as an installation option for some large packages, what was ... >>a set of commands and 'man' pages, could produce such a directory to make it ...
    (alt.os.linux.redhat)
  • Security Update for Microsoft Data Access Components (KB832483)
    ... : An error occurred while setup was trying to ... verify the version of Microsoft Data Access Components ... package returned FALSE, or there was a fatal error while ... installation. ...
    (microsoft.public.windowsupdate)
  • Security Update for Microsoft Data Access Components (KB832483)
    ... : An error occurred while setup was trying to ... verify the version of Microsoft Data Access Components ... package returned FALSE, or there was a fatal error while ... installation. ...
    (microsoft.public.windowsupdate)
  • Re: bits/news from the users of Debian?
    ... "Le bottin des jeux Linux" speaks about 800 Linux games and i hope that's growing. ... I start with Debian, then test Mandrake because it seem's at this time very complicated. ... I think graphics interface for installation is a good thing: you have make a good job! ... I use Debian Sid and I have experiment a lot of problem some years ago because i install too recent package on Sid which are not well tested. ...
    (Debian-User)