JENKINS-23310

Code signing certificate of winp.dll has expired

Details

    • Bug
    • Status: Resolved (View Workflow)
    • Major
    • Resolution: Not A Defect
    • core

    Description

      We cannot download the jenkins.war through our HTTP proxy any more.

      Here is the error message:

      Grund der Blockierung: certificate has expired (depth = 0), revocation status unresolvable (depth = 0), revocation status unresolvable (depth = 1), revocation status unresolvable (depth = 2), revocation status unresolvable (depth = 3)
      Verletzung der Sicherheitsnorm in Datei: http://jenkins.mirror.isppower.de/war/1.566/jenkins.war/WEB-INF/lib/winp-1.19.jar/winp.dll

      Sorry for the German language parts, but I think the issue becomes clear.

        Activity

          oleg_nenashev Oleg Nenashev added a comment -

          Kohsuke is an owner of the WinP library project

          danielbeck Daniel Beck added a comment -

          Reducing priority: Download of jenkins.war is hardly a production-breaking issue; and a workaround is available in downloading not through the proxy. All issues here are imposed by your own organization.

          danielbeck Daniel Beck added a comment -

          New Winp release was integrated for 1.569 (JENKINS-23410). Maybe the cert issue has been fixed.

          torstens Torsten Schlabach added a comment - - edited

          Yes, it has been fixed in the sense that we can indeed download 1.569 now. Though we will not be able to download 1.569 in some remote future point in time from now after the new code signing certificate will have expired again.

          BUT I learn from http://portableapps.com/node/24236 (the last remark by John T. Haller dated July 14, 2010 at 10:41am in that thread) that the fault isn't with the Jenkins / Winp developers at all but with the people who implemented / configured the certificate checks on our content inspection HTTP proxy server.

          After reading, it sounds quite logical to me that a code signing certificate needs to be valid at the point in time the code is signed, not at the point in time I want to download or execute the code. Unless the certificate had been revoked in the meanwhile, but that doesn't seem to be the case here.

          So in other words, you didn't actually fix it, either by chance or on purpose; it's just luck that when I tried to download 1.569 yesterday I was still within the validity window of your code signing certificate, even though that time window shouldn't matter at all for my download.

          HTH
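
Added example, not part of the thread and not Jenkins, WinP or proxy vendor code: the two validation policies contrasted in the comment above, run over constructed signature records. It goes beyond the comment by covering a signature with no trusted timestamp, where the signing time cannot be proven and expiry has to be judged at verification time. The `Signature` record, the function names and all dates are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Signature:
    """Hypothetical summary of what a verifier extracts from a signed file."""
    not_before: datetime           # signing certificate validity start
    not_after: datetime            # signing certificate validity end
    signed_at: Optional[datetime]  # trusted timestamp, None if the file has none
    revoked: bool = False          # True if CRL/OCSP reports the certificate revoked


def check_at_download(sig: Signature, now: datetime) -> str:
    """Judge the certificate against the clock at verification time."""
    if sig.revoked:
        return "reject: revoked"
    if not (sig.not_before <= now <= sig.not_after):
        return "reject: certificate expired or not yet valid"
    return "accept"


def check_at_signing(sig: Signature, now: datetime) -> str:
    """Judge the certificate against the trusted signing time when one exists."""
    if sig.revoked:  # any revocation is treated as a failure, as in the comment
        return "reject: revoked"
    # Without a trusted timestamp the signing time cannot be proven,
    # so the only defensible reference point is the current time.
    reference = sig.signed_at or now
    if not (sig.not_before <= reference <= sig.not_after):
        return "reject: certificate not valid at reference time"
    return "accept"


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample data: a certificate that expired four days before the download.
CERT = dict(not_before=utc(2012, 6, 1), not_after=utc(2014, 6, 1))
TIMESTAMPED = Signature(signed_at=utc(2013, 9, 1), **CERT)
UNTIMESTAMPED = Signature(signed_at=None, **CERT)
NOW = utc(2014, 6, 5)

if __name__ == "__main__":
    for name, sig in (("timestamped", TIMESTAMPED), ("untimestamped", UNTIMESTAMPED)):
        print(f"{name}: at download -> {check_at_download(sig, NOW)}; "
              f"at signing -> {check_at_signing(sig, NOW)}")
```
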


          People

            kohsuke Kohsuke Kawaguchi
            torstens Torsten Schlabach