External Package Signing for Software Vulnerability Manager Client Toolkit

Using Manual Signatures (also known as External Signatures) allows separating the privilege of Windows Server Update Services (WSUS) administration from the privilege to mark a package as trusted for deployment. With automatic signatures (typically, but not always, using a self-signed certificate), the WSUS administrator has full access to a digital certificate and private key that is trusted by all the machines within the organization. With Manual signatures, WSUS, and thus the WSUS administrator, does not require access to the private key.


The below prerequisites are required:

pfx certificate needs to be installed in WSUS m/c in Trusted publisher and Trusted CA.
pfx certificate needs to be installed in Trusted publisher and Trusted CA in the m/c where patch daemon is installed.

To External Package Signing, perform the following steps:

1. In Patch daemon, select Sign package manually option.

2. Restart the patch daemon.
3. Subscribe VPM packages and wait for patch daemon to fetch the tasks.
4. Patch daemon creates unsigned .cab files and places in the unsigned folder location.
5. The Unsigned folder location is available in the subscription status page as an unsigned path.

6. Sign the cab file using the format below and place the signed .cab file in the signed folder.

For example:

C:\ProgramData\Flexera Software\SVM Patch\SVMPatch IO\Signed\package_id\ 

Note:Private Keys are typically stored in .pvk files, and public keys are stored in .cer or .pfx files.

7. During the next check-in, the daemon picks and publishes the signed cab files.