It turns out that we have an SCCM package containing Shockwave installer that was released after July 10, 2012. We are currently working on updating our SCCM packages with the latest version from Adobe. The FAQ suggests that it is NOT necessary to update existing users that already have installed and are running affected Adobe products.
- Please confirm that we do NOT need redploy to exisiting users with an updated Shockwave install package.
- When the affected certificate is revoked, what will be the behavior of SCCM packages that contain Adobe product installers signed with the affected certificate?
- The serial number of the affected certificate appears to also match the certificate serial numbers of installers that we obtained from Adobe prior to July, 2012. How is it that these products would NOT be affected while those released after July 10, 2012, with what appears to be the same certificate, ARE affected?
- For users that actually installed Shockwave prior to the signature being revoked, there is no impact - Shockwave will continue to function as expected and is signed with valid certificates.
- For users to have not yet installed, Shockwave, and the certificate has been revoked, when they install Shockwave via your SCCM packages, they will see a UAC security warning notifying them that the software published is "unknown". The user can continue and the install will complete but they will see this warning.
for your second point, can you share an example where you're seeing something signed prior to July 2012 with the same signature serial? you can email me directly - firstname.lastname@example.org