Unable to Update GlobalProtect App Due to Corrupt Signature
13015
Created On 11/04/20 18:04 PM - Last Modified 05/29/25 03:16 AM
Symptom
- Unable to upgrade GlobalProtect App
- Notice the following error within the PanGPS.log file or something similar in the WebUI system logs:
(T10256)Error( 165): 05/21/20 23:35:03:335 The file C:\Users\hellc\AppData\Local\Temp\_temp19536.msi is not signed or corrupted
(T10256)Error( 634): 05/21/20 23:35:03:335 file did not signed by us, return now
(T10256)Error( 634): 05/21/20 23:35:03:335 file did not signed by us, return now
Environment
- GlobalProtect Infrastructure deployed
- Windows AD environment
- GlobalProtect App
Cause
This issue can be caused by multiple reasons, but in this particular scenario the issue is being caused by an incorrect DNS entry for the GlobalProtect Portal
Resolution
- In this particular scenario, 2 separate DNS entries are used for their Portal's FQDN resulting in different responses when connected rather than disconnected: eg connected (10.*) and disconnected (12.*)
- During the upgrade process, the Portal's IP address must resolve to the same IP address that's included in the config file which was the private internal address (10.*) rather than the external public IP address (12.*)
Note: This is a snippet from the tech support file retrieved from the Portal Firewall:
<global-protect-portal>
<entry name="PDX-VPN">
<portal-config>
<local-address>
<ip>
<ipv4>10.50.51.2/29</ipv4>
</ip>
<interface>ethernet1/1</interface>
</local-address>
- Each upgrade attempt while outside of the network resulted in a failure stating the file was not signed or corrupt within the PanGPS.log file as shown below:
(T10256)Info ( 604): 05/21/20 23:35:03:332 #### updater started, command is C:\Users\hellc\AppData\Local\Temp\_temp19536.msi
(T10256)Debug( 39): 05/21/20 23:35:03:332 try verify file C:\Users\hellc\AppData\Local\Temp\_temp19536.msi
(T10256)Error( 165): 05/21/20 23:35:03:335 The file C:\Users\hellc\AppData\Local\Temp\_temp19536.msi is not signed or corrupted
(T10256)Error( 634): 05/21/20 23:35:03:335 file did not signed by us, return now
(T10256)Debug( 39): 05/21/20 23:35:03:332 try verify file C:\Users\hellc\AppData\Local\Temp\_temp19536.msi
(T10256)Error( 165): 05/21/20 23:35:03:335 The file C:\Users\hellc\AppData\Local\Temp\_temp19536.msi is not signed or corrupted
(T10256)Error( 634): 05/21/20 23:35:03:335 file did not signed by us, return now
- We confirmed the md5 checksums matched between the temporary file on the user's machine and what's pushed from Palo Alto Networks update server for the versions, but when attempting to launch the file it populated a 404 error as shown below as:
- This issue of url resolving to separate IP's was noticed when attempting to trigger the download process manually by navigating to https://<portal’s ip or fqdn>/global-protect/getmsi.esp
- The issue was resolved after modifying the DNS to have the Portal using the public IP address only (external 12.* IP address). GlobalProtect App upgrade was now completed without issue.
Additional Information
- For additional information regarding the full configuration of GlobalProtect and its components, please refer to the following document: GlobalProtect Admin Guide