Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-20204

Latest release of Java 7 blocks the connection to slaves due to no permissions attribute in the JAR file

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Blocker Blocker
    • core
    • All platforms where you can use at least Java web start to get a slave node connected, and Java 7 update 45 installed.

      Since I have installed Java 7 update 45 on our test slaves I get the following security warning:

      Running applications by UNKNOWN publishers will be blocked in a future release because it is potentially unsafe and a security risk.

      This application will be blocked in a future Java security update because the JAR file manifest does not contain the Permissions attribute. Please contact the Publisher for more information.

      It looks like that the .jar file(s) do not contain a permissions attribute, which would let slaves connect to the master in the future. In our case we connect slaves via Java web start.

      As of now it is not a hard-blocker and you can click through and accept. But I think that this should be fixed soon.

          [JENKINS-20204] Latest release of Java 7 blocks the connection to slaves due to no permissions attribute in the JAR file

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          pom.xml
          http://jenkins-ci.org/commit/remoting/07570271165133ef0b3a5b41134e4bcc59a6b410
          Log:
          [FIXED JENKINS-20204] Keep up with the new security requirements with Java7u51.

          Reference: http://docs.oracle.com/javase/8/docs/technotes/guides/jweb/security/manifest.html
          Reference: http://docs.oracle.com/javase/8/docs/technotes/guides/jweb/security/mixed_code.html

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Kohsuke Kawaguchi Path: pom.xml http://jenkins-ci.org/commit/remoting/07570271165133ef0b3a5b41134e4bcc59a6b410 Log: [FIXED JENKINS-20204] Keep up with the new security requirements with Java7u51. Reference: http://docs.oracle.com/javase/8/docs/technotes/guides/jweb/security/manifest.html Reference: http://docs.oracle.com/javase/8/docs/technotes/guides/jweb/security/mixed_code.html

          There were two issues here. One is the lack of the Permission attribute in the manifest, and the other is apparent change in the root CA certificate list in Java7, breaking the certificate chain to CA.

          Both are fixed in remoting 2.35.

          Kohsuke Kawaguchi added a comment - There were two issues here. One is the lack of the Permission attribute in the manifest, and the other is apparent change in the root CA certificate list in Java7, breaking the certificate chain to CA. Both are fixed in remoting 2.35.

          Henrik Skupin added a comment -

          Wonderful news Kohsuke! Will this be backported to the latest 1.532.x LTS version?

          Henrik Skupin added a comment - Wonderful news Kohsuke! Will this be backported to the latest 1.532.x LTS version?

          And in the future 1.557? I'm hitting this with the latest 1.556

          Christophe Cornu added a comment - And in the future 1.557? I'm hitting this with the latest 1.556

          A workaround is to use
          java -jar slave.jar -jnlpUrl http://yourserver:port/computer/slave-name/slave-agent.jnlp

          as indicated in https://wiki.jenkins-ci.org/display/JENKINS/Distributed+builds Launch slave agent headlessly

          Christophe Cornu added a comment - A workaround is to use java -jar slave.jar -jnlpUrl http://yourserver:port/computer/slave-name/slave-agent.jnlp as indicated in https://wiki.jenkins-ci.org/display/JENKINS/Distributed+builds Launch slave agent headlessly

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          changelog.html
          pom.xml
          http://jenkins-ci.org/commit/jenkins/11458c956e64673d99a9dc2c05cfd5f9533b4e1b
          Log:
          [JENKINS-20769 JENKINS-20204] integrated remoting 2.35 in the core.

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Kohsuke Kawaguchi Path: changelog.html pom.xml http://jenkins-ci.org/commit/jenkins/11458c956e64673d99a9dc2c05cfd5f9533b4e1b Log: [JENKINS-20769 JENKINS-20204] integrated remoting 2.35 in the core.

          dogfood added a comment -

          Integrated in jenkins_main_trunk #3267
          [JENKINS-20769 JENKINS-20204] integrated remoting 2.35 in the core. (Revision 11458c956e64673d99a9dc2c05cfd5f9533b4e1b)

          Result = SUCCESS
          kohsuke : 11458c956e64673d99a9dc2c05cfd5f9533b4e1b
          Files :

          • pom.xml
          • changelog.html

          dogfood added a comment - Integrated in jenkins_main_trunk #3267 [JENKINS-20769 JENKINS-20204] integrated remoting 2.35 in the core. (Revision 11458c956e64673d99a9dc2c05cfd5f9533b4e1b) Result = SUCCESS kohsuke : 11458c956e64673d99a9dc2c05cfd5f9533b4e1b Files : pom.xml changelog.html

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          pom.xml
          http://jenkins-ci.org/commit/jenkins/a89aa713b2ba5c325cd296d5733a565aa5cc63ec
          Log:
          [JENKINS-20769 JENKINS-20204] Integrating remoting 2.36

          Fixed a bug Jesse found in remoting

          (cherry picked from commit 75447b57b655e38fdb48f1e854a4b287071342cf)

          Conflicts:
          pom.xml

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Kohsuke Kawaguchi Path: pom.xml http://jenkins-ci.org/commit/jenkins/a89aa713b2ba5c325cd296d5733a565aa5cc63ec Log: [JENKINS-20769 JENKINS-20204] Integrating remoting 2.36 Fixed a bug Jesse found in remoting (cherry picked from commit 75447b57b655e38fdb48f1e854a4b287071342cf) Conflicts: pom.xml

          Oleg Nenashev added a comment -

          @Kohsuke
          I still see the issue on remoting-2.36...

          java version "1.7.0_51"
          Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
          Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)

          Manifest of the slave.jar

          Manifest-Version: 1.0
          Trusted-Library: true
          Application-Name: Jenkins Remoting Agent
          Build-Jdk: 1.7.0_07
          Built-By: kohsuke
          Permissions: all-permissions
          Created-By: Apache Maven
          Main-Class: hudson.remoting.Launcher
          Version: 2.36
          Codebase: *
          Archiver-Version: Plexus Archiver

          Name: org/kohsuke/args4j/MapSetter.class
          SHA-256-Digest: tyuIM4M9anur1hStvbgsYrs+g4WqVjGY0zgPEr1z4jw=

          Name: org/jenkinsci/constant_pool_scanner/ConstantPool$1$1.class
          SHA-256-Digest: UKGAapa919i1hiZJuSy1xx7dVEgonnjgqNxghQjWDMo=

          Name: hudson/remoting/DelegatingCallable.class
          SHA-256-Digest: 3eiABqJQGmXrLl5omnmV7YOVh/r7DAh21TQa9zqYntE=

          ...

          Oleg Nenashev added a comment - @Kohsuke I still see the issue on remoting-2.36... java version "1.7.0_51" Java(TM) SE Runtime Environment (build 1.7.0_51-b13) Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode) Manifest of the slave.jar Manifest-Version: 1.0 Trusted-Library: true Application-Name: Jenkins Remoting Agent Build-Jdk: 1.7.0_07 Built-By: kohsuke Permissions: all-permissions Created-By: Apache Maven Main-Class: hudson.remoting.Launcher Version: 2.36 Codebase: * Archiver-Version: Plexus Archiver Name: org/kohsuke/args4j/MapSetter.class SHA-256-Digest: tyuIM4M9anur1hStvbgsYrs+g4WqVjGY0zgPEr1z4jw= Name: org/jenkinsci/constant_pool_scanner/ConstantPool$1$1.class SHA-256-Digest: UKGAapa919i1hiZJuSy1xx7dVEgonnjgqNxghQjWDMo= Name: hudson/remoting/DelegatingCallable.class SHA-256-Digest: 3eiABqJQGmXrLl5omnmV7YOVh/r7DAh21TQa9zqYntE= ...

          Oleg Nenashev added a comment -

          Hmm...
          My apologies, the previous error has been caused by improper Jenkins URL in global configs => JNLP used jar from another server

          Oleg Nenashev added a comment - Hmm... My apologies, the previous error has been caused by improper Jenkins URL in global configs => JNLP used jar from another server

            kohsuke Kohsuke Kawaguchi
            whimboo Henrik Skupin
            Votes:
            19 Vote for this issue
            Watchers:
            34 Start watching this issue

              Created:
              Updated:
              Resolved: