MID Server Upgrade File Signature Verification - Support and Troubleshooting

MID Server Upgrade File Signature Verification Issue As part of the MID Server upgrade, the MID Server upgrade will run a series of tests before the upgrade is started, these are the pre upgrade checks. One of the checks is to confirm the "preUpgradeCheck.zip" file downloaded has a valid signature. The error "Signature Verification Failed" will be seen if there are issues verifying the file signature. There are different errors that could be seen when checking the file signature, for example:

AutoUpgrade.3600.now SEVERE *** ERROR *** Aborting MID Server upgrade due to pre-upgrade check failure: Signature verification failed: Entry doesn't have valid signer MID Server upgrade error:

Signature Verification Failed Cause To check the file signatures the MID Server will use the signers/certificates from the MID Server cacerts file, by default "MIDPath\agent\jre\lib\security\cacerts". Out of box the necessary signers/certificates will be found in the cacerts and the file signature verification should work as expected. However, if the signers/certificates in the cacerts are updated or the file is replaced the pre upgrade check will have errors as detailed above.

Some of the other errors which could be seen:

Entry is not in manifest Entry is not signed Entry doesn't have valid signer Signer is not entitled for code signing Signer is not trusted by CA Signer doesn't have timestamp Timestamp certificate is expired Timestamp certificate is not trusted by CA Signer certificate is not valid at the time of signing Signer organization is not O=ServiceNow Inc. Verification policy is missing Failed to load cacerts key store Failed to find trust anchors from key store File has been tampered Error while reading data Resolution Before following any workaround, please see following documentation for more information on MID Servers and certificates:

MID Servers and Certificates Note: The errors seen in this KB are in regards to checking the file signature. Having issues with the file signature does not mean the MID server will have trouble connecting to the instance after the upgrade. However, it is a similar concept. The MID server needs a valid signer to confirm the files are not altered.

As a solution, please perform one of the following actions:

Bring Back cacerts File from OOB MID Server Navigate to MID Server with issue and back up current cacerts file, MIDPath\agent\jre\lib\security\cacerts Navigate to a working MID Server and copy the cacerts file Replace non working MID Server cacerts file with working MID Server cacerts file Import necessary certificates, those would be any non OOB certificates imported to the backed up cacerts Add SSL certificates for the MID Server Restart the MID Server Disable Signature Verification Set MID Server property mid.security.signature.verification = false Restart the MID Server Complete the upgrade Enable signature verification after upgrade Disable Pre Upgrade Checks Set MID Server parameter mid.upgrade.run_precheck = false Restart the MID Server Complete the upgrade Enable pre upgrade check after upgrade