Error: One of the files in the setup has an invalid certificate. C:\Program Files\Blackbaud\The Raisers Edge 7\Deploy\BBPatch.exe. Invalid or no signature. when installing a patch on a workstation

When attempting to install a patch on workstation(s), the following errors may occur in succession:
  • Error: One of the files in the setup has an invalid certificate. File: C:\Program Files (x86)\Blackbaud\The Raisers Edge 7\Deploy\Patch\BBPatch.exe. Invalid or no signature. (64-bit operating systems),  OR 
    Error: One of the files in the setup has an invalid certificate. File: C:\Program Files\Blackbaud\The Raisers Edge 7\Deploy\Patch\BBPatch.exe. Invalid or no signature. (32-bit operating systems)
  • Error: The installation of the patch has failed (ErrorCode = 1602).
This issue can occur when a workstation is unable to connect to a Certificate Authority to validate the certificates and see if they have expired.

To confirm that the above issue exists for the digital certificates for the BBPatch.exe and PatchPackage.msp files, complete the following steps:
  1. Navigate to the deploy folder.
  2. Open the Patch folder. 
  3. Right-click on the file BBPatch.exe and choose Properties. 
  4. Select the Digital Signatures tab. 
  5. In the Signature list, select the Blackbaud, Inc. signer and click the Details button.
  6. On the General tab of the Digital Signature Details window, the status should say "One of the countersignatures is not valid. The file may have been altered".
  7. In the Countersignatures section, highlight the Symantec Time Stamping Services Signer-G4 entry and click the Details button.
  8. On the General tab for the Symantec Time Stamping Services Signer - G4 Digital Signature Details, the status will have a red X with the words "The operation completed successfully".  
  9. Click on the View Certificate button.
  10. On the General tab under Certificate Information, there will be a message saying, "The timestamp signature and/or certificate could not be verified or is malformed".
  11. Select the Details tab, scroll down until you see Extended Error Information in the Field column.
  12. In the Value column, you should see this message, "Revocation Status: The revocation function was unable to check revocation because the revocation server was offline." 
  13. Repeat steps 1 - 12 for the PatchPackage.msp file, if desired.

If, after completing the above steps, you see that the digital certificates are NOT OK and contain the messages as described, then complete the following:
  • Have your IT staff review the domain group policies, proxy server settings and firewall settings to see what is in place in your environment that is preventing the workstation from connecting to a Certificate Authority to validate the certificates. For the firewall, the Symantec Time Stamping Service needs to be allowed so that the workstations are able to verify the certificates.  These tasks are best performed by IT staff such as network and system administrators.  Please contact the appropriate software vendor or IT professional for assistance with this process or issue, which is beyond Blackbaud's scope of support.
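
The signature check in steps 1 - 12 can also be run from PowerShell, which additionally lists the CRL and OCSP URLs that the proxy or firewall review needs to allow. This is an added example, not Blackbaud's own tooling; the `$PatchDir` value and the `Test-CertRevocation` function name are assumptions to adjust for your environment.

```powershell
# Added example. $PatchDir is an assumption: point it at your own Deploy\Patch folder.
$PatchDir = 'C:\Program Files (x86)\Blackbaud\The Raisers Edge 7\Deploy\Patch'
$Files    = 'BBPatch.exe', 'PatchPackage.msp'
# Extension OIDs: CRL Distribution Points and Authority Information Access (OCSP)
$UrlOids  = '2.5.29.31', '1.3.6.1.5.5.7.1.1'

function Test-CertRevocation {
    param([string]$File, [string]$Role,
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert) { return }   # no signer or no countersignature on this file
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode      = 'Online'      # force a live CRL/OCSP lookup
    $chain.ChainPolicy.RevocationFlag      = 'ExcludeRoot'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    [void]$chain.Build($Cert)

    foreach ($element in $chain.ChainElements) {
        # Collect every http(s) URL named in this certificate's CRL/AIA extensions
        $urls = foreach ($ext in $element.Certificate.Extensions) {
            if ($UrlOids -contains $ext.Oid.Value) {
                [regex]::Matches($ext.Format($true), 'https?://[^\s)]+') |
                    ForEach-Object { $_.Value }
            }
        }
        [pscustomobject]@{
            File    = $File
            Role    = $Role
            Subject = $element.Certificate.GetNameInfo('SimpleName', $false)
            Status  = ($element.ChainElementStatus.Status -join ', ')
            Urls    = ($urls | Sort-Object -Unique) -join '; '
        }
    }
}

$report = foreach ($name in $Files) {
    $path = Join-Path $PatchDir $name
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "Not found: $path"; continue }
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    Write-Host ("{0}: {1} - {2}" -f $name, $sig.Status, $sig.StatusMessage)
    Test-CertRevocation -File $name -Role 'Signer'      -Cert $sig.SignerCertificate
    Test-CertRevocation -File $name -Role 'TimeStamper' -Cert $sig.TimeStamperCertificate
}
$report | Format-List
# Entries whose Status includes RevocationStatusUnknown or OfflineRevocation failed the
# online check; their Urls are what the workstation must be able to reach.
```

Run it on an affected workstation under the same account that sees the error, since proxy settings can differ per user.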

Alternative Solution:

If the domain group policy, proxy server or firewall settings cannot be changed or there is difficulty in finding which settings to change, then complete the following steps as a workaround:
  1. Log onto the workstation with a domain Windows account that has access to the Deploy folder on the server.  
  2. Navigate to the Deploy folder on the server.
  3. Copy the entire Deploy folder from the server to a local location on the workstation, such as the Desktop.
  4. Log off the workstation with the domain Windows account.
  5. Log onto the workstation with a local (not domain) Windows account such as the Administrator account.
  6. Navigate to the location on the workstation where the Deploy folder was copied.
  7. Open the Deploy folder.
  8. Open the Patch folder within the Deploy folder.
  9. Run the BBPatch.exe file on the workstation to install the patch on the workstation.
  10. Log off the workstation with the local Windows account.
  11. Log back onto the workstation with a domain Windows account.
  12. Launch The Raiser's Edge shortcut on the Desktop and log into The Raiser's Edge.
  13. Go to Help\About The Raiser's Edge to verify that the patch has been applied to The Raiser's Edge and is the same patch as is on the server.
  

Environment

 7.92.5508 patch 9
