FlexNet Manager Suite library content for the Application Recognition Library (ARL), SKU Library, and Product Use Rights Library (PURL) is delivered through signed CAB files. Digital signatures used on these files are generally trusted by default, but may not be trusted if you have a non-default or non-current set of trusted root certificates configured on your FlexNet Manager Suite batch server.
If the certificates are not valid, you might see a “Failed to verify the digital Signature of file” in the mgsRecognition / Recognition / ImportPURL logs.
This article describes how to verify details of the digital signature on a FlexNet Manager Suite library content CAB file, ensure it is trusted, and install a trusted root certificate if necessary.
Verifying the digital signature on a CAB file
To verify whether the digital signature on a CAB file used for delivering FlexNet Manager Suite library content is trusted on the batch server:
- Download the relevant .cab file and save/copy it to the batch server. For example, the Application Recognition Library file can be downloaded from here.
- In Windows Explorer, right click on the file and select the Properties menu option.
- Click on the Digital Signatures tab, click on the entry in the Signature list, and click the Details button:
- A dialog will be displayed with an indication of whether the digital signature is trusted. For example:
If everything is OK, you will see the message "The digital signature is OK". If not, you will see an error message, such as "Windows does not have enough information to verify this certificate."
Troubleshooting an untrusted digital signature
If a problem is reported with the digital signature on a .cab file, clicking on the View Certificate button in the Digital Signature Details dialog may show additional details which will help to identify the cause of the problem.
One possible cause is that the root certificate used is not trusted by your FlexNet Manager Suite batch server. Check for problems with the root certificate on the Certification Path tab when viewing the .cab file's certificate:
Installing a DigiCert trusted root certificate
FlexNet Manager Suite library content .cab file digital signatures currently use the "DigiCert Trusted Root G4" root certificate.
If this root certificate is not already trusted by your batch server, the certificate in PEM file format can be downloaded from DigiCert's website at https://www.digicert.com/digicert-root-certificates.htm.
Once downloaded, the certificate should be installed (aka "imported") to the Trusted Root Certification Authorities > Certificates folder for the "Local Machine" (all users).
Consult your server administrators or information published by Microsoft about how to install a trusted root certificate in your environment and for your specific operating system. This will often involve using the Windows Certificate Manager tool.
Additional causes and considerations
In some cases, although not as common, the "Failed to verify the digital Signature of file” error can also be caused by the CAB failing to fully download.
Verifying the CAB download
To verify whether the CAB file used for delivering FlexNet Manager Suite library content has downloaded, you can compare the MD5 hash by:
- Download the relevant .cab file and save/copy it to the batch server. For example, the Application Recognition Library file can be downloaded from here.
- Open an Administrative PowerShell terminal
- Change directory to where the CAB file is saved and run
Get-FileHash ‘RecognitionAfter82’ -Algorithm SHA1 | Format-List
- Open the PLC and navigate to FlexNet Manager Platform Content Libraries under FlexNet Manager Platform
- Expand the associated CAB by pressing the + icon and compare the MD5 hash
If the MD5 hash does not match, the file has failed to fully download, and this is usually caused by an interruption to the network or a proxy / load balancer being present in the environment.
