I just verified that the 10.7.3 Supplemental update download from Apple has been updated and the SHA-1 of the download no longer matches the SHA-1 in the TEM Fixlet (ID: 1070301).
I assume all the other 10.6 & 10.7 fixlets for Apple patches have the same issue.
These Mac update fixlets need to be revised as these fixlets no longer work.
The problematic Fixlet for “Mac OS X 10.7.3 Supplemental Update” has been updated in site version 239. The sha1/size issue you encountered for this Fixlet was due to Apple updating the patch, but they did not update this information in the download page, which was why we did not know about it until you reported it.
As for the certificate issue, JDCampbell already explained it in his post.
The update to the signing certificate does not impact the updates managed through the TEM content. This certificate update only impacts communication between local software update servers and the Apple software update server. The sha1 mismatch you encountered was due to a change that Apple made to that particular content. An update to that Fixlet is being tested now and we expect it to be released before the end of the day.
This is incorrect. TEM uses the Apple command line utility “installer”.
It will fail when trying to install one of the packages with the expired certificate.
Apple has re-signed and reissued the non-superseded updates for 10.6 and 10.7 prior to March 23 signed with the old certificate. All of the SHA1s will have changed for these updates.
Here is just one example:
Security Update 2012-001 (Snow Leopard) v1.1 from Apple: SHA1 15cd1853a015b770b28aa65e39501d2b4ff3f4ec
The TEM fixlet has the old update: SHA1 29218a1a28efecd15b3033922d71f0441390490a
And even if the update is already cached, installation WILL FAIL due to the expired cert.
Here is a blog post that should help you understand the problem better: