WAPT- (2018-03-28)


  • waptexit: Displays a custom PNG logo if one is created in <wapt>\templates\waptexit-logo.png
  • nssm.exe is signed with Tranquil IT code signing key.
  • waptconsole: Add locale and maturity columns in packages status grid
  • waptconsole: waptagent wizard; be sure to get a relative path when checking cert validity
  • waptsetup: Add /CopyPackagesTrustedCA and /CopyServersTrustedCA command line parameters to allow deploying WAPT with specific certificates through a GPO, without recompiling waptsetup.
    c:\tmp\waptdeploy --hash=e17c4eddd45d34000df0cfe64af594438b0c3e1ee9791812516f116d4f4b9fa9 --minversion= --waptsetupurl=http://buildbot/~tisadmin/wapt/latest/waptsetup.exe --setupargs=/CopyPackagesTrustedCA=c:\tmp\tranquilit.crt --setupargs=/ --setupargs=/ --setupargs=/repo_url= --setupargs=/waptserver= --setupargs=/DIR=c:\wapt

Bug fixes

  • waptconsole: regression introduced in Unable to login if server has not a fully qualified domain name (FQDN)
  • setuphelpers: winstartup_info fallback when the COMMON_STARTUP folder does not exist, which prevented a client from registering properly.
  • version / revision in wapttray displays the git hash instead of the old svn rev number.
  • waptconsole: update fr translation for certs bundle hint
  • waptconsole: compare packages properly when the number of version members differs (1.3 vs 1.3.1, for example)

WAPT- (2018-03-27)

Bug fixes

  • Fix add ad groups
  • Fix newest only with locale, architecture and maturity
  • Fix Import from external with mixed locale, architecture and maturity
  • Add --setupargs to waptdeploy
  • RPM fix
  • Enterprise build fix (Enterprise)
  • Different icons for community and enterprise
  • Switch to Community features when no licence instead of aborting (Enterprise)
  • Some up-to-date installed packages were marked as upgradable because of a bad comparison between maturity None and maturity ‘’
  • Depends and conflicts fields of HostsPackagesStatus table limited to 800 chars -> type changed to ArrayField to handle unlimited number of dependencies
  • git python module added as part of wapt libraries
  • list organizational unit packages in Group package table (Enterprise)
  • fix mongodb to pg db upgrade script
  • fix licence / hosts count / expiry check (Enterprise)
  • relative path for verify_cert

Known issues:

  • When waptserver is searched for with a DNS SRV query (dnsdomain param), Kerberos register auth is not working.

WAPT- (2018-03-13)

Global architecture

Multiple languages for the description of packages. English, French, German, Spanish and Polish are handled as a starting point. More to be added in the future…

The Description column in waptconsole displays the description in one language or another depending on the “language” waptconsole ini setting. In packages, description_fr, description_en, etc… have been added.

When renaming hosts, old host package (matching previous host uuid) is now “removed” instead of forgotten.

Add handling of organizational unit packages (Enterprise edition).

New package attributes:

  • “locale” attribute : A computer can be configured to accept only packages with a specific locale.
  • “maturity” attribute : stores status like “DEV”, “PREPROD”, “PROD” to describe the level of completion of the package. Computer can be configured to accept packages with specified maturities. Default packages maturity of computer is both the empty one and ‘PROD’.
  • “impacted_process” attribute : csv list of process names which would be killed before install (install_msi_if_needed, install_exe_if_needed) and uninstall (by means of the uninstallkey list). Could also be used in the future for a “soft” upgrade remote action which upgrades software while it is not running.

Setup / Wapt upgrades

Waptupgrade package :

  • Increased lifetime for upgrade task windows scheduler trigger for computers which are down for many days when upgrading
  • Added a trigger at start of the computer.


  • Displays the list of embedded trusted packages certificates when building the custom waptagent installer.

Bug fixes

  • handle unicode filepaths for Packages Wizard.
  • work in progress improvement of unicode handling globally in Waptconsole.
  • fix use proxy if needed for “download and edit” from external repo


  • fix bug in create_programs_menu_shortcut and create_user_programs_menu_shortcut. shortcuts were created in startup and not startup/programs

WAPT- rc1 (2018-03-08)

Global architecture

There is now some additional support for packages localization.

In the package control file, the description_fr, description_en, description_de, description_pl, description_es attributes can be used to give the description in the respective French, English, German, Polish languages.

If not set, the base description is used.


WAPT- (2017-11-16)

Global architecture

There is a significant internal change on how python libraries are managed inside WAPT. This has implications on the way python scripts are launched. This change is only relevant for people launching WAPT processes manually.

We have removed the (not clean) sys.path manipulations inside WAPT python script sources. The consequence is that all python scripts must be run with PYTHONHOME and PYTHONPATH set beforehand and pointing to the WAPT home directory (/opt/wapt on Linux).

Failing to do so results in scripts claiming that libraries are missing.

On Linux waptserver, libs are now in the default /opt/wapt/lib/python2.7 location instead of using non standard former one.

  • [IMP] WAPT has its own full python environment for libraries, even when debugging. Before, system wide python27 installation was needed for PyScripter to run ;

    Now, PyScripter can be started with a special batch file waptpyscripter.bat which sets environment variables for python (PYTHONHOME and PYTHONPATH) and runs pyscripter with the python dll path set to WAPT's own copy.

  • [NEW] Command line scripts with proper environment:

    • wapt-serverpostconf on Linux server to start server;
    • wapt-scanpackages;
    • wapt-signpackages;
  • [NEW] Added some debugging commandline tools which setup python environment properly before running the python script:

    • to debug waptservice, launch in cmd as admin: runwaptservice.bat;
    • to debug waptserver, launch in cmd : runwaptserver.bat or under linux :;
    • to launch pyscripter without the need for local system wide python27 install, run waptpyscripter.bat;

WAPT client

  • [ADD] local wapt-get.ini settings “packages_whitelist” and “packages_blacklist” to restrict accepted packages from repository based on their package’s name;
  • [IMP] More detailed reporting of host’s repositories configuration (now includes dnsdomain, proxy, and list of trusted certificates);
  • [FIX] Force packages db update when host configuration is changed. For example if new trusted package certificates are added or if allowed packages rules are changed;
  • [NEW] Handle AD Organizational Unit WAPT packages (Enterprise edition);
  • [IMP] Fallback to basic auth when a host is registering on waptserver if kerberos is enabled but authentication fails;
  • [IMP] for wapt-get.exe, allow designating the wapt-get.ini configuration file with the --config option using the base name of the user waptconsole ini file (without ini extension) instead of the full path. Handy when switching between several configurations. Same behaviour as for waptconsole. Example: wapt-get -c site3 build-upload c:\waptdev\test-7zip-wapt;
  • [FIX] Be sure not to loop forever in the websockets retry loop if something is wrong in the host waptserver or websocket configuration;
  • [FIX] Update PyScripter project template to use project directory as parameter for debug actions, and use relative paths for filenames;
  • [FIX] Fix bad package version comparison. Return True when comparing 1.2-1 to 1.2.1-3 (note: this is not homogeneous with the Version() class behaviour. todo: merge both);
  • [FIX] utf8 handling for control attributes in host packages;
  • [FIX] waptsetup: register and update must be launched with elevated privileges. So remove runasoriginaluser option;
  • [NEW] Introduced attributes target_os and impacted_process for package’s control file. They are not yet taken in account;
  • [NEW] Introduced machinery to handle X509 client certificates authentication for repositories and waptserver (specially for public servers);
  • [NEW] Introduced classes to generate X509 CRL;


  • [UPD] setuphelpers.removetree: Try to remove readonly flag when remove_tree reaches an Access Denied error. Default remove_tree error;
  • [FIX] unicode handling in shell startup shortcuts;
  • [IMP] waptutils.wget can check sha1 or sha256 hashes in addition to md5, and can cache and resume partial downloads;

WAPT Console

  • [NEW] Action in Waptconsole to plan in near future a restart of waptservice on selected Hosts;
  • [IMP] Mass host update/upgrade in waptconsole actions are now launched in single shot instead of one host at a time;
  • [NEW] Allow to force a host_dn in wapt-get.ini when host is not in a domain (Enterprise edition);
  • [NEW] Add timeout parameter for setuphelpers service_start service_stop and service_restart;
  • [IMP] Group filter list box is now editable, and one can type a partial group match and press enter to filter on all matching groups. Separator is comma. Handle * at the end of search to force finding all occurrences even if one group matches exactly;

WAPT Server

  • Add bat script migrate-hosts.bat to set environment for

  • Add script to trigger action on pre 1.5 hosts with reachable 8088 waptservice port from 1.5 server.

  • Fix registration_auth_user reset to None when reusing host certificate for re-register.

  • Removed unnecessary dependencies krb5-user, msktutil, python-psutil for waptserver package.

  • Increase client_max_body_size for http post on nginx for large update / upgrade trigger

    • fix signature_clockskew waptserver config parameter not taken in account;
    • unified loggers for server;
    • have waptserver ask wapt client to update status using websockets if websocket connection is up but database is not aware of given SID (case where waptserver is restarted but Nginx is kept up, and restart of waptserver service is fast enough to not trigger a reconnection of the clients);
  • [FIX] Disable proxy for migrate-hosts;

Known issues

  • waptservice: if a system account level http proxy is defined in registry on the windows host, websocket client library tries to use it and fails to connect to the server. Workaround: make an exception for waptserver;

  • waptconsole: if an http proxy is defined in waptconsole.ini, section [global], key http_proxy, it is used by the waptconsole even if the setting use_proxy_for_xxx is False. Workaround: set http_proxy to an empty string in waptconsole.ini;

  • when using a personal certificate that is not self-signed, depending on the issuer, the certificate file <private_dir>\mine_cert.crt can contain the full chain (own certificate, intermediate CA, and root CA). When waptconsole asks if the certificate should be put in the authorized client certificate directory (<wapt-dir>\ssl), the full crt file is copied as is. This means that all certificates in the crt file are authorized, and not only the personal one. This is perhaps not desired;

    Workaround: check if the personal PEM encoded crt file contains the full certificate chain. If this is the case, copy into <wapt-dir>\ssl only the parts of the PEM file matching the certificates you want to trust;

  • [FIX] SNI is not properly handled by waptconsole code, leading to incorrect error about certificate validation on HTTPS server with virtual hosts;

  • [ADD] certificates CRL updates (periodical signature, …) must be managed manually using tools like easy-rsa. Only CRL accessible by a URL are supported;

  • proxies are not supported on the server, so CRL can not be updated properly (as far as Distribution Point is defined in certificates) if the server has no direct http access to the distribution points;

  • https certificates are verified on the clients using the bundle defined by the verify_cert ini setting. If this setting is simply True, the bundle supplied with the python libraries is used to check issuers. This bundle is not updated unless WAPT is upgraded, so new issuers, or issuers that are no longer trusted, are taken into account only at that point. So it is better to deploy your own CA bundle along with WAPT and define the verify_cert path.

  • for rc1, on the linux server, there are broken symbolic links in lib/python2.7 folder. Next rc does not exhibit this problem;

WAPT- (2017-11-16)

  • [IMP] historize in wapt_localstatus database table the dependencies and conflicts of installed packages (to provide an easy way to warn when conflicting package should be installed or should be removed);
  • [FIX] load full certificate chain from host packages to check the signature of the control file (as it is the case for other types of packages);
  • [FIX] regression: check host package control signature right after downloading (it is checked too when starting install);
  • [FIX] regression: do not install host package if version is lower than installed one;
  • [FIX] do not raise an exception during session-setup if package has no;

WAPT Client

  • [FIX] fix intermediate Certificate Authority pinning: allows deploying an intermediate CA as an authorized CA without the root CA (segregation of rules between entities);
  • [FIX] old style print statement (without parentheses) raising an error in setup-session or uninstall functions;

Setuphelpers / libraries

  • [UPD] Add cache_dir parameter to wget function;
  • [UPD] renamed cabundle parameter to trusted_bundle;
  • [NEW] Add python methods to create certificate from CSR;

WAPT Console

  • [NEW] add checkbox when creating the waptagent to sign with sha1 in addition to sha256 to more easily upgrade WAPT agents to 1.5;
  • [NEW] force host package version to be at least equal to already installed host package (when host package is deleted, version was starting again at 0);
  • [FIX] regression: check existing host package signature before editing it;

WAPT Server

  • [FIX] Force waptserver DB structure upgrade at each server startup;
  • [UPD] Add db_connect_timeout parameter for pool of waptserver DB connections;
  • [NEW] Store depends and conflicts attributes in waptserver HostPackagesStatus PostgreSQL table;

Known issues

  • [FIX] SNI is not properly handled by waptconsole code, leading to incorrect error about certificate validation on HTTPS server with virtual hosts;
  • [ADD] certificates CRL updates (periodical signature, …) must be managed manually using tools like easy-rsa. Only CRL accessible by a URL are supported;

WAPT- (2017-11-16)

  • [NEW] some fallbacks to allow the use of the WAPT console with WineHQ on Linux based desktops;
  • [NEW] blueprint of the WAPT plugins architecture in the WAPT console;
  • [NEW] passwords entered in Pyscripter are no longer displayed in clear;
  • [NEW] make-template action in the WAPT installer generates an empty package;
  • [NEW] when signing a package, the certificate chain of the signer is added to the package (WAPT/certificate.crt) instead of only the signer’s certificate;
  • [IMP] management of certificates signed by Intermediary Authorities for actions in the WAPT console;
  • [ADD] added option for specifying the configuration file for the WAPT console;
  • [FIX] SNI for retrieving the certificate chain in waptconsole;
  • [ADD] added actions to launch mass updates / upgrades, offer updates to the users (WAPT Enterprise);
  • [NEW] F5 refreshes the list of packages;
  • [NEW] the description of the device may now be changed on the fly;
  • [ADD] possibility to configure several WAPT Server instances on a single server / VM;
  • [IMP] chunked HTTPS upload to allow the uploading of large packages without having to use WinSCP or equivalent;
  • [ADD] added forced installation of a package on a host from the WAPT console;
  • [ADD] option for hiding advanced options in the WAPT console to make the WAPT console simpler to use for some users;
  • [NEW] the Common Name of the host certificate / key is named the same as the machine UUID;
  • [FIX] if one or more dependencies of a package can not be installed, the parent package is flagged ERROR;
  • [FIX] small memory leak in waptserver;
  • [FIX] timezone validation for verifying certificates;
  • [SEC] verifies the hashes of all files, not just the files in the root folder (this regression appeared in 1.5 and is not present in 1.3);
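
The [SEC] entry above concerns manifest checks that stopped at the root folder. The following is an added example, not WAPT's own code, showing why that matters: a tampered file in a subfolder passes a root-only check and fails a full one. It assumes the manifest is a JSON list of [path, sha256] pairs stored as WAPT/manifest.sha256, and that the signature over the manifest is verified separately; the sample package is constructed.

```python
import hashlib
import io
import json
import zipfile

# Assumptions: manifest location and format (JSON list of [path, sha256-hex]).
MANIFEST = "WAPT/manifest.sha256"
# Entries that cannot be listed in the manifest they belong to (assumed names).
UNHASHED = {MANIFEST, "WAPT/signature.sha256"}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_package(zip_bytes, root_only=False):
    """Return a sorted list of (path, problem); an empty list means consistent.

    root_only=True reproduces the regression class: only top-level files are
    compared, so nothing inside a subfolder is ever checked.
    """
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as pkg:
        expected = dict(json.loads(pkg.read(MANIFEST)))
        seen = set()
        for name in pkg.namelist():
            if name.endswith("/") or name in UNHASHED:
                continue
            if root_only and "/" in name:
                continue
            seen.add(name)
            if name not in expected:
                problems.append((name, "not in manifest"))
            elif sha256_hex(pkg.read(name)) != expected[name]:
                problems.append((name, "hash mismatch"))
        if not root_only:
            for name in set(expected) - seen:
                problems.append((name, "listed but missing"))
    return sorted(problems)


def build_sample(tamper_nested=False, add_unlisted=False):
    """Build a constructed sample package in memory (not a real WAPT package)."""
    files = {
        "setup.py": b"def install():\n    pass\n",
        "WAPT/control": b"package : demo-sample\nversion : 1.0-0\n",
        "lib/helper.py": b"VALUE = 1\n",
    }
    manifest = json.dumps([[n, sha256_hex(d)] for n, d in sorted(files.items())])
    if tamper_nested:
        files["lib/helper.py"] = b"VALUE = 2\n"      # changed after hashing
    if add_unlisted:
        files["lib/extra.dll"] = b"\x00unlisted"     # never hashed at all
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        for name, data in files.items():
            pkg.writestr(name, data)
        pkg.writestr(MANIFEST, manifest)
    return buf.getvalue()


if __name__ == "__main__":
    tampered = build_sample(tamper_nested=True)
    print("root-only check:", verify_package(tampered, root_only=True))
    print("full check     :", verify_package(tampered))
```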

WAPT- (2017-11-16)

Global architecture

  • [NEW] the host packages are now named with the BIOS UUID of the machine instead of the FQDN (it is possible to use the FQDN as the UUID with the parameter use_fqdn_as_uuid but it may create duplicates in the console);
  • [NEW] the waptservice listens only on the loopback port 8088 and no longer on all network interfaces. This reduces the potential attack surface if an attacker spoofs the IP address of the WAPT Server;
  • [NEW] on startup, the waptservice initiates a Websocket connection (Socket.IO) with the WAPT Server to allow the WAPT agent and the WAPT console to trigger update / upgrade / install / remove actions. The 8088 port is no longer used to remotely launch actions;
  • [NEW] the Websocket requests from the WAPT console to the WAPT agents are now signed with the key of the Administrator. Before, security relied on source IP restriction and the validation of the Administrator’s login / password;
  • [NEW] the MongoDB inventory database is now replaced with PostgreSQL. This makes querying the data easier for personalized reporting, the SQL language being better known by system administrators;
  • [NEW] the display in the console of a large number of hosts has been greatly improved. Listing several thousands of machines is no longer a problem;
  • [NEW] making changes to the configuration of a large number of machines has been greatly improved;
  • [NEW] the resuming of a failed or partial download of a WAPT package is now made possible;
  • [NEW] the private keys must now be protected with a password;

The WAPT Console

  • [NEW] connections between the WAPT console and the WAPT Server now use Websockets;
  • [NEW] correct display of the WAPT console on high resolution screens (ex: 4K screens);
  • [NEW] modernized set of icons in the WAPT console;
  • [NEW] the description of the device may now be changed on the fly in the WAPT console;
  • [NEW] an option to change the password on a key has been introduced;

Format of WAPT packages

  • [NEW] the presence of the file is optional and is no longer required for group and host packages that only contain dependencies and conflicts;
  • [NEW] if the package contains a file, it MUST be signed with a Code Signing certificate, otherwise the package WILL NOT be installed. The roles are now differentiated between the role of the Package Deployer (allowed to sign group and host packages) and the role of Package Developer (allowed to sign group, host AND base packages);
  • [NEW] when signing a package, the certificate of the signer is added to the package (certificate.crt);
  • [NEW] the manifest file is renamed manifest.sha256 instead of manifest.sha1 and the signature file is renamed signature.sha256;
  • [NEW] the following attributes have been added to the control file:
    • signed_attributes: list of attributes that are signed to verify the authenticity of the package;
    • min_wapt_version : the package is ignored (and will not be installed) if WAPT is not running at this minimal version
    • installed_size: the WAPT package will not install if the minimum available disk space is not greater than installed_size;
    • max_os_version: the WAPT package is ignored if Windows is in a version greater than max_os_version;
    • min_os_version: the WAPT package is ignored if Windows is in a version that is not greater than min_os_version;
    • maturity:
    • locale:

General configuration of the WAPT agents

  • [NEW] explicit section [wapt-host] for the host package repository, otherwise the URL is obtained from <repo_url>+’-host’;
  • [NEW] explicit section [wapt] for the main repository, otherwise <repo_url> is taken as default;
  • [NEW] the verification of certificates is activated for all HTTPS connections;
  • [NEW] signatures are sha256 based instead of sha1;
  • [NEW] packages signed with certificates delivered by an Authority of Certification are taken into account, diffusion of that Authority’s unique certificate to the WAPT agents;
  • [NEW] the BIOS UUID of the machine is used for naming the host packages instead of the FQDN;
  • [NEW] possibility to still use the FQDN as UUID instead of the BIOS UUID (parameters: use_fqdn_as_uuid or forced_uuid);
  • [NEW] when a package is signed, the signer is identified with her certificate instead of her private key. WAPT validates the private key against certificates stored in the signer’s personal folder. This is an incentive to have one certificate per individual operating in the WAPT realm of the Organization;
  • [NEW] possibility to take into account revoked certificates (the CRL is delivered to the WAPT equipped machines during updates, from the Packages file);
  • [NEW] possibility to re-sign packages on Linux based WAPT Servers with the utility;
  • [NEW] the WAPT resources are now located in C:\Program Files (x86)\wapt by default;


  • [NEW] ‘running_as_admin’, ‘running_as_system’;
  • [FIX] bug fix on add_shutdown_script;
  • [IMP] check version and uninstall key after install using install_msi_if_needed and install_exe_if_needed;


  • [NEW] added function update-package-sources that launches the optional update_package() function of the WAPT package;
  • [FIX] replacement of the option --private-key by the option --certificate to define the certificate to use to sign the package. The private key is searched by default in the same folder as where the certificate is stored;
  • [FIX] replacement of the wapt.psproj upon editing a package, so to update the path to WAPT modules after moving to WAPT’s new default installation C:\Program Files (x86)\wapt folder;
  • [IMP] the HTTPS server certificate is verified during enable-check-certificate to avoid configuration mistakes;


  • added options
Usage: wapt-signpackages -c crtfile package1 package2

Re-sign a list of packages

  -h, --help            show this help message and exit
  -c PUBLIC_KEY, --certificate=PUBLIC_KEY
                        Path to the PEM RSA certificate to embed identitiy in
                        control. (default: )
  -k PRIVATE_KEY, --private-key=PRIVATE_KEY
                        Path to the PEM RSA private key to sign packages.
                        (default: )
  -l LOGLEVEL, --loglevel=LOGLEVEL
                        Loglevel (default: warning)
  -i, --if-needed       Re-sign package only if needed (default: warning)
  -m MD, --message-digest=MD
                        Message digest type for signatures.  (default: sha256)
  -s, --scan-packages   Rescan packages and update local Packages index after
                        signing.  (default: False)

The WAPT Console

  • [NEW] all actions sent to the hosts are signed with the Administrator’s key;
  • [NEW] generation of a key / certificate pair signed by an Authority of Certification (WAPT Enterprise);
  • [NEW] option to create a Code Signing or a simple SSL certificate (WAPT Enterprise);
  • [NEW] an option to change the password on a key has been introduced;
  • [NEW] option to verify the certificates during the creation of the WAPT agent;
  • [NEW] TISHelp launch icon (WAPT Enterprise);
  • [NEW] limit on the number of hosts returned in the WAPT console;
  • [NEW] added reachable to filter the machines that are currently connected by Websocket to the WAPT Server;
  • [NEW] possibility to change the description of the host on the fly in the WAPT console;


  • [NEW] Active Directory authentication (WAPT Enterprise);
  • [NEW] use of Websockets for relaying of actions;


  • [NEW] the WAPT webservice only listens on its loopback ( Therefore, the verification of the open port 8088 on the local firewall has been removed.
  • [NEW] the waptservice connects to the WAPT Server using Websockets if the parameter waptserver is present in wapt-get.ini;
  • [NEW] the parameter websockets_verify_cert activates the verification of the SSL certificate for the HTTPS connection of the Websocket;
  • [NEW] the certificates / Authorities of Certifications are displayed in the control file of the WAPT packages;
  • [NEW] the name of the signer of the package is recovered from the signer’s certificate and is displayed in the control file of the WAPT package;
  • [NEW] allow_user_service_restart parameter allows a standard user to restart the WAPT service on her computer;
  • [NEW] TISHelp launch in service mode by URL/tishelp;

waptagent installer

  • [NEW] the dependency on the msvcrt library has been removed;
  • [IMP] limited the number of options to two options: install the waptservice and start the wapttray;
  • [NEW] silent install options:
    • dnsdomain for automatically searching the WAPT repositories and the WAPT Server;
    • wapt_server
    • repo_url
  • [IMP] waptupgrade systematically launches a complete installation (no incremental installation);

Improvements ->

  • [NEW] is not required for uninstall;
  • [IMP] unicode path for editing packages;
  • [FIX] fixed the DNS based search for repositories;
  • [FIX] corrected \0000 for PostgreSQL;
  • [NEW] option for having a double sha1 and sha256 signature;
  • [NEW] verification of the HTTPS certificate to upload the WAPT agent;
  • [NEW] option --if-needed in wapt-signpackages;
  • [FIX] fixed the proxy when importing packages;
  • [NEW] management of CRL;
  • [FIX] fixed the required attributes when signing a WAPT package;
  • [NEW] max_clients parameter;
  • [FIX] fixed option “no server” (waptstarter);
  • [ADD] added the TISHelp launch icon;
  • [NEW] force update on installing a new waptagent;

WAPT-1.4.0 (2017-05-05)

  • no official release;
  • replacement of the MongoDB database with PostgreSQL for storing the inventory;

WAPT-1.3.13 (2017-07-25)

Security fixes

  • [FIX] regression: the verification of the content of the Packages file was skipped if the signature of the manifest and the Packages index file checksum were ok. This regression affects all 1.3.12 releases, but not WAPT <= 1.3.9 and >= upcoming 1.5. In order to exploit this bug, one would need to tamper with the Packages files either through a MITM (if you don’t verify the HTTPS certificate) or with root access on the WAPT Server.

Other changes

  • [NEW] with WAPT 1.5, packages are signed with sha256 hashes. An option allows to sign packages both in sha1 and sha256 so that they can be used with WAPT 1.3 without signing them again;
  • [FIX] the certificate for packages on has expired. All packages on have been signed again with a renewed key / certificate with both sha1 and sha256 hashes, and WAPT 1.5 signature style (control data is signed as well as files);
  • [FIX] fix for local GPO add_shutdown_script() function (thanks to jf-guillou !);
  • [FIX] fixed waptsetup postinstall actions (update / register) when running waptsetup installer without elevated privileges: added runascurrentuser flag;
  • [FIX] removed unneeded python libraries to make install package slimmer;

WAPT (2017-06-26)

The WAPT Console

  • [NEW] wizard to automatically create packages from MSI or EXE;
  • [NEW] option in the Tool menu or drag and drop in the tab Private Repository;
  • [NEW] discovery of silent options;
  • [NEW] install_exe_if_needed and install_msi_if_needed instead of a simple run() for EXE and MSI installers (several templates of in c:\wapt\templates);
  • [NEW] significant improvement of the speed of modification of host packages;
  • [NEW] optional verification of the signature of packages imported from an external repository. The list of authorized certificates are found by default in %APPDATA%\waptconsole\ssl and may be defined in the waptconsole.ini file. The parameter is named authorized_certs_dir. Otherwise authorized certificates are found in c:\wapt\ssl;
  • [NEW] optional verification in the WAPT console of the HTTPS certificate for external repositories;
  • [NEW] verification of the base, host and group package signature before modifying them in the WAPT console or in PyScripter;
  • [NEW] when importing a package from an external repository, possibility to edit the package for inspection instead of loading it directly in the production repository;
  • [IMP] the URLs to the official documentation have been changed to;
  • [NEW] actualization of the certificate without having to regenerate the RSA key pair (in particular to define a correct Common Name that will appear to identify the signer of the packages);
  • [NEW] HTTPS is set by default for the repository URLs;

Other bug fixes and feature improvements

  • [FIX] parameter AppNoConsole:1 for NSSM (waptservice / waptserver) to allow WAPT to work on Windows10 Creators Updates;
  • [FIX] problem of ZIP files that stay locked if an error is triggered;
  • [FIX] removing of the temporary folder when the edition of a group package is cancelled;
  • [FIX] management of space characters when naming PyScripter project files;
  • [FIX] UTF8 / unicode management for some functions in WAPT;
  • [FIX] management of encodings when run_not_fatal() returns an error;
  • [FIX] replacement of mongo.bson libraries by native python json;
  • [FIX] fixed bug when synchronizing Active Directory groups with WAPT packages;
  • [FIX] fixed bug “The private key does not exist” on first use of the private key if the WAPT console has not been restarted;
  • [FIX] fixed bug “WAPT service restart” (thanks to QGull);
  • [FIX] fixed possibility to name WAPT packages with upper case characters (it is however not advisable to mix lower and upper case when naming a package because package names are case sensitive in WAPT);
  • [IMP] some configuration examples have been actualized in wapt-get.ini.tmpl;
  • [FIX] fixed the waptagent failing to compile if keys / certificates already exist but the certificate had been removed from c:\wapt\ssl;
  • [FIX] fixed display in the Windows task bar of the login window (to allow in particular the autofill of the password by password managers);

WAPT (2017-04-11)

  • [FIX] argument “shell=True” wasn’t explicitly passed to the underlying function as it occurred on previous versions.

WAPT 1.3.9 (2017-03-03)


  • [FIX] updated code to follow more PEP8 recommendations;
  • [FIX] fixed issue with upgradedb locking local SQLite database;
  • [FIX] fixed broken DNS SRV record discovery;
  • [FIX] fixed unicode handling of signer / CN / organisation in certificates;
  • [FIX] fixed unzipped netifaces module;


  • [NEW] expands wildcards args for install, show, build-package, sign-package;
  • [FIX] fixed show-params command;
  • [FIX] fixed register with description not working on some computers;
  • [FIX] fixed broken -c --config option;

Added setuphelpers functions

  • [NEW] reg_key_exists ;
  • [NEW] reg_value_exists ;
  • [NEW] run_powershell ;
  • [NEW] remove_metroapp ;
  • [NEW] local_users_profiles ;
  • [NEW] get_profiles_users ;
  • [NEW] get_last_logged_on_user ;
  • [NEW] get_user_from_sid ;
  • [NEW] get_profile_path ;
  • [NEW] wua_agent_version ;
  • [NEW] local_admins ;
  • [NEW] local_group_memberships ;
  • [NEW] local_group_members ;

Modified helpers

  • [IMP] explicit default values for run() command help in PyScripter. Added return_stderr argument (overloaded str object);
  • [FIX] run_notfatal: fix unicode issue in use wmi module for wmi_info_basic instead of wmic shell command;
  • [IMP] make_path: improved when first argument is a drive. Be smart if an argument is a callable;
  • [FIX] restored CalledProcessError alias;
  • [IMP] host_infos: added profiles_users, last_logged_on_user, local_administrators, wua_agent_version attributes;
  • [IMP] ensure_unicode: return None if None, for bytes strings try utf8 decoding before system locale decoding;

The WAPT Console

  • [FIX] restore allowed lowercase/uppercase package naming;

  • [ADD] 4 host popup menu actions:

    • Computer Mgmt;
    • Computer Users;
    • Computer Services;
    • RemoteAssist;
  • [FIX] fixed other issues in the WAPT console:

    • Don’t search host while typing;
    • utf8 search (accents…);
    • utf8 compare;
    • try to get localized versions of special folders;


  • [ADD] added waptpythonw.exe binary in distribution for console-less python scripts (to avoid having cmd.exe windows popping up when invoking a python script);
  • [FIX] change default wapt templates URL to;
  • [FIX] when upgrading, (full WAPT agent re-install), remove stalled WAPT agent installs;

WAPT (2016-11-18)


  • [SEC] Fix inheritance of rights on wapt root folder for Windows 10 during setup when installed in c:\wapt. On Windows 10, cacls.exe does not work and does not remove “Authenticated Users” from c:\wapt. cacls.exe has been replaced by icacls.exe:

    • on pre-wapt 1.3.7 systems, you can fix this by running the following command, or upgrade to wapt 1.3.8 (you may check icacls.exe c:\wapt /inheritance:r)
    • This can be achieved with a GPO, or a WAPT package.
  • [IMP] in next versions of WAPT, the default install path of wapt will be changed from root folder c:\wapt to a more standard c:\Program Files (x86)\wapt.

  • [IMP] By default, waptsetup.exe / waptsetup-tis.exe do not distribute certificates, to avoid directly deploying packages from Tranquil IT. waptagent.exe by default distributes the certificates that are installed on the management desktop used to create the waptagent.
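
A read-only check for the [SEC] folder-permission item above, as an added example (not WAPT's own code). The function name `Test-WaptRootAcl`, the list of broad principals and the `Compliant` criterion are assumptions chosen for illustration; only the path `c:\wapt` and the `icacls.exe ... /inheritance:r` fix come from the changelog.

```powershell
# Added example: audit the ACL of the WAPT root folder (read-only, changes nothing).
function Test-WaptRootAcl {
    param([string]$Path = 'C:\wapt')   # install path named in the changelog

    # Well-known SIDs, so the check also works on localized Windows builds.
    $broadSids = @{
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
        'S-1-1-0'      = 'Everyone'
    }

    # Rights that let a principal alter folder content or its permissions.
    $fsr = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]($fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
                       $fsr::DeleteSubdirectoriesAndFiles -bor
                       $fsr::ChangePermissions -bor $fsr::TakeOwnership)
    # ACEs inherited from the drive root can carry raw generic bits that
    # Get-Acl shows as plain numbers: GENERIC_WRITE and GENERIC_ALL.
    $writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

    $acl   = Get-Acl -LiteralPath $Path
    # Ask for explicit and inherited rules, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])

    $findings = foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (-not $broadSids.ContainsKey($sid))   { continue }
        if (([int]$rule.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Principal = $broadSids[$sid]
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }

    [pscustomobject]@{
        Path                = $Path
        InheritanceDisabled = $acl.AreAccessRulesProtected   # true after /inheritance:r
        WritableByBroad     = @($findings)
        # Assumed criterion: inheritance removed and no broad principal can write.
        Compliant           = $acl.AreAccessRulesProtected -and (@($findings).Count -eq 0)
    }
}

Test-WaptRootAcl -Path 'C:\wapt' | Format-List
```

Run it from a GPO startup script or a WAPT package to inventory hosts that still need the `icacls.exe` fix or the upgrade.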

Core changes

  • [IMP] The database structure has changed between 1.3.8 and to include additional attributes from packages : signer, signer_fingerprint, locale, and maturity. signer and signer_fingerprint are populated when signing the package to identify the origin. This means local WAPT database is upgraded when first starting WAPT and this is not backward compatible;
  • [IMP] Installers have a limited set of options, the most common use of WAPT is privileged;
  • [ADD] 3 new parameters for the waptexit policy behaviour : hiberboot_enabled, max_gpo_script_wait, pre_shutdown_timeout. These parameters are not set by default and should be added to wapt-get.ini [global] section if needed;
  • [IMP] Use user’s waptconsole.ini configuration file instead of wapt-get.ini for the commands targeted to package development (sources, make-template, make-host-template, make-group-template, build-package, sign-package, build-upload, duplicate, edit, edit-host, upload-package, update-packages). This avoids the need to write these parameters in wapt-get.ini on the development workstation. These parameters are not shared across multiple users on the same machine. One use case is to allow multiple profiles (key, upload location) depending on the maturity of the package (development, test, production…);


  • [ADD] helper functions dir_is_empty, file_is_locked, service_restart and WindowsVersions class
  • [IMP] Added referer and user_agent in wget and wgets
  • [IMP] run function: define stdin as PIPE to avoid a process locking up while waiting for input, or errors such as “unable to duplicate handle” when using, for example, powershell
  • [IMP] Version class : try to compare version using at least Version.members_count
  • [FIX] fixed encoding for registry functions, fixed encoding for registry_setstring key name;
  • [FIX] install_exe_if_needed: don’t check uninstall_key or min_version if not provided;
  • [FIX] install_exe_if_needed and install_msi_if_needed version check if --force parameter is used;
  • [UPD] Check version and uninstall key after install with install_exe_if_needed and install_msi_if_needed;
  • [UPD] updated inventory to include information from WMI.Win32_OperatingSystem;
  • [ADD] get_disk_free_space helper function;
  • [UPD] updated the free disk space check when downloading with wget. check http status before;
  • [UPD] updated version class: Version('7') < Version('7.1') should return True;


  • [ADD] added 2 commands to get server SSL certificate and activate the certificate checking when using https with waptserver;
  • [FIX] get_sources to allow svn checkout of a new package project;
  • [FIX] register problems with some BIOS embedding bitmaps;
  • [UPD] updated uninstall key check after package install if uninstallkey is provided;
  • [ADD] added Windows version compatibility check in manifest file for wapt-get and in the WAPT console;
  • [FIX] erroneous error messages for session-setup in the WAPT console;
  • [UPD] added pattern parameter to all_files function;
  • [FIX] Install Date incorrectly registered by register_uninstall;
  • [ADD] added user_local_appdata function;
  • [ADD] added the signer CN and signer_fingerprint to control file when building a package;
  • [ADD] added attributes min_wapt_version in the control file to trigger an exception if the package requires a minimum level of libraries. The version is checked against’s __version__ attribute;
  • [ADD] added authorized_certificates attribute that is sent to the WAPT Server. It contains the list of host’s signer certificates distributed on the host;
  • [FIX] when signing, fixed the check for whether the wapt zip file already has a signature file (python zipfile cannot replace the file in place);


  • [ADD] added Show all versions checkbox in Available Packages page;
  • [UPD] updated skin of the web page;
  • [ADD] added Filter searchbox for available packages;


  • [ADD] Add NOT checkbox for keywords search in waptconsole to search for hosts NOT having a specific package or software;
  • [FIX] integer limit for grid display of package size, use int64 for size of packages in the WAPT console;
  • [UPD] do not list packages of section “restricted” in local webservice available packages list;
  • [UPD] CommonName attribute should be populated now, so that signer identity is not None in package control file;
  • [ADD] added signer’s identity column in packages grid;
  • [FIX] fixed escape quotes in package’s description;
  • [ADD] check on waptagent version against waptsetup-tis version at startup of the WAPT console;
  • [UPD] try to display a progress dialog at startup of the WAPT console;
  • [FIX] Organization not set when building customized waptagent;
  • [ADD] initialize Organization in waptagent build with CN from certificate;


  • [UPD] some text introduction changes


  • [NEW] limit trayicon balloon popup when Windows version is above Windows 7 or if notify_user = 0 in wapt-get.ini;


  • [UPD] use broadcast address on interface for wakeonlan call;
  • [FIX] removed the check of WAPT Server password which prevented the proper registration of waptserver on Windows;
  • [UPD] when upgrading, reuse existing waptserver.ini file if it already exists, do not overwrite server_uuid and ask for password reset if it already exists;

waptdeploy waptupgrade

  • [FIX] waptdeploy not working on WinXP, removed DisableWow64FileSystemRedir on runtask;
  • [FIX] waptupgrade: missing quotes for system account on Windows XP;


  • [ADD] BeautifulSoup for wapt packages auto update tasks;
  • [UPD] winsys library update to ‘1.0b1’;

WAPT (2015-05-05)

  • [ADD] UUID parameter for direct requests to hosts from the WAPT Server;
  • [ADD] allow host to refuse request if not right target (if ip has changed since last update_status for example);
  • [ADD] fallback on waptserver usage_statictics if mongodb lacks aggregate support;
  • [IMP] register host on server in postconf using waptservice http instead of command line wapt-get;

WAPT 1.2.2 (2015-04-22)

WAPT 1.2.1 (2015-03-26)

The WAPT Console

  • [ADD] added combobox for filtering on groups in the WAPT console;
  • [ADD] Add ADS Groups as packages action to WAPT host selection popup menu;
  • [ADD] cleancache action to clean local waptconsole packages cache;
  • [ADD] added notify_server on network reconfiguration if waptserver is available;
  • [IMP] column groups shows only host’s direct dependencies with package’s section == “group” instead of all direct dependencies;
  • [ADD] optional anonymous statistics (nb of machines, nb of packages, age of updates…) sent to Tranquil IT to document the communication around WAPT (sent by waptconsole at most every 24h);
  • [IMP] improved mass hosts delete;
  • [IMP] big packages uploads (write uploaded packages by chunk) (but still some issues on 32bits servers due to uwsgi);
  • [IMP] display version of mismatch when editing package;
  • [FIX] host’s packages not saved when some dependencies don’t exist anymore;
  • [FIX] restore working Cancel running task button;
  • [FIX] canceling subprocesses not working in freepascal apps (when waiting for InnoSetup compile for example);

wapt-get / waptservice

  • [ADD] reset-uuid and generate-uuid for duplicated UUID issues;
  • [IMP] find_wapt_repo_url process to avoid waiting for all repos if one repo is ok (improved response time in buggy networks);
  • [IMP] windows DNS resolver in wapt client (python part) instead of pure python resolver. Should reduce issues when multiple network cards or inactive network connections;
  • [IMP] changed the ordering of servers discovered through SRV DNS records: priority ascending first, then weight descending, to comply with standards;
  • [FIX] solved some issues with SQLite and threads in local waptservice;
  • [IMP] explicit transaction handling and isolation_level = None for local waptDB (to try to avoid locks);
  • [IMP] teardown handler for waptservice to commit or rollback thread local connections;
  • [FIX] for waptrepo detection in freepascal parts: same process as python part;


  • [ADD] read the docs theme for sphinx setuphelpers API documentation. WIP;
  • [ADD] __all__ list to avoid importing unnecessary names in modules. Now only functions defined in setuphelpers are available when importing setuphelpers. This can break some WAPT packages if names were indirectly imported through setuphelpers module;
  • [ADD] need_install, install_exe_if_needed, install_msi_if_needed functions to setuphelpers;
  • [ADD] local_desktops function;
  • [FIX] version class instances accept to be compared to str;
  • [ADD] add_ads_groups and get_computer_groups to;
  • [FIX] run helper;
  • [FIX] on_write callback not working;
  • [FIX] TimeoutExpired not formatted properly;
  • [FIX] use closure for registry keys;


  • [IMP] waptdeploy with more command line options (in particular tasks to merge to default innosetup selected tasks);
  • [FIX] waptrepo detection using dns records;


  • [FIX] waptagent upload error on Windows;
  • [FIX] debian packages should work for Jessie;
  • [IMP] copytree2 for waptupgrade;
  • [FIX] trap exception for version check on copy of exe and dll;
  • [FIX] mongodb-server version should be >= 2.4;

WAPT-1.1.1 (2015-02-26)

The WAPT Console

  • [IMP] the loading of the main grid has been optimized; only configured columns are displayed;
  • [IMP] the WAPT server detects the hosts whose waptservice is listening. Their Reachable status is shown with a green / grey indicator;
  • [ADD] the package dependencies of each host are displayed in the grid. This shows which hosts have no package;
  • [ADD] possibility to trigger available package upgrades on hosts that are listening from the WAPT console. In that case, the host sends its status to the WAPT server after the upgrade;
  • [ADD] possibility to filter hosts in the WAPT console according to their upgrade status or whether they are “reachable” or not;
  • [ADD] when packages are flagged for install but are not yet installed on a host, they appear with a blue “+” indicator. It is then possible to force the immediate install of the package with a right-click;


  • [ADD] cleaning of the cache on the hosts after each successful upgrade;


  • [ADD] the versions of the WAPT agent, WAPT Server are shown in the main web page of the WAPT Server (with a red indicator if there is a problem);

Package creation

  • [ADD] functions to setuphelpers to manage shortcuts:
    • remove_desktop_shortcut;
    • remove_user_desktop_shortcut;
    • remove_programs_menu_shortcut;
    • remove_user_programs_menu_shortcut;


  • [IMP] verification of used ports during the post-configuration of WAPT Server on a Windows machine;


  • [IMP] the waptserver no longer listens on port 8080 by default.

    The Apache front-end web server listens in HTTP and HTTPS and relays action calls to the python waptservice that only listens locally.

    It is therefore necessary to update wapt-get.ini files on WAPT agents and to replace wapt_server = http://monserveurwapt:8080 with wapt_server = https://monserveurwapt.

    If you can not make that change to your WAPT agents, it is possible to return to the previous behavior.

    On Debian, edit the file /opt/wapt/waptserver/waptserver.ini, and in the [uwsgi] section, put:

    http-socket =

    On Windows, edit C:\wapt\waptserver\waptserver.ini and replace:

    server = Rocket(('', port), 'wsgi', {"wsgi_app":app})


    server = Rocket(('', port), 'wsgi', {"wsgi_app":app})

    The repository may stay in HTTP on port 80.

    The calls to the WAPT Server are authenticated, but it is advised to restrict access to authorized sub-networks with a firewall.

  • [IMP] json calls to the webservice of the WAPT Server are now standardized;

  • [IMP] when launching update / upgrade / remove / forget / tasks_status actions from the WAPT console, the IP address of the host is no longer sent, but instead its UUID, and it is the WAPT Server that finds the IP address and the port to use;

  • [ADD] verification in the WAPT console that the version of the WAPT Server is sufficient;

  • [ADD] the timeouts for connecting to WAPT agents and reading the data are configurable in waptserver.ini;

WAPT-1.0 (2015-01-31)

  • [ADD] first public version of WAPT