Jenkins / JENKINS-25625

SECURITY-144-compat usage breaks tests due to code signing

    Description

      Take a plugin which has a dependency on maven-plugin, such as copyartifact. Now update the dependency to 2.7.1 and try to run functional tests. Everything blows up:

      === Starting CopyArtifactTest.testMavenJobWithArchivePostBuildStep
      ... hudson.model.AbstractBuild$AbstractBuildExecution reportError
      WARNING: Publisher hudson.tasks.ArtifactArchiver aborted due to exception
      java.lang.SecurityException: class "org.jenkinsci.remoting.CallableDecorator"'s signer information does not match signer information of other classes in the same package
      	at java.lang.ClassLoader.checkCerts(ClassLoader.java:952)
      	at java.lang.ClassLoader.preDefineClass(ClassLoader.java:666)
      	at java.lang.ClassLoader.defineClass(ClassLoader.java:794)
      	at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
      	at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
      	at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
      	at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
      	at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
      	at java.security.AccessController.doPrivileged(Native Method)
      	at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
      	at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
      	at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
      	at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
      	at jenkins.FilePathFilter.current(FilePathFilter.java:108)
      	at hudson.FilePath.reading(FilePath.java:2677)
      	at hudson.FilePath.access$000(FilePath.java:190)
      	at hudson.FilePath$40.invoke(FilePath.java:2034)
      	at hudson.FilePath$40.invoke(FilePath.java:2027)
      	at hudson.FilePath.act(FilePath.java:980)
      	at hudson.FilePath.act(FilePath.java:958)
      	at hudson.FilePath.copyRecursiveTo(FilePath.java:2027)
      	at jenkins.model.StandardArtifactManager.archive(StandardArtifactManager.java:61)
      	at hudson.tasks.ArtifactArchiver.perform(ArtifactArchiver.java:218)
      	at hudson.tasks.BuildStepCompatibilityLayer.perform(BuildStepCompatibilityLayer.java:74)
      	at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
      	at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:770)
      	at hudson.model.AbstractBuild$AbstractBuildExecution.performAllBuildSteps(AbstractBuild.java:734)
      	at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.post2(MavenModuleSetBuild.java:1037)
      	at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:683)
      	at hudson.model.Run.execute(Run.java:1770)
      	at hudson.maven.MavenModuleSetBuild.run(MavenModuleSetBuild.java:529)
      	at hudson.model.ResourceController.execute(ResourceController.java:89)
      	at hudson.model.Executor.run(Executor.java:240)
      

      This is because remoting.jar is signed (which IMO it should not be), yet SECURITY-144-compat.jar is not.

      As a workaround it suffices to add

      <exclusions>
        <exclusion>
          <groupId>org.jenkins-ci</groupId>
          <artifactId>SECURITY-144-compat</artifactId>
        </exclusion>
      </exclusions>
      

      to the dependency, but this is not going to be sustainable if other plugins start adding the dep too.
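
A diagnostic for the condition described above, added here as an example (not code from Jenkins or from the reporter): it flags any Java package whose classes are split between a signed and an unsigned jar on one classpath. The jar contents and the helper names make_jar, inspect_jar and mixed_signing are constructed for illustration, and the check only looks for signature files under META-INF; it does not verify signatures or compare signer certificates.

```python
import io
import zipfile
from collections import defaultdict
from pathlib import PurePosixPath

BLOCK_SUFFIXES = {".RSA", ".DSA", ".EC"}  # signature block files next to the .SF

def make_jar(entries):
    """Build an in-memory jar with empty entries (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    return buf.getvalue()

def inspect_jar(data):
    """Return (looks_signed, packages) for the given jar bytes."""
    meta_suffixes, packages = set(), set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            path = PurePosixPath(name)
            if len(path.parts) == 2 and path.parts[0].upper() == "META-INF":
                meta_suffixes.add(path.suffix.upper())
            elif path.suffix == ".class" and len(path.parts) > 1:
                packages.add(".".join(path.parts[:-1]))
    signed = ".SF" in meta_suffixes and bool(meta_suffixes & BLOCK_SUFFIXES)
    return signed, packages

def mixed_signing(jars):
    """Return {package: {jar: looks_signed}} for packages spanning both kinds of jar."""
    owners = defaultdict(dict)
    for jar_name, data in jars.items():
        signed, packages = inspect_jar(data)
        for pkg in packages:
            owners[pkg][jar_name] = signed
    return {p: o for p, o in owners.items() if len(set(o.values())) > 1}

# Constructed classpath mirroring the report: one signed jar, one unsigned jar,
# both contributing classes to org.jenkinsci.remoting. Entry names are made up.
CLASSPATH = {
    "remoting.jar": make_jar([
        "META-INF/MANIFEST.MF", "META-INF/SAMPLE.SF", "META-INF/SAMPLE.RSA",
        "org/jenkinsci/remoting/A.class", "hudson/remoting/B.class"]),
    "SECURITY-144-compat.jar": make_jar([
        "META-INF/MANIFEST.MF", "org/jenkinsci/remoting/C.class"]),
}

if __name__ == "__main__":
    print(mixed_signing(CLASSPATH))
```

Dropping the unsigned jar from the dictionary, which is the effect the exclusion has on the classpath, makes the result empty.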

          Activity

            oleg_nenashev Oleg Nenashev added a comment -

            The issue still exists in 1.609.1


            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            pom.xml
            src/main/java/hudson/maven/MavenModuleSet.java
            src/main/java/hudson/maven/MavenModuleSetBuild.java
            http://jenkins-ci.org/commit/maven-plugin/c5223dea3ec253d24e76f1939501a1a80cfad348
            Log:
            Update baseline to 1.580.1.
            This allows us to pick up the SECURITY-144 fix from core and thus avoid JENKINS-25625.

            integer Kanstantsin Shautsou added a comment -

            What is the status of this issue? Updated plugin core from 1.609.3 to 1.625.3 and got the same error.

            integer Kanstantsin Shautsou added a comment -

            Found (resolved), in my case because of different remoting jars on the Jenkins JVM and the CLI connection.
            jglick Jesse Glick added a comment -

            Did not find any remaining usages of the compat library, just some old exclusions.


            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Oleg Nenashev
            Path:
            test/pom.xml
            http://jenkins-ci.org/commit/jenkins/adf01d08884bcebbb802543fb71c68073bb6c7cc
            Log:
            Merge pull request #2940 from jglick/cleanup-JENKINS-25625

            JENKINS-25625 Deleting obsolete SECURITY-144-compat exclusion

            Compare: https://github.com/jenkinsci/jenkins/compare/e77048893a7c...adf01d08884b
            oleg_nenashev Oleg Nenashev added a comment -

            It has been released in 2.71

            jglick Jesse Glick added a comment -

            I see no reason for this to be an lts-candidate. It is just code cleanup.


            People

              jglick Jesse Glick