Flash Player

434 views
Skip to first unread message

Gregory Neagle

unread,
Jan 24, 2015, 9:14:51 PM1/24/15
to autopkg...@googlegroups.com
Rich Trouton noticed today that the update feed was showing a new Flash Player, yet the update itself did not seem to be available:


I tried running the AdobeFlashPlayer.download recipe and it indeed failed:

% autopkg run AdobeFlashPlayer.download
Processing AdobeFlashPlayer.download...
Failed.

The following recipes failed:
    AdobeFlashPlayer.download
        Error in com.github.autopkg.download.FlashPlayer: Processor: URLDownloader: Error: Couldn't download http://fpdownload.macromedia.com/get/flashplayer/pdc/16.0.0.296/install_flash_player_osx.dmg: HTTP Error 404: Not Found

Nothing downloaded, packaged or imported.

So I opened System Preferences and opened the Flash Player pane and clicked Check now. It also said there was an update;


I clicked yes, and to my surprise, it successfully downloaded the update. I did not agree to the install, however, so I could do more investigation.
It turns out the "Adobe Flash Player Install Manager.app" does not download from the same location that the AutoPkg recipe uses, instead it downloads a file from a fixed URL:


And then decompresses that into an installer of sorts. I haven't yet been able to do anything useful with this file.

I assume eventually the "normal" download(s) will be available; still it might be useful or at least interesting to see if we can make use of this download, especially if Adobe updates this one first, or at least in concert with the XML update feed.

-Greg

Vito Mule

unread,
Jan 24, 2015, 9:44:00 PM1/24/15
to autopkg...@googlegroups.com
as Adobe is saying here:

http://helpx.adobe.com/security/products/flash-player/apsa15-01.html


UPDATE (January 24): Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.296 beginning on January 24. This version includes a fix for CVE-2015-0311. 
Adobe expects to have an update available for manual download during the week of January 26.

Cheers

Per Olofsson

unread,
Jan 25, 2015, 4:11:49 AM1/25/15
to autopkg...@googlegroups.com
25 jan 2015 kl. 03:14 skrev Gregory Neagle <gregn...@mac.com>:
>
> http://fpdownload2.macromedia.com/get/flashplayer/update/current/install/install_all_mac_pl_sgn.z
>
> And then decompresses that into an installer of sorts. I haven't yet been able to do anything useful with this file.

Shouldn't you recognize ASN.1 data by now? :)

security cms -D -i install_all_mac_pl_sgn.z > install_all_mac_pl.dmg

--
Per Olofsson, IT-service, University of Gothenburg

Gregory Neagle

unread,
Jan 25, 2015, 10:06:38 AM1/25/15
to autopkg...@googlegroups.com
I figured someone would enjoy the challenge more than I would!

So: if anyone wants/needs to get the Flash update out there before Adobe gets around to updating their "manual" downloads sometime this next week:


Convert it to a disk image: 
security cms -D -i ~/Downloads/install_all_mac_pl_sgn.z > ~/Downloads/install_all_mac_pl.dmg

Use AutoPkg to import it into Munki:

% autopkg run AdobeFlashPlayer.munki -k PKG=~/Downloads/install_all_mac_pl.dmg
Processing AdobeFlashPlayer.munki...

The following new items were downloaded:
    /Users/gneagle/Downloads/install_all_mac_pl.dmg

The following new items were imported:
    Name                     Version          Catalogs                         Pkginfo Path
    ----                     -------          --------                         ------------
    FlashPlayer              16.0.0.296       testing                          internet/FlashPlayer-16.0.0.296.plist

(Or use a .jss, .abman, .sccm or .bigfix recipe as available :-))

-Greg

--
You received this message because you are subscribed to the Google Groups "autopkg-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to autopkg-discu...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Trouton, Rich R

unread,
Jan 26, 2015, 7:15:47 AM1/26/15
to autopkg...@googlegroups.com
After the step of converting it into a disk image with the security command, it looks like this command also works:

autopkg run AdobeFlashPlayer.pkg -p ~/Downloads/install_all_mac_pl.dmg

I also tested this with a .jss recipe and that also appears to work:

autopkg run AdobeFlashPlayer.jss -p ~/Downloads/install_all_mac_pl.dmg

In both cases, I received an "AdobeFlashPlayer-16.0.0.296" installer package.  Running the .jss recipe resulted in the package being properly uploaded as well as updating the associated Casper policy and smart group with the new "16.0.0.296" version info.

Thanks,
Rich

---

JRC Help Desk
phone: x4030

The best way to get in touch with me is through email.

Graham Pugh

unread,
Jan 26, 2015, 8:56:06 AM1/26/15
to autopkg...@googlegroups.com
Thanks guys! I was almost irked enough by my hourly update failure emails from AutoPkgr to do something about this, and now you've solved it for me!

Cheers, Graham

Trouton, Rich R

unread,
Jan 26, 2015, 9:28:58 AM1/26/15
to autopkg...@googlegroups.com
There also appears to be a 16.0.0.296 installer now available on the Adobe Flash Player Distribution site (i.e. the site you get access to after getting a valid Adobe Flash Player Distribution License Agreement in place. That, or Googling.)

Thanks,
Rich

Gregory Neagle

unread,
Jan 26, 2015, 9:35:34 AM1/26/15
to autopkg...@googlegroups.com
Though this is the first time we've encountered this issue (where Adobe updates the feed and their encrypted download _first_, before updating any of the manual download locations), I'm in favor of modifying the AdobeFlashPlayer.download recipe to use the http://fpdownload2.macromedia.com/get/flashplayer/update/current/install/install_all_mac_pl_sgn.z download -- I can't imagine a scenario where Adobe would update the feed but not the download. (But we've be surprised by what Adobe does in the past...)

It's not a trivial modification, however, At the very least we'll need to replace or modify the AdobeFlashURLProvider and perhaps create a CMSDecoderProcessor or the like.

-Greg

Timothy Sutton

unread,
Jan 26, 2015, 10:09:14 AM1/26/15
to autopkg...@googlegroups.com
I've just updated the AdobeFlashPlayer.download recipe to do this decoding with `security cms`, and to just pull from this URL that we hope will be stable.

autopkg repo-update recipes

It's too bad for us that Adobe's feed doesn't actually contain instructions on how to get the update, and that it must be baked into the client. On the other hand, that at least might make it less likely to change.


Tim

Gregory Neagle

unread,
Jan 26, 2015, 11:46:05 AM1/26/15
to autopkg...@googlegroups.com
I find the behavior of the updated recipe a bit confusing:

% autopkg run AdobeFlashPlayer.download -vv
Processing AdobeFlashPlayer.download...
URLDownloader
{'Input': {'filename': u'AdobeFlashPlayer.dmg',
URLDownloader: Storing new Last-Modified header: Sat, 24 Jan 2015 03:01:43 GMT
URLDownloader: Storing new ETag header: "ee90bb-50d5d1ff7b3c0"
URLDownloader: Downloaded /Users/gneagle/Library/AutoPkg/Cache/com.github.autopkg.download.FlashPlayer/downloads/AdobeFlashPlayer.dmg
{'Output': {'download_changed': True,
            'etag': '"ee90bb-50d5d1ff7b3c0"',
            'last_modified': 'Sat, 24 Jan 2015 03:01:43 GMT',
            'pathname': u'/Users/gneagle/Library/AutoPkg/Cache/com.github.autopkg.download.FlashPlayer/downloads/AdobeFlashPlayer.dmg'}}

OK, the recipe downloaded the install_all_mac_pl_sgn.z under the name AdobeFlashPlayer.dmg, even though it's not yet a valid dmg.

AdobeFlashDownloadDecoder
{'Input': {'encoded_path': u'/Users/gneagle/Library/AutoPkg/Cache/com.github.autopkg.download.FlashPlayer/downloads/AdobeFlashPlayer.dmg'}}
{'Output': {'pathname': u'/Users/gneagle/Library/AutoPkg/Cache/com.github.autopkg.download.FlashPlayer/flash_decoded.dmg'}}

Now it looks like the Decoder decoded AdobeFlashPlayer.dmg as flash_decoded.dmg. OK...

EndOfCheckPhase
{'Input': {}}
{'Output': {}}
Receipt written to /Users/gneagle/Library/AutoPkg/Cache/com.github.autopkg.download.FlashPlayer/receipts/AdobeFlashPlayer-receipt-20150126-083404.plist

The following new items were downloaded:
    /Users/gneagle/Library/AutoPkg/Cache/com.github.autopkg.download.FlashPlayer/downloads/AdobeFlashPlayer.dmg

OK, that's a tiny bit confusing. Actually what was downloaded was install_all_mac_pl_sgn.z, but under the name AdobeFlashPlayer.dmg.

I assume that if I ran a Munki receipt, what would be imported would be flash_decoded.dmg ?

I think it would be clearer if we left the download name as install_all_mac_pl_sgn.z and we named the decoded file AdobeFlashPlayer.dmg, but that may just be me.

-Greg

Timothy Sutton

unread,
Jan 26, 2015, 12:05:37 PM1/26/15
to autopkg...@googlegroups.com
I agree, the filenames should make more sense.

Addressed here:

https://github.com/autopkg/recipes/commit/a176baeec8da0a39f1953feadc27148f8f484476


Thanks,
-Tim

A.E. van Bochoven

unread,
Jan 26, 2015, 3:41:49 PM1/26/15
to autopkg...@googlegroups.com
Hmm I get this on my 10.6.8 (I know) build machine:

        Error in local.munki.AdobeFlashPlayer: Processor: AdobeFlashDownloadDecoder: Error: Unexpected exception in running `security` command: `security` error: security: cert import failed: A default keychain could not be found.

any pointers?

-Arjen

Childress, Matt

unread,
Jan 26, 2015, 3:45:26 PM1/26/15
to autopkg...@googlegroups.com

I had this  happen too, and googled around and found a page pointing me to a login/keychain issue – we use a user account that had never been logged into at the console.  Logging in at the console created a login certificate in the keychain.app, and that might fix your issue(s) as well (or run the Keychain repair option)

Good luck!  (after I logged in one time – didn’t need to run Keychain.app – the next scheduled Jenkins job it imported automagically as before!)

M@

A.E. van Bochoven

unread,
Jan 26, 2015, 3:46:43 PM1/26/15
to autopkg...@googlegroups.com
Ok, it seems that adding a keychain to the jenkins account solves this problem.

security create-keychain

I just created an empty keychain without a password.

-Arjen

Timothy Sutton

unread,
Jan 26, 2015, 4:05:13 PM1/26/15
to autopkg...@googlegroups.com
Thanks for documenting this. I had a feeling there would be side effects of using `security`.

Here's one idea, to at least give a better warning for rare cases where this occurs. The `security default-keychain` command will return an error if a default keychain does not yet exist. The new custom processor could first execute this command to test whether a default keychain exists and raise a more helpful error message, explaining how to remedy it as you have done. Someone running a "headless" setup would just need to do this extra step once manually.

Alternatively, I attempted to specify the /L/Keychains/System.keychain file for `security cms`, but I don't seem to have the rights to use this keychain, so that feels like attempting something more complex.


Tim

Gregory Neagle

unread,
Jan 26, 2015, 7:56:49 PM1/26/15
to autopkg...@googlegroups.com
If it turns out using `security` is problematic; here is an alternative:

openssl smime -inform DER -verify -in install_all_mac_pl_sgn.z -noverify -out AdobeFlashPlayer.dmg

Not tested. I'll leave that to others...

There are probably other ways to do this as well, but most would involve importing a bunch of non-standard Python modules.

-Greg

Gregory Neagle

unread,
Jan 26, 2015, 8:11:08 PM1/26/15
to autopkg...@googlegroups.com
Ugh. A little more investigation: when using `security cms` to decode the install_all_mac_pl_sgn.z file, two certificates get installed into the default keychain (in my case, my login.keychain):



This issue is likely to affect Munki's support of signed configuration profiles as well. Hmmmm.  Errrgh. Ugh. Yuck.

-Greg

Trouton, Rich R

unread,
Jan 26, 2015, 9:02:20 PM1/26/15
to autopkg...@googlegroups.com
Confirmed, seeing that on my end as well. I've also verified that removing them and running AdobeFlashPlayer.download (or any recipe that calls the .download recipe) will put those certificates back in the login keychain. This applies even if nothing new has actually been downloaded.

Thanks,
Rich


On Jan 26, 2015, at 8:11 PM, Gregory Neagle <gregn...@mac.com> wrote:

Ugh. A little more investigation: when using `security cms` to decode the install_all_mac_pl_sgn.z file, two certificates get installed into the default keychain (in my case, my login.keychain):

<PastedGraphic-2.png>

<PastedGraphic-3.png>

Michael Mohr

unread,
Jan 26, 2015, 11:29:03 PM1/26/15
to autopkg...@googlegroups.com
I'm having the same issues on my end I think as well... when autopkg runs (hourly) I get the response: 

The following recipes failed:
AdobeFlashPlayer.munki
Error in com.github.autopkg.munki.FlashPlayerNoRepackage: Processor: AdobeFlashDownloadDecoder: Error: Unexpected exception in running security command: security error: security: cert import failed: write permissions error
security: problem decoding
, return code: 1


I don't know if that helps anyone... 

josh....@gmail.com

unread,
Jan 27, 2015, 9:09:28 AM1/27/15
to autopkg...@googlegroups.com
Similar errors on my nightly run:

The following recipes failed:
    AdobeFlashPlayer.munki
        Error in com.github.autopkg.munki.FlashPlayerNoRepackage: Processor: AdobeFlashDownloadDecoder: Error: Unexpected exception in running `security` command: `security` error: security: cert import failed: Could not write to the file. It may have been opened with insufficient access privileges.
security: problem decoding
, return code: 1

This is via cron run as my regular user that was logged in on the console at the time of the run.
Note that I was able to manually run the security cms stuff yesterday to convert the flash download to a DMG.

Timothy Sutton

unread,
Jan 27, 2015, 9:09:30 AM1/27/15
to autopkg...@googlegroups.com
If this can work reliably from 10.6 through 10.10, I'm in favor of doing this instead and leaving behind the keychain issues involved with `security`. I'll try and test this morning.


Tim

Timothy Sutton

unread,
Jan 27, 2015, 10:16:05 AM1/27/15
to autopkg...@googlegroups.com
We've just made another change to the recipe's processor, to hopefully address these issues with security and keychains: we now create a temporary keychain that's writable by the user and discard it after the decoding process. People who have experienced issues with this, please repo-update and see if the issues are resolved.


Tim

Josh Malone

unread,
Jan 27, 2015, 4:36:23 PM1/27/15
to autopkg...@googlegroups.com
Fixes my issues - runs normally.
> You received this message because you are subscribed to a topic in the Google Groups "autopkg-discuss" group.
> To unsubscribe from this topic, visit https://groups.google.com/d/topic/autopkg-discuss/tTYGrMunpfI/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to autopkg-discu...@googlegroups.com.

ctdaw...@gmail.com

unread,
Jan 27, 2015, 4:51:04 PM1/27/15
to autopkg...@googlegroups.com
Appears to be resolved on the autopkg systems I updated this morning.

best regards,
Chris Dawe

Michael Mohr

unread,
Jan 27, 2015, 4:56:49 PM1/27/15
to autopkg...@googlegroups.com
Same here all clear!


Michael Mohr, ACMT

 Apple Certified Macintosh Technician

I.T. Support Technician

Direct | (417) 851-4592
Mobile | (417) 380-3905 

convoyofhope.org                 
330 S. Patterson Avenue          
Springfield MO 65802                              
Office | (417) 823-8998                  
--
CONVOY OF HOPE®
1455 Pennsylvania Avenue NW, Suite 400      
Washington DC 20004  
Office | (202) 280-2002 

Confidentiality notice: The information contained in this email message including attachments is confidential and is intended only for the use of the individual or entity named above and others who have been specifically authorized to receive it.  If you are not the intended recipient, you are hereby notified that any use, unauthorized dissemination, distribution, or copying of this communication is strictly prohibited.  If you have received this communication in error, please delete immediately or if any problems occur with transmission, please notify me immediately by telephone. Thank you.

--
You received this message because you are subscribed to a topic in the Google Groups "autopkg-discuss" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/autopkg-discuss/tTYGrMunpfI/unsubscribe.
To unsubscribe from this group and all its topics, send an email to autopkg-discu...@googlegroups.com.
Reply all
Reply to author
Forward
0 new messages