- Veeam Support Knowledge Base
- Veeam Agent for Microsoft Windows deployment fails with “Failed to call RPC function 'PckgCheckSignature'
Veeam Agent for Microsoft Windows deployment fails with “Failed to call RPC function 'PckgCheckSignature'
Cheers for trusting us with the spot in your mailbox!
Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest
Challenge
Info [UploadManager] Checking windows package 'C:\ProgramData\Veeam\Agents\VAW\Veeam_B&R_Endpoint_x64.msi' signature on host 'HOSTNAME'
Error Failed to call RPC function 'PckgCheckSignature': Signature of module 'C:\ProgramData\Veeam\Agents\VAW\Veeam_B&R_Endpoint_x64.msi' is invalid..
Error Signature of module 'C:\ProgramData\Veeam\Agents\VAW\Veeam_B&R_Endpoint_x64.msi' is invalid Error --tr:Failed to call DoRpc. CmdName: [PckgCheckSignature].Cause
Solution
To resolve this issue, you must install the trusted root or intermediate certificate in the certificate store of the target computer OS.
Note that the certificate name hints to where it must be stored:
- Root certificates must be installed in Trusted Root Certification Authorities.
- Intermediate certificates must be installed in Intermediate Certification Authorities.
Download and Install Missing Certificates
These steps must be performed on the machine where Veeam Agent for Microsoft Windows is failing to deploy.
- From the DigiCert certificate page, download the .crt file for the following Certificates:
- Download DigiCert EV Code Signing CA (SHA2)
(SHA1 Fingerprint:60:EE:3F:C5:3D:4B:DF:D1:69:7A:E5:BE:AE:1C:AB:1C:0F:3A:D4:E3)
- Download DigiCert High Assurance EV Root CA
(SHA1 Fingerprint:5F:B7:EE:06:33:E2:59:DB:AD:0C:4C:9A:E6:D3:8F:1A:61:C7:DC:25)
- Download DigiCert Assured ID Root CA
(SHA1 Fingerprint:05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43)
- Download DigiCert EV Code Signing CA (SHA2)
- Double-click each of the downloaded .crt files.
- Click Install Certificate
- Select Local Machine and click Next
- Click Browse and place the certificates into the following stores:
- 'DigiCert EV Code Signing CA (SHA2)' goes in [Intermediate Certification Authorities]
- 'DigiCert High Assurance EV Root CA' goes in [Trusted Root Certification Authorities]
- 'DigiCert Assured ID Root CA' goes in [Trusted Root Certification Authorities]
More Information
To verify which CA certificate is needed to validate a signed msi installer, use the SigCheck utility from SysInternals to retrieve information about the certificate chain the msi was signed with.
For example, to view the certificate chain of the Veeam Agent for Microsoft Windows version 5.0 installer, run the following command on the Veeam Backup & Replication server:
sigcheck64.exe -a -i -h "C:\ProgramData\Veeam\Agents\vaw\Veeam_B&R_Endpoint_x64.msi"Expand to view Example Output
Sigcheck v2.80 - File version and signature viewer Copyright (C) 2004-2020 Mark Russinovich
Sysinternals - www.sysinternals.com
c:\programdata\veeam\agents\vaw\Veeam_B&R_Endpoint_x64.msi: Verified: Signed Signing date: 2:22 PM 2/3/2021 Signing date: 2:22 PM 2/3/2021 Catalog: c:\programdata\veeam\agents\vaw\Veeam_B&R_Endpoint_x64.msi Signers: Veeam Software Group GmbH Cert Status: Valid Valid Usage: Code Signing Cert Issuer: DigiCert EV Code Signing CA (SHA2) Serial Number: 0F 6F 90 B4 1A F2 33 C6 4E 0A F6 F8 B3 E5 6D 26 Thumbprint: 43C940341257F3390612124531304E471905C80F Algorithm: sha256RSA Valid from: 5:00 PM 2/27/2019 Valid to: 5:00 AM 2/17/2022 DigiCert EV Code Signing CA (SHA2) Cert Status: Valid Valid Usage: Code Signing Cert Issuer: DigiCert High Assurance EV Root CA Serial Number: 03 F1 B4 E1 5F 3A 82 F1 14 96 78 B3 D7 D8 47 5C Thumbprint: 60EE3FC53D4BDFD1697AE5BEAE1CAB1C0F3AD4E3 Algorithm: sha256RSA Valid from: 5:00 AM 4/18/2012 Valid to: 5:00 AM 4/18/2027 DigiCert Cert Status: Valid Valid Usage: Client Auth, Code Signing, Email Protection, Server Auth, Timestamp Signing Cert Issuer: DigiCert High Assurance EV Root CA Serial Number: 02 AC 5C 26 6A 0B 40 9B 8F 0B 79 F2 AE 46 25 77 Thumbprint: 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 Algorithm: sha1RSA Valid from: 5:00 PM 11/9/2006 Valid to: 5:00 PM 11/9/2031 Counter Signers: DigiCert Timestamp 2021 Cert Status: Valid Valid Usage: Timestamp Signing Cert Issuer: DigiCert SHA2 Assured ID Timestamping CA Serial Number: 0D 42 4A E0 BE 3A 88 FF 60 40 21 CE 14 00 F0 DD Thumbprint: E1D782A8E191BEEF6BCA1691B5AAB494A6249BF3 Algorithm: sha256RSA Valid from: 5:00 PM 12/31/2020 Valid to: 5:00 PM 1/5/2031 DigiCert SHA2 Assured ID Timestamping CA Cert Status: Valid Valid Usage: Timestamp Signing Cert Issuer: DigiCert Assured ID Root CA Serial Number: 0A A1 25 D6 D6 32 1B 7E 41 E4 05 DA 36 97 C2 15 Thumbprint: 3BA63A6E4841355772DEBEF9CDCF4D5AF353A297 Algorithm: sha256RSA Valid from: 5:00 AM 1/7/2016 Valid to: 5:00 AM 1/7/2031 DigiCert Cert Status: Valid Valid Usage: Client Auth, Code Signing, Email Protection, Server Auth, Timestamp Signing Cert Issuer: DigiCert Assured ID Root CA Serial Number: 0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39 Thumbprint: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 Algorithm: sha1RSA Valid from: 5:00 PM 11/9/2006 Valid to: 5:00 PM 11/9/2031 Signing date: 2:22 PM 2/3/2021 Company: n/a Description: n/a Product: n/a Prod version: n/a File version: n/a MachineType: n/a
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.
Spelling error in text
Thank you!
Your feedback has been received and will be reviewed.
Oops! Something went wrong.
Please try again later.
You have selected too large block!
Please try select less.
KB Feedback/Suggestion
This form is only for KB Feedback/Suggestions, if you need help with the software open a support case
Thank you!
Your feedback has been received and will be reviewed.