Mostly OS X Admin Related
Tag Archives: adobe
Which led to a discussion of why one serial number was better than the other, including asking “How does one know when their Creative Cloud Enterprise serial number is going to expire?” For those with sufficient rights to the Adobe Licensing Website, the code (for example “SN184”) is available there:
But what this code meant was unclear. A couple of quick searches led to this post by Alister Black on Adobe’s discussion forums:
> So the SN184 key expires in (April?) 2018?
This caused me to reach out to our Adobe rep for clarification:
> For colleagues who have serial numbers such as SN194, SN201,
> SN213–those would be Q4 2019, Q1 2020, and Q3 2021,
Yes. And note that our FY begins on December 1st. SN194 = November 30, 2019
Serial numbers designated in the licensing website with a “SNYYQ” designation expire at the end of the quarter designated by “Q” and the year that ends with the last two digits designated by “YY”, keeping in mind that quarters are calculated using Adobe’s fiscal year which starts on December 1.
If the currently-installed serial number will soon expire, users will be notified with a warning similar to this (thanks to Chris Helming on MacAdmins Slack for the screenshot):
Also note it seems to be a rule of thumb that serial numbers expire about one year after the end of the Creative Cloud for Enterprise agreement, which seems to be a gracious amount of time to allow for a new agreement to be hammered out.
Recently Adobe ended a licensing agreement with Dolby, “moving to native Operating System (OS) support for Dolby Digital decoding (reading Dolby files) and…no longer provid[es] support for encoding (writing) Dolby Digital and Dolby Digital Plus sound formats in the current and future releases of Creative Cloud.” Adobe will now rely on native OS decoding of Dolby media for playback (supported by OS X 10.11+ or Windows 8.1+) and the ability to create Dolby media will be removed. As a result some versions of some Creative Cloud software titles are no longer available, and as of November 3, 2017 the following professional titles are affected:
- After Effects CC 2015.3 and 2017
- Audition CC 2014, 2015, 2015.2, and 2017
- Media Encoder CC 2014, 2015, 2015.3, and 2017
- Prelude CC 2014, 2015, 2015.4, and 2017
- Premiere Pro CC 2014, 2015, 2015.3, and 2017
These titles are no longer available for Enterprise packaging via the Creative Cloud Packager or the Admin Console Cloud Packager. The CC 2017 versions of the applications do seem to be available via the Creative Cloud Desktop App (CCDA), however these CC 2017 titles appear to have been revised to no longer include Dolby software.
This change may create issues for customers–if a package for an appropriate version of a particular title has not been previously built (i.e. from either the Creative Cloud Packager or the Admin Console Cloud Packager), it may not be possible to install that software. This complicates both new installations (such as installing the software on additional computers) and reinstallation (such as during troubleshooting or computer rebuild situations). Beyond this, if the CCDA is used to install newer versions of software, the default setting is to remove previous versions of that software title. It is reasonable that a later version of a piece of software would be installed for testing, however if issues were discovered it would be impossible to reinstall the earlier version and be able to access the full features of that previous version.
Regarding software installation, if it’s not possible to build the software installation packages required by your organization the only option is to reach out to Adobe support and request assistance.
Also note that if it’s not possible to build an installation package for a title, it’s also not possible to build an uninstallation package for that title. There are a few options for uninstallation:
- Software can be uninstalled by hand using the GUI uninstaller–although it doesn’t scale well, it is an option
- If the original uninstallation package (created when the installation package was created) is available, this would also work to uninstall the software
- If the title to be uninstalled uses a new-style “HyperDrive” package (“HyperDrive” package titles listed here) it is possible to uninstall the software via the command line
- The CC Cleaner Tool may be used to generate an XML file to uninstall software using the CC Cleaner Tool binary. Note the CC Cleaner Tool is a command-line binary plus a configuration file that needs to be generated on a computer that has the software installed that is wished to be removed. The CC Cleaner Tool is not a traditional macOS installation package and will require being integrated into a package to be used with most management systems. Also note it appears it is not possible to silently uninstall “all” products and suppress the CC Cleaner Tool EULA–all products that are desired to be uninstalled will need to be noted in “cleanup.xml” in order to bypass the EULA
- It may be possible to build a CCP “Uninstall ‘Package'” and modify the “AdobeCCUninstallerConfig.xml” configuration file to add additional products to uninstall. Note a CCP “Uninstall ‘Package'” is a command-line binary plus a generated configuration file–it is not a traditional macOS installation package and will require being integrated into a package to be used. Also note software installed using the older Adobe “RIBS”-based packages require “SapCode”, “Version”, “Leid”, “Platform”, “mediaSignature”, and “adobeCode” information in order to be successfully uninstalled. Obtaining this information will likely will require the assistance of Adobe support, and modifying a CCP “Uninstall ‘Package'” should be evaluated after trying the above CC Cleaner Tool option
- It also may be possible to contact Adobe support and ask to be provided the proper uninstall package
These installation changes due to shifting licensing are unfortunate, since it shifts a potentially significant burden onto the IT administrator. Hopefully in the future Adobe’s licensing folks will work with the Enterprise IT folks in order to have a smoother transition with additional documentation.
Update, 11:30 a.m. CST, 2/24/2017: Adobe has posted a KBase article about this and how it relates to Acrobat. Thanks to Blake Garner for letting me know. I’ve used the information in that article to update the list of affected Acrobat package revisions.
On February 21, 2017 at 1:42 p.m. CST a certificate used to sign some of Adobe’s older software titles expired. This causes some Adobe packages to fail–specifically packages that are, at their core, Apple-standard packages. These titles include the following:
- Acrobat Pro DC Classic updates before
- Acrobat Pro DC Continuous updates before
- Acrobat Pro XI updates before 11.0.17
- Acrobat Reader DC Classic updates before 15.006.30172
- Acrobat Reader DC Continuous updates before 15.016.20039
- Acrobat Reader XI updates before 11.0.17
- Edge Code .98
- Edge Inspect 1.5.486
- Edge Reflow .51
- Lightroom 5
- Muse CC 2014.2.1
- Muse CC 2014.3.2.11
- Scout 1.1.3
While administrators may not intentionally be installing the non-Acrobat titles any more, there definitely can be forgotten titles included in long-ago created Creative Cloud Packager (CCP) packages. If macOS rejects a package due to an expired signing certificate, it will cause the entire CCP package to fail and no software will be installed.
Curiously the Acrobat packages newer than the above affected versions are signed with the same expired certificate as the earlier packages, but still pass macOS’s security muster. It is unknown why this is the case.
Rejected Adobe signing certificate:
Accepted Adobe signing certificate:
Apple packages embedded in a CCP package can be found with “find”:
$ find "lightroom_5_namedlicense/Build/lightroom_5_namedlicense_Install.pkg/Contents" -name "*.pkg" lightroom_5_namedlicense/Build/lightroom_5_namedlicense_Install.pkg/Contents/Resources/Setup/LTRM5.6en_US/Adobe Photoshop Lightroom 5.pkg
Once found, the embedded packages can be checked one of two ways:
- By opening the embedded package in Installer and clicking the (sometimes invisible) padlock in the upper right-hand corner. Problematic packages will have their certificate marked as “This certificate has expired” (pictured above with the Acrobat Pro XI 11.0.10 Updater)
- By using the “pkgutil –check-signature” command. Problematic packages will be noted as “Status: signed by a certificate that has since expired” rather than “Status: signed by a certificate trusted by Mac OS X”:
$ pkgutil --check-signature "lightroom_5_namedlicense/Build/lightroom_5_namedlicense_Install.pkg/Contents/Resources/Setup/LTRM5.6en_US/Adobe Photoshop Lightroom 5.pkg" Package "Adobe Photoshop Lightroom 5.pkg": Status: signed by a certificate that has since expired Certificate Chain: 1. Developer ID Installer: Adobe Systems, Inc. SHA1 fingerprint: 9D 75 C9 20 01 4A 65 04 94 A7 63 95 E3 91 93 47 04 E8 57 DF ----------------------------------------------------------------------------- 2. Developer ID Certification Authority SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86 ----------------------------------------------------------------------------- 3. Apple Root CA SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60
I believe Adobe’s response to this issue will be one of the following:
- “Do not use the affected packages. They are old and have been supplanted by newer technology.” This response works for Scout, Edge Code, and other non-Acrobat packages
- “Migrate to the newest version of the affected software.” This response works for Acrobat and Lightroom packages
Options to handle this issue include:
- If this issue affects a CCP package with multiple titles, a replacement package will need to be built without the affected titles (or with updated titles, if available). There is no support for editing CCP package contents nor controls for a customized installation. If the CCP package contained more than one software title, now might be a good time to consider building individual packages for each individual application
- For Acrobat XI and DC flavors (including Reader), install the latest version
- For Edge Code, move to Brackets
- For Muse, move to Muse CC 2015 or later
- If continuing to use a package is unavoidable, expanding and then flattening the package has the side effect of removing the signature
To expand and flatten a package to remove the digital signature:
- First let’s verify the package doesn’t install properly
$ sudo installer -pkg "/Users/admin/Desktop/lightroom_5_namedlicense/Build/lightroom_5_namedlicense_Install.pkg" -target / Password: installer: Package name is lightroom_5_namedlicense installer: Installing at base path / installer: The install failed (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance.)
- Then locate the embedded Apple package using the “find” command above
$ find "/Users/admin/Desktop/lightroom_5_namedlicense/Build/lightroom_5_namedlicense_Install.pkg/Contents" -iname "*.pkg" /Users/admin/Desktop/lightroom_5_namedlicense/Build/lightroom_5_namedlicense_Install.pkg/Contents/Resources/Setup/LTRM5.6en_US/Adobe Photoshop Lightroom 5.pkg
- And we can verify the signature is expired
$ pkgutil --check-signature "/Users/admin/Desktop/lightroom_5_namedlicense/Build/lightroom_5_namedlicense_Install.pkg/Contents/Resources/Setup/LTRM5.6en_US/Adobe Photoshop Lightroom 5.pkg" Package "Adobe Photoshop Lightroom 5.pkg": Status: signed by a certificate that has since expired Certificate Chain: 1. Developer ID Installer: Adobe Systems, Inc. SHA1 fingerprint: 9D 75 C9 20 01 4A 65 04 94 A7 63 95 E3 91 93 47 04 E8 57 DF ----------------------------------------------------------------------------- 2. Developer ID Certification Authority SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86 ----------------------------------------------------------------------------- 3. Apple Root CA SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60
- We can use “pkgutil” to “expand” the package
$ pkgutil --expand "/Users/admin/Desktop/lightroom_5_namedlicense/Build/lightroom_5_namedlicense_Install.pkg/Contents/Resources/Setup/LTRM5.6en_US/Adobe Photoshop Lightroom 5.pkg" "/tmp/Adobe Photoshop Lightroom 5.pkg"
- And delete the original, expired package
$ rm -rf "/Users/admin/Desktop/lightroom_5_namedlicense/Build/lightroom_5_namedlicense_Install.pkg/Contents/Resources/Setup/LTRM5.6en_US/Adobe Photoshop Lightroom 5.pkg"
- “Flatten” the expanded package with “pkgutil” back to the location of the original
$ pkgutil --flatten "/tmp/Adobe Photoshop Lightroom 5.pkg" "/Users/admin/Desktop/lightroom_5_namedlicense/Build/lightroom_5_namedlicense_Install.pkg/Contents/Resources/Setup/LTRM5.6en_US/Adobe Photoshop Lightroom 5.pkg"
- We can now check the embedded package is no longer signed
$ pkgutil --check-signature "/Users/admin/Desktop/lightroom_5_namedlicense/Build/lightroom_5_namedlicense_Install.pkg/Contents/Resources/Setup/LTRM5.6en_US/Adobe Photoshop Lightroom 5.pkg" Package "Adobe Photoshop Lightroom 5.pkg": Status: no signature
- Then test the edited package
$ sudo installer -pkg "/Users/admin/Desktop/lightroom_5_namedlicense/Build/lightroom_5_namedlicense_Install.pkg" -target / Password: installer: Package name is lightroom_5_namedlicense installer: Installing at base path / installer: The install was successful.