
SECURITY-144-compat usage breaks tests due to code signing

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Component: core

      Take a plugin which has a dependency on maven-plugin, such as copyartifact. Now update the dependency to 2.7.1 and try to run functional tests. Everything blows up:

      === Starting CopyArtifactTest.testMavenJobWithArchivePostBuildStep
      ... hudson.model.AbstractBuild$AbstractBuildExecution reportError
      WARNING: Publisher hudson.tasks.ArtifactArchiver aborted due to exception
      java.lang.SecurityException: class "org.jenkinsci.remoting.CallableDecorator"'s signer information does not match signer information of other classes in the same package
      	at java.lang.ClassLoader.checkCerts(ClassLoader.java:952)
      	at java.lang.ClassLoader.preDefineClass(ClassLoader.java:666)
      	at java.lang.ClassLoader.defineClass(ClassLoader.java:794)
      	at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
      	at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
      	at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
      	at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
      	at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
      	at java.security.AccessController.doPrivileged(Native Method)
      	at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
      	at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
      	at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
      	at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
      	at jenkins.FilePathFilter.current(FilePathFilter.java:108)
      	at hudson.FilePath.reading(FilePath.java:2677)
      	at hudson.FilePath.access$000(FilePath.java:190)
      	at hudson.FilePath$40.invoke(FilePath.java:2034)
      	at hudson.FilePath$40.invoke(FilePath.java:2027)
      	at hudson.FilePath.act(FilePath.java:980)
      	at hudson.FilePath.act(FilePath.java:958)
      	at hudson.FilePath.copyRecursiveTo(FilePath.java:2027)
      	at jenkins.model.StandardArtifactManager.archive(StandardArtifactManager.java:61)
      	at hudson.tasks.ArtifactArchiver.perform(ArtifactArchiver.java:218)
      	at hudson.tasks.BuildStepCompatibilityLayer.perform(BuildStepCompatibilityLayer.java:74)
      	at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
      	at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:770)
      	at hudson.model.AbstractBuild$AbstractBuildExecution.performAllBuildSteps(AbstractBuild.java:734)
      	at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.post2(MavenModuleSetBuild.java:1037)
      	at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:683)
      	at hudson.model.Run.execute(Run.java:1770)
      	at hudson.maven.MavenModuleSetBuild.run(MavenModuleSetBuild.java:529)
      	at hudson.model.ResourceController.execute(ResourceController.java:89)
      	at hudson.model.Executor.run(Executor.java:240)
      

      This is because remoting.jar is signed (which IMO it should not be), yet SECURITY-144-compat.jar is not.

      As a workaround it suffices to add

      <exclusions>
        <exclusion>
          <groupId>org.jenkins-ci</groupId>
          <artifactId>SECURITY-144-compat</artifactId>
        </exclusion>
      </exclusions>
      

      to the dependency, but this is not going to be sustainable if other plugins start adding the dep too.
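A classpath check for the condition this report describes, as an added example that is not part of the original issue or of Jenkins: it flags any package whose classes come from both a signed and an unsigned JAR. It only looks for signature block files in META-INF and does not verify them; the sample JARs are constructed in memory, and which class sits in which JAR is an assumption.

```python
import io
import zipfile
from collections import defaultdict

SIG_BLOCK_EXT = (".RSA", ".DSA", ".EC")  # signature block files written by jarsigner

def is_signed(names):
    """True if the JAR has a signature block file in META-INF (presence only, not verified)."""
    for n in names:
        head, _, tail = n.rpartition("/")
        if head.upper() == "META-INF" and tail.upper().endswith(SIG_BLOCK_EXT):
            return True
    return False

def split_packages(jars):
    """jars: {label: path or file-like}. Return the packages whose classes are
    supplied by both signed and unsigned JARs, with the JARs on each side."""
    seen = defaultdict(lambda: {"signed": set(), "unsigned": set()})
    for label, src in jars.items():
        with zipfile.ZipFile(src) as zf:
            names = zf.namelist()
        kind = "signed" if is_signed(names) else "unsigned"
        for n in names:
            if n.endswith(".class") and "/" in n:
                seen[n.rpartition("/")[0].replace("/", ".")][kind].add(label)
    return {pkg: {k: sorted(v) for k, v in hit.items()}
            for pkg, hit in seen.items() if hit["signed"] and hit["unsigned"]}

def make_jar(entries):
    """Build a constructed in-memory JAR with empty entries (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    buf.seek(0)
    return buf

# Constructed sample: the JAR contents and their placement are assumed for illustration.
SAMPLE = {
    "remoting.jar": make_jar(["META-INF/MANIFEST.MF", "META-INF/SIGNER.SF", "META-INF/SIGNER.RSA",
                              "org/jenkinsci/remoting/Role.class", "hudson/remoting/Channel.class"]),
    "SECURITY-144-compat.jar": make_jar(["META-INF/MANIFEST.MF",
                                         "org/jenkinsci/remoting/CallableDecorator.class"]),
}

if __name__ == "__main__":
    for pkg, hit in split_packages(SAMPLE).items():
        print(f"{pkg}: signed={hit['signed']} unsigned={hit['unsigned']}")
```

Pass real paths from the test classpath in place of `SAMPLE` to find the conflicting pair before the JVM rejects it at class-definition time.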

          [JENKINS-25625] SECURITY-144-compat usage breaks tests due to code signing

          Oleg Nenashev added a comment -

          The issue still exists in 1.609.1


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          pom.xml
          src/main/java/hudson/maven/MavenModuleSet.java
          src/main/java/hudson/maven/MavenModuleSetBuild.java
          http://jenkins-ci.org/commit/maven-plugin/c5223dea3ec253d24e76f1939501a1a80cfad348
          Log:
          Update baseline to 1.580.1.
          This allows us to pick up the SECURITY-144 fix from core and thus avoid JENKINS-25625.

          Kanstantsin Shautsou added a comment -

          What is the status of this issue? Updated plugin core from 1.609.3 to 1.625.3 and got the same error.

          Kanstantsin Shautsou added a comment -

          Found (resolved), in my case because of different remoting jars on jenkins jvm and CLI connection.

          Jesse Glick added a comment -

          Did not find any remaining usages of the compat library, just some old exclusions.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          test/pom.xml
          http://jenkins-ci.org/commit/jenkins/adf01d08884bcebbb802543fb71c68073bb6c7cc
          Log:
          Merge pull request #2940 from jglick/cleanup-JENKINS-25625

          JENKINS-25625 Deleting obsolete SECURITY-144-compat exclusion

          Compare: https://github.com/jenkinsci/jenkins/compare/e77048893a7c...adf01d08884b

          Oleg Nenashev added a comment -

          It has been released in 2.71


          Jesse Glick added a comment -

          I see no reason for this to be an lts-candidate. It is just code cleanup.


            jglick Jesse Glick