Today VMware released the KB "Resolved [SINST-176145] - Multiple Workspace ONE UEM application pools and services may not start on..." for Workspace ONE UEM.
This KB outlines that, due to expired certificates which were used for signing certain DLLs, the servers will not respond when they are rebooted. We had the same issue.
We also checked some DLLs and executables on our Horizon connection brokers (8.9.0, build 21507980, version 2303) and found that those files are also signed with expiring certificates, for instance messageframework.dll and ws_ConnectionServer.exe.
These expire on the 12th of August 2023.
VMware states that the signing of DLLs and executables for Horizon is no problem.
VMware states:
As per our discussion, the internal certificates responsible for these DLLs would be expected to regenerate once they expire tomorrow morning. No action is required until this time, at which point you can check to see that they were recreated successfully.
After checking internally, this will not be a problem for Horizon as it is not signed in the same way.
UEM was using an internal CA for some services without timestamps (now corrected), but Horizon uses a public CA with timestamps.
“Is timestamped code valid after a Code Signing Certificate expires?
Digicert timestamp services allow you to timestamp your signed code. Timestamping ensures that code will not expire when the certificate expires because the system validates the timestamp. If you use the timestamping service when signing code, a hash of your code is sent to the timestamp server to record a timestamp for your code. A user’s software can distinguish between code signed with an expired certificate that should not be trusted and code that was signed with a Certificate that was valid at the time the code was signed but which has subsequently expired.
Please specify the timestamp server URL you need when you sign your code. DigiCert provides you with both SHA-1 and SHA-256 RFC 3161 timestamping URLs.
The timestamp server validates the date and the time that the file was signed; therefore the certificate can expire but the signature will be valid for as long as the file is in production. A new certificate is only necessary if you want to sign additional code or re-sign code that has been modified.
If you do not use the timestamping option during the signing, you must re-sign your code and re-send it out to your customers.
To verify if your file has been timestamped, you can use the verifying commands provided in our knowledge base articles. The date and time will be displayed when the file has been timestamped. No dates or a warning will appear when the file has NOT been timestamped.
See: Instructions to sign and timestamp your code.”
Reference: https://knowledge.digicert.com/generalinformation/INFO1119.html
We got a reply that the files are signed with a certificate that has an expiring setting. We also tested by setting the system date after this signing date and restarting the services. It shows OK.
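The distinction the DigiCert text draws (a timestamped signature survives certificate expiry, an untimestamped one does not) is something you can check yourself before a reboot rather than after. The following PowerShell is an added example written for this thread, not a script from VMware or from the KB: it walks a folder of DLLs and EXEs with the built-in Get-AuthenticodeSignature cmdlet, records the signer's NotAfter date and whether a timestamper certificate is present, and flags files whose signer expires within a warning window and that carry no timestamp, which is exactly the UEM condition described above. The install path is a placeholder assumption; point it at your own Horizon or UEM server directory.

```powershell
# Added example, not from the original post or from VMware.
# Inventory Authenticode signatures under a folder and flag files that are
# signed without an RFC 3161 timestamp by a certificate that expires soon.
function Get-SigningRisk {
    param(
        # Placeholder path (assumption); replace with the real server install directory.
        [string]$Path = 'C:\Program Files\VMware\VMware View\Server',
        # Flag files whose signer certificate expires within this many days.
        [int]$WarnDays = 30
    )

    $now = Get-Date
    Get-ChildItem -Path $Path -Recurse -Include *.dll, *.exe -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = $sig.SignerCertificate
            # TimeStamperCertificate is $null when the signature carries no timestamp.
            $tsa    = $sig.TimeStamperCertificate
            $daysLeft = if ($signer) { [int]($signer.NotAfter - $now).TotalDays } else { $null }

            [pscustomobject]@{
                File        = $_.FullName
                Status      = $sig.Status            # Valid, NotSigned, HashMismatch, ...
                Signer      = if ($signer) { $signer.Subject } else { '' }
                NotAfter    = if ($signer) { $signer.NotAfter } else { $null }
                DaysLeft    = $daysLeft
                Timestamped = [bool]$tsa
                # AtRisk: signed, no timestamp, and the signer expires within WarnDays
                # (or has already expired, which gives a negative DaysLeft).
                AtRisk      = ($null -ne $signer) -and (-not $tsa) -and
                              ($null -ne $daysLeft) -and ($daysLeft -le $WarnDays)
            }
        }
}

# Usage: list at-risk files first, soonest expiry at the top.
Get-SigningRisk |
    Sort-Object @{Expression = 'AtRisk'; Descending = $true}, DaysLeft |
    Format-Table -AutoSize File, Status, Timestamped, DaysLeft, NotAfter
```

Timestamped files that show a Valid status with a NotAfter date in the past are the expected, harmless case the DigiCert text describes; rows with AtRisk set to True are the ones worth raising with the vendor before their expiry date. If you want the actual timestamp date rather than just the presence of a timestamper certificate, signtool verify /pa /v on the file prints it.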
