Updated on: February 18, 2015
We have added more information on the versions affected by this issue, and added the text of the error message.
Summary
Moka5 has discovered that some Windows Player and Creator versions did not include a verified timestamp.
A timestamp is used to validate the application signature after the signing certificate has expired. Without this timestamp, affected versions of Moka5 Player and Creator on Windows will not launch after our signing certificate expires on February 2 or 3, 2015.
Moka5 4.2, and the 4.1.5 and 4.0.7 patches, resolve this issue. An interim workaround is available for customers who have not applied these patches.
Applies to
- 4.1.4 - 4.1.2 Player and Creator on Windows hosts
- 4.0.6 - 4.0.2 Player and Creator on Windows hosts
- 3.19.4 Player and Creator on Windows hosts
This issue may also appear on older versions of Moka5. These versions are no longer generally supported. To resolve this issue, upgrade to Moka5 4.2, 4.1.4, or 4.0.7. Alternatively, apply the configuration change documented below under Host Script Workaround or Manual Workarounds.
Table of Contents
- Issue Description
- When will my certificate expire?
- Resolution
- Host Script Workaround
Issue Description
Moka5 has discovered that some Windows Player and Creator versions did not include a verified timestamp. A timestamp is used to validate the application signature after the signing certificate has expired.
Without this timestamp, affected versions of Moka5 Player and Creator on Windows will not launch after our signing certificate expires.
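To find binaries in the same state before a certificate expires, the check below reports which signed files lack a timestamp countersignature. It is an added example, not a Moka5 tool; the default path, the 90-day warning window and the function name are assumptions.

```powershell
# Added example: audit Authenticode signatures for a missing timestamp countersignature.
param(
    # Placeholder directory; replace with the folder that holds the binaries to audit.
    [string]$Path = 'C:\Path\To\Binaries',
    # Flag untimestamped files whose signing certificate expires within this many days.
    [int]$WarnDays = 90
)

function Get-SignatureTimestampReport {
    param([string]$Root, [int]$WarnDays)

    $now = Get-Date
    Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = $sig.SignerCertificate       # $null when the file is unsigned
            $tsa    = $sig.TimeStamperCertificate  # $null when there is no timestamp

            # Floor so that a certificate that expired an hour ago counts as -1, not 0.
            $daysLeft = if ($signer) { [int][math]::Floor(($signer.NotAfter - $now).TotalDays) } else { $null }
            $finding  = if (-not $signer)                { 'Unsigned' }
                        elseif ($tsa)                    { 'Timestamped' }
                        elseif ($daysLeft -lt 0)         { 'Cert expired, no timestamp' }
                        elseif ($daysLeft -le $WarnDays) { 'Cert expiring, no timestamp' }
                        else                             { 'No timestamp' }

            [pscustomobject]@{
                File         = $_.FullName
                Status       = $sig.Status
                SignerExpiry = if ($signer) { $signer.NotAfter } else { $null }
                DaysLeft     = $daysLeft
                Timestamped  = [bool]$tsa
                Finding      = $finding
            }
        }
}

$report = @(Get-SignatureTimestampReport -Root $Path -WarnDays $WarnDays)
$report | Sort-Object DaysLeft | Format-Table File, Status, SignerExpiry, Timestamped, Finding -AutoSize

# Non-zero exit lets a build or release gate fail when any signed file lacks a timestamp.
$missing = @($report | Where-Object { -not $_.Timestamped -and $_.Finding -ne 'Unsigned' })
if ($missing.Count -gt 0) { exit 1 }
```

Run as a release gate, this catches a signed but untimestamped build years before the signing certificate's expiry turns it into a launch failure.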
When will my certificate expire?
Depending on the time zone where your deployment is based, your certificates may expire on February 2 or February 3, 2015. The certificate was issued February 2, 2012, at 1:34 PM (GMT-08:00), and will expire three years after it was issued. Affected Player and Creator versions will fail to launch at your local time zone's equivalent of 1:34 PM (GMT-08:00).
Note: This time is based on Creator and Player time, not on the Management Server time. If you have users in multiple time zones, their Players will lock at different times.
After this deadline, affected Player and Creator versions will fail to launch and display the following error: "There is possible host corruption. Please contact your system administrator."
This issue is resolved in Moka5 4.2 and the 4.1.5 and 4.0.7 patches.
Resolution
Moka5 4.2, 4.1.5, and 4.0.7 are properly signed and timestamped. Download these patches from the Customer Support Portal. Customers should upgrade affected Windows hosts to 4.2, 4.1.5, or 4.0.7 to resolve this issue.
No functional changes are included in these patch releases. The only change will be the verified timestamp and application signature.
Host Script Workaround
We recognize that it may be difficult to upgrade affected Windows clients quickly, so we have created a host script workaround that will permit affected Player versions to launch even after the signing certificate expires on February 2 or 3, 2015.
Important: Host scripts do not execute on Creator hosts, so you must apply the change manually on Creator systems.
For some customers, it may be quicker to deploy the workaround than to deploy an updated Client Pack; however, we strongly recommend that you apply the 4.2 upgrade, or either the 4.0.7 or 4.1.5 patch, as soon as possible to resolve the issue.
The host script workaround adds a DWORD entry, AuthdNoSignatureCheck, to the following registry key:
On 32-bit Windows hosts:
- "HKEY_LOCAL_MACHINE\SOFTWARE\mokafive\LivePC Engine"
On 64-bit Windows hosts:
- "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\mokafive\LivePC Engine"
The entry has a value of “1.” Adding this entry allows Player to launch even after the certificate expires, but does not affect Player, LivePC, or user data in any other way.
Updating the Player registry key via a host script
A host script is available that will set a Moka5 registry key to permit affected Player installations to launch even after the signing certificate expires.
Download the host script here.
Deploying the host script
- Add the host script to your deployment by following the instructions in “Run host scripts on Mac or Windows host computers.”
- Deploy a Player update to distribute the host script to your end users.
- When the user is prompted and accepts the Player update, Player will close and apply the update.
- When the update completes, the user will be prompted to re-launch Player.
- When the user re-launches Player, the host script will display a notification.
- The end user clicks OK.
- A Windows User Account Control prompt appears. The end user accepts it. If the user is not logged in as an Administrator, they will be prompted to enter Administrator credentials in the User Account Control notification.
Note: Users on Windows XP hosts will not see a User Account Control notification.
- The host script runs, adding the registry key entry.
- After the host script runs, Player launches.
Changing the host script text
You can modify the text the host script displays. For example, you can add a phone number for your Help Desk.
To modify the host script text:
- Open the host script directory.
- Locate and open notice.txt. This file contains the text displayed by the host script.
- Make your changes to the text. The text can be up to 2 MB in size.
- Save notice.txt.
Important: Do not save notice.txt with a different name.
Adding the host script to an existing bundle
If you're already using host scripts, you can add this functionality by adding the contents of the .zipped host script directory to your host script bundle and modifying your existing tasks.xml to add the new host script’s data to the file.
The new tasks.xml should look like this:
<?xml version="1.0" encoding="UTF-8" ?>
<tasks>
<!--New script content -->
<task name_id="hostscript-disable-signature-check" version="1">
<enable>true</enable>
<command>hostscript-app.exe --check signature-reg-exists-check.bat --file notice.txt --title Important! --exec signature-policy-add.bat --admin 1</command>
<context>user</context>
<launch>on player start</launch>
<output>
<run_player>false</run_player>
<stdout>
<format env="true">kvp</format>
</stdout>
</output>
</task>
<!--Old script configuration -->
<task name_id="Old_host_Script" version="1/1/2014">
<enable>true</enable>
<command>python Old_Host_Script.py </command>
<context>user</context>
<launch>on player start</launch>
<output>
<stdout>
<format env="true">kvp</format>
</stdout>
</output>
</task>
</tasks>
Viewing which users have applied the registry key change
You can query your SQL database directly for information on which LivePCs have run the host script successfully, unsuccessfully, or not at all.
Querying the SQL database
- Connect to the SQL Server via the SQL Management Studio. Note: You may need to install the SQL Management Studio.
- Right-click on the database you wish to query and select New Query.
- A new window opens. Paste in the text below and click Execute.
Use the following query for a 4.0 Management Server:
SELECT
U.USER_ID as 'User ID',
U.LAST_NAME as 'Last Name',
U.FIRST_NAME as 'First Name',
P.PROPVALUE as 'EXEC_RETURN_CODE',
D.USER_ASSIGNED_NAME as 'Host Info',
D.VERSION as 'M5 Player Version',
D.SERIAL as 'Host Serial',
D.OS_MAKE as 'Platform',
D.OS_MODEL as 'Version',
D.OS_BITWIDTH as 'x32/x64',
dateadd( SECOND, D.LAST_HEARD_FROM/1000, '1970-1-1' ) as 'M5 Player Last Check In',
D.DEVICE_ID as 'Device Id',
U.EMAIL
FROM
DIR_USER_REF as U JOIN DEVICE as D ON D.USER_ID = U.SUBJECT_ID
AND D.STATUS = 0
AND D.OS_MAKE = 'WINDOWS'
LEFT OUTER JOIN ENDPOINT_PROP as P ON D.DEVICE_ID = P.EXTERNALID
AND P.NAMESPACE = 'hostscript-disable-signature-check'
AND P.PROPKEY = 'EXEC_RETURN_CODE'
AND P.PROPVALUE = '0'
ORDER BY EXEC_RETURN_CODE DESC, D.LAST_HEARD_FROM DESC
Use the following query for a 4.1 or 4.2 Management Server:
SELECT
U.USER_ID as 'User ID',
U.LAST_NAME as 'Last Name',
U.FIRST_NAME as 'First Name',
P.PROPVALUE as 'EXEC_RETURN_CODE',
D.USER_ASSIGNED_NAME as 'Host Info',
D.VERSION as 'M5 Player Version',
D.SERIAL as 'Host Serial',
D.OS_MAKE as 'Platform',
D.OS_MODEL as 'Version',
D.OS_BITWIDTH as 'x32/x64',
dateadd( SECOND, D.LAST_CHECKED_IN_AT, '1970-1-1' ) as 'M5 Player Last Check In',
D.DEVICE_ID as 'Device Id',
U.EMAIL
FROM
DIR_USER_REF as U JOIN DEVICE as D ON D.USER_ID = U.SUBJECT_ID
AND D.STATUS = 0
AND D.OS_MAKE = 'WINDOWS'
LEFT OUTER JOIN ENDPOINT_PROP as P ON D.DEVICE_ID = P.EXTERNALID
AND P.NAMESPACE = 'hostscript-disable-signature-check'
AND P.PROPKEY = 'EXEC_RETURN_CODE'
AND P.PROPVALUE = '0'
ORDER BY EXEC_RETURN_CODE DESC, D.LAST_CHECKED_IN_AT DESC
The result appears in the Messages panel. In the EXEC_RETURN_CODE column, a result of 0 indicates that the host script has executed successfully, and a result of NULL indicates that the host script has not yet run. Any other result indicates failure.
For more information, read this section of our Knowledge Base article on host scripts.
Moka5 4.1.5 and 4.0.7: Removing the registry key via a host script
Once you have uploaded the 4.1.5 or 4.0.7 Client Pack to your Management Server, you can add the host script that removes the AuthdNoSignatureCheck registry key. This host script is called “Enable Signature Check.”
Download the host script here.
Important: For the best user experience, target the new host script and 4.1.5 or 4.0.7 Client Pack to your Windows users at the same time. Targeting the new Client Pack and modified host script simultaneously allows you to distribute all changes to your users in one Player update.
If the only host script you are using is the Disable Signature Check host script, replace it by uploading the Enable Signature Check script to the Management Server.
Alternatively, if you have deployed a host script bundle, update the file to include the Enable Signature Check host script.
Important: When you update your host script bundle, remove the information for the Disable Signature Check host script.
Example:
Before the upgrade, your tasks.xml includes the Disable Signature Check host script:
<?xml version="1.0" encoding="UTF-8" ?>
<tasks>
<!--Disable Signature Check task -->
<task name_id="hostscript-disable-signature-check" version="1">
<enable>true</enable>
<command>hostscript-app.exe --check signature-reg-exists-check.bat --file notice.txt --title Important! --exec signature-policy-add.bat --admin 1</command>
<context>user</context>
<launch>on player start</launch>
<output>
<run_player>false</run_player>
<stdout>
<format env="true">kvp</format>
</stdout>
</output>
</task>
<!--Old script configuration -->
<task name_id="Old_host_Script" version="1/1/2014">
<enable>true</enable>
<command>python Old_Host_Script.py </command>
<context>user</context>
<launch>on player start</launch>
<output>
<stdout>
<format env="true">kvp</format>
</stdout>
</output>
</task>
</tasks>
After updating the host script bundle with the Enable Signature Check host script's tasks.xml information, your tasks.xml should look like this:
<?xml version="1.0" encoding="UTF-8"?>
<tasks>
<!--Enable Signature Check task -->
<task name_id="hostscript-enable-signature-check" version="1">
<enable>true</enable>
<command>hostscript-app.exe --check signature-reg-not-exists-check.bat --file notice.txt --title Important! --exec signature-policy-del.bat --admin 1</command>
<context>user</context>
<launch>on player start</launch>
<output>
<run_player>false</run_player>
<stdout>
<format env="true">kvp</format>
</stdout>
</output>
</task>
<!--Old script configuration -->
<task name_id="Old_host_Script" version="1/1/2014">
<enable>true</enable>
<command>python Old_Host_Script.py </command>
<context>user</context>
<launch>on player start</launch>
<output>
<stdout>
<format env="true">kvp</format>
</stdout>
</output>
</task>
</tasks>
Upload the new host script bundle to the Management Server.
After applying the patch and updating your host script or bundle, target the update to your Windows users.
- Log in to the Moka5 Management Console with a Desktop Administrator account.
- In Policies > Player Policies, target the 4.1.5 or 4.0.7 Player version and the host script or bundle to Windows users.
- Click Save Changes to deploy the update.
Important: Only click Save Changes once, after targeting both the Client Pack and the host script. If you save twice, you will deploy two updates to your users.
For more information on using host scripts on Mac and Windows hosts, read our Knowledge Base article.
Important: Host scripts do not run on Creator. You must use a manual workaround on affected Creator hosts.
Updating the Player or Creator registry key manually on an affected host
You can manually update Creator or Player by setting the registry key on an affected host. Downloading and executing a .bat file locally will set the registry key and allow Player and Creator to launch.
Download the .bat file here.
- Right-click the .bat file and select Run as Administrator.
- The .bat file will add the registry key entry to your host, and Creator or Player will be able to launch.
- Confirm that the .bat file ran successfully by opening the registry editor and navigating to the directory where the registry key is stored.
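On 32-bit Windows hosts:
- "HKEY_LOCAL_MACHINE\SOFTWARE\mokafive\LivePC Engine"
On 64-bit Windows hosts:
- "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\mokafive\LivePC Engine"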
- The registry key will display in the directory.
Moka5 4.1.5 and 4.0.7: Removing the registry key from an affected host
If you set the registry key on Player or Creator using the .bat file in “Updating the Player or Creator registry key directly on an affected host,” you can remove it by running another .bat file on the same host.
Download the .bat file here.
- Right-click the .bat file and select Run as Administrator.
- The .bat file will remove the registry key entry from the host.
- Confirm that the .bat file ran successfully by opening the registry editor and navigating to the directory where the registry key was stored.
On 32-bit Windows hosts:
- "HKEY_LOCAL_MACHINE\SOFTWARE\mokafive\LivePC Engine"
On 64-bit Windows hosts:
- "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\mokafive\LivePC Engine"
- The registry key will no longer appear in the directory.
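Because AuthdNoSignatureCheck turns off the signature check entirely, it is worth confirming its removal by script rather than by eye. The check below is an added example, not one of the Moka5 .bat files or host scripts; the registry path and value name come from this article, while the function name and exit codes are assumptions.

```powershell
# Added example: report whether the signature-check bypass value is still set on this host.
# Registry subkey and value name are taken from the article; the rest is illustrative.
$SubKey    = 'SOFTWARE\mokafive\LivePC Engine'
$ValueName = 'AuthdNoSignatureCheck'

function Get-SignatureBypassState {
    # Open both registry views explicitly so the result does not depend on whether this
    # PowerShell process is 32-bit or 64-bit. On 64-bit Windows the 32-bit view of
    # HKLM\SOFTWARE is the Wow6432Node path listed in the article. On 32-bit Windows
    # both views resolve to the same key, so the two rows are identical.
    $views = @([Microsoft.Win32.RegistryView]::Registry32,
               [Microsoft.Win32.RegistryView]::Registry64)
    foreach ($view in $views) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        try {
            $key   = $base.OpenSubKey($SubKey)   # read-only; $null if the key is absent
            $value = if ($key) { $key.GetValue($ValueName, $null) } else { $null }
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                View     = $view
                KeyFound = [bool]$key
                Value    = $value
                Bypass   = ($value -eq 1)        # the workaround sets the DWORD to 1
            }
            if ($key) { $key.Close() }
        }
        finally { $base.Close() }
    }
}

$report = @(Get-SignatureBypassState)
$report | Format-Table -AutoSize

# Exit 1 when the bypass is still present so a management tool can collect non-compliant hosts.
if ($report.Bypass -contains $true) {
    Write-Warning "$ValueName is set: signature checking is disabled on this host."
    exit 1
}
exit 0
```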
Moka5 4.1.5 and 4.0.7: Re-enabling Player or Creator with a new client installer
Alternatively, when they become available, you can run the Moka5 4.1.5 or 4.0.7 client installer directly on an affected Windows host.
This solution corrects the issue without the use of a host script or .bat file.
- If a LivePC is running on the affected host, shut down the LivePC.
- Exit Player by right-clicking on the Moka5 logo in the system tray and selecting Exit.
- Download the 4.1.5 or 4.0.7 installer from the Customer Support Portal.
- Run the installer on the affected host. The installer will prompt you to upgrade to 4.1.5 or 4.0.7.
- Launch Player.
Upgrading to 4.1.5 or 4.0.7 does not require a host restart, and will not affect the user's LivePC or personal data.
When will 4.1.5 and 4.0.7 be released?
4.1.5 and 4.0.7 are available now.
Download them from the Customer Support Portal.
Alternatively, upgrade to Moka5 4.2.
What if users do not apply the host script workaround or upgrade their Player version before the certificate expires on February 2 or 3, 2015?
Users who have been unable to work around or resolve the issue before the certificate expires can use the manual workaround. Once the manual workaround is applied, users will be able to launch Player successfully.
How do I revert the registry key change once the issue has been resolved by 4.1.5 and 4.0.7?
A host script is available for 4.0.7 and 4.1.5 users to revert the registry key change. To minimize disruption to end users, administrators can deploy the removal host script in the same Player update that upgrades affected hosts to 4.1.5 or 4.0.7.
Read about how to use the host script here.
How did this issue occur?
A change to our build system resulted in some Windows Client Packs being released without verified timestamps.
What is Moka5 doing to ensure this does not happen again?
We have implemented build process governance changes so that future modifications to the build process are more carefully audited. We have also expanded QA to include additional testing around timestamps and signature checks to ensure that a signature with a valid timestamp is included on all released components.