(UPDATED 1/17/2011) PGP WDE for Mac OS X Customers Upgrading to Mac OS X 10.6.5

Article:TECH149998  |  Created: 2010-11-10  |  Updated: 2011-06-27  |  Article URL http://www.symantec.com/docs/TECH149998
Article Type
Technical Solution


Issue




IMPORTANT: PGP Desktop 10.1.1 for Mac OS X supports OS update to Mac OS X 10.6.6

Symantec has released PGP Desktop 10.1.1 for Mac OS X. After installation of this update, PGP Desktop customers can safely update their OS version to Mac OS X 10.6.6. Note: PGP Desktop 10.1.1 does not roll up all PGP Desktop hot fixes and service packs that are currently in use.

As a result, a 10.1.1 upgrade may cause certain customers to regress on functions that they depend on. Symantec is proactively recommending that affected customers should NOT upgrade to 10.1.1 at this time. If you are an affected customer, you will receive a separate communication from Symantec support.

Issue Summary: If you had previously applied the PGP Desktop 10.1.0 HF1 or PGP Desktop 10.1.0 SP1 update to a pre-10.6.6 Mac OS X client and updated the OS to 10.6.6, you may have received an error message stating "The installation failed. Installer has encountered an error that caused the installation to fail". In fact, the OS update completed successfully. However, the HF1 and SP1 updates mark files in the helper partition with the immutable bit set, causing kextcache to fail and prompt the user on each subsequent boot with the message "kextcache does not match system kext". PGP Desktop 10.1.1 ensures the immutable bit is not set on any PGP file in the helper partition.
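The immutable bit described above shows up as the uchg or schg file flag in the flags column of "ls -lO" on Mac OS X. The following is an added example, not Symantec or PGP code: it filters such a listing for flagged files. The function names and the sample listing are constructed for illustration, and the helper partition's location is not given in this article, so the directory to list is left to the administrator.

```shell
#!/bin/sh
# Added example (not from the article): report files that carry an
# immutable flag (uchg = user immutable, schg = system immutable).
# Input is the long listing printed by `ls -lO` on Mac OS X, where the
# fifth column holds the file flags ("-" when none are set).

# immutable_files: read an `ls -lO` listing on stdin and print
# "<flags><TAB><name>" for every entry with uchg or schg set.
# Names are rebuilt from column 10 onward, so single spaces in a
# file name survive; runs of spaces are collapsed to one.
immutable_files() {
    awk '
        $1 == "total" || NF < 10 { next }   # skip the header and short lines
        {
            n = split($5, fl, ",")          # flags are comma separated
            hit = ""
            for (i = 1; i <= n; i++)
                if (fl[i] == "uchg" || fl[i] == "schg")
                    hit = (hit == "") ? fl[i] : (hit "," fl[i])
            if (hit == "") next
            name = $10
            for (i = 11; i <= NF; i++) name = name " " $i
            printf "%s\t%s\n", hit, name
        }'
}

# count_immutable: number of flagged entries in the listing on stdin.
count_immutable() {
    immutable_files | wc -l | tr -d ' '
}

# sample_listing: constructed `ls -lO` output used to exercise the filter.
# The file names are placeholders, not real PGP file names.
sample_listing() {
    cat <<'EOF'
total 24
-rw-r--r--  1 root  wheel  -            512 Nov 10 09:12 example.plist
-rw-r--r--  1 root  wheel  schg        4096 Nov 10 09:12 example-a.bin
-rw-r--r--  1 root  wheel  uchg,hidden 2048 Nov 10 09:12 example b.kext
drwxr-xr-x  3 root  wheel  -            102 Nov 10 09:12 Extensions
EOF
}

# On a Mac, pipe a real listing through the filter:
#   ls -lO /path/to/directory | immutable_files
```

An empty result means no entry in the listing has uchg or schg set.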
 



Prior to the release of 10.6.5, the PGP Engineering team tested every version of the early developer release of the update that Apple provided to the team. No conflicts were found. However, after the update was released, we identified that Apple's automated Software Update mechanism bypasses the protections the PGP Engineering team has put around the boot.efi file. This bypass allows the update to overwrite a critical file needed by PGP WDE when the machine reboots, rendering the system non-bootable after the update. Following the discovery of this issue, we re-verified that manual application of the 10.6.5 combo updater does not bypass these protections; this is our recommended way to upgrade to 10.6.5. The specific steps for upgrading with the combo updater are listed in the Detail Section below.

Users who encountered problems with updating via Apple's Software Update should follow the recovery steps listed at the end of this article.

If you are already running Mac OS X 10.6.5 there are no issues installing PGP WDE 10.0.2 and above. PGP WDE 10.0.2 and above is fully compatible with 10.6.5.

 

Update 12-20-2010: Symantec strongly recommends that all customers install the Apple OSX 10.6.5 update as soon as possible by following the steps in the Detail section below. This will prevent the accidental installation of 10.6.5 when the Software Update mechanism is used to upgrade other Apple products, such as iTunes or Safari.

Alternatively, customers can now apply a PGP Hotfix that completely addresses the issue.  This new client code protects and verifies the state of the boot.efi file even when Apple's automated Software Update mechanism attempts to bypass the client's protection of this file. Customers with supported versions of Mac OS X prior to 10.6.5 can apply this release to their PGP Desktop for Mac OS X clients and subsequently update the OS to 10.6.5 (or later) without encountering this issue.  The Hot Fix is available now by contacting Technical Support. However, Symantec will deliver a generally available maintenance release of PGP Desktop for Mac OS X that addresses the issue in January, 2011.

IMPORTANT: You must install this PGP Desktop release on the Mac OS X client and restart before you perform an OS X update. If you install this PGP Desktop release and update the OS at the same time (without restarting), the new client code will not run, rendering the machine non-bootable. 

If you choose not to apply the 10.6.5 update or the PGP Hotfix, do not click "Continue" to automatically accept new application updates when prompted by Software Update.  Instead, click the "Show Details" button and deselect the "Mac OS X Update" before clicking "Install Item(s)." 

 


Solution



 Recommended Upgrade Process

 

PGP Corporation recommends that you back up your computer before applying any PGP product or Apple OS X updates.

 

1. Upgrade to PGP WDE 10.0.2 or above.

2. Download the Apple OS X 10.6.5 combo updater from http://support.apple.com/kb/DL1324

3. Run the installer for 10.6.5 and reboot as prompted by the installer.

4. Download the script "PGPwdeEFIUpdate.tgz" to your desktop.

5. Open Terminal and navigate to your desktop directory by typing "cd ~/Desktop" and pressing enter.

6. Type in the command "tar -xzpf PGPwdeEFIUpdate.tgz"

7. Type in the command "chmod 755 PGPwdeEFIUpdate.sh" and press enter.

8. Type in the command "sudo ./PGPwdeEFIUpdate.sh" and press enter.

  

Recommended Recovery Process

 

For customers who have already upgraded to 10.6.5 with PGP WDE encryption in place and thus are stuck in an unbootable state, we recommend booting from the PGP Recovery CD. The PGP Recovery CD image can be downloaded from the attachment section below.

Update: You will also need to download the script "PGPwdeEFIUpdate.tgz". This script makes a needed backup of the correct version of the boot.efi file, which is used should you ever choose to decrypt your WDE-encrypted startup disk. Note that this script will also set the currently running startup disk as the default for future system restarts.

If you have previously followed steps 1-3 in this recovery guide but have not yet run steps 4-7 it is critical that you do so.

Procedure:

  1. Boot the system using the PGP Recovery CD.
  2. When prompted, authenticate with your passphrase. DO NOT press D to decrypt. Press any key (e.g. spacebar) to boot into Mac OS X normally.
  3. Once logged into Mac OS X, PGP Desktop will automatically fix the boot issue and you should no longer need the recovery CD.

4. Download the script "PGPwdeEFIUpdate.tgz" to your desktop.

5. Open Terminal and navigate to your desktop directory by typing "cd ~/Desktop" and pressing enter.

6. Type in the command "tar -xzpf PGPwdeEFIUpdate.tgz"

7. Type in the command "chmod 755 PGPwdeEFIUpdate.sh" and press enter.

8. Type in the command "sudo ./PGPwdeEFIUpdate.sh" and press enter.


 


Attachments

PGPwdeEFIUpdate.tgz (1 kBytes)

Legacy ID



2288

