JENKINS-25625

SECURITY-144-compat usage breaks tests due to code signing




      Take a plugin which has a dependency on maven-plugin, such as copyartifact. Now update the dependency to 2.7.1 and try to run functional tests. Everything blows up:

      === Starting CopyArtifactTest.testMavenJobWithArchivePostBuildStep
      ... hudson.model.AbstractBuild$AbstractBuildExecution reportError
      WARNING: Publisher hudson.tasks.ArtifactArchiver aborted due to exception
      java.lang.SecurityException: class "org.jenkinsci.remoting.CallableDecorator"'s signer information does not match signer information of other classes in the same package
      	at java.lang.ClassLoader.checkCerts(ClassLoader.java:952)
      	at java.lang.ClassLoader.preDefineClass(ClassLoader.java:666)
      	at java.lang.ClassLoader.defineClass(ClassLoader.java:794)
      	at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
      	at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
      	at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
      	at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
      	at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
      	at java.security.AccessController.doPrivileged(Native Method)
      	at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
      	at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
      	at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
      	at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
      	at jenkins.FilePathFilter.current(FilePathFilter.java:108)
      	at hudson.FilePath.reading(FilePath.java:2677)
      	at hudson.FilePath.access$000(FilePath.java:190)
      	at hudson.FilePath$40.invoke(FilePath.java:2034)
      	at hudson.FilePath$40.invoke(FilePath.java:2027)
      	at hudson.FilePath.act(FilePath.java:980)
      	at hudson.FilePath.act(FilePath.java:958)
      	at hudson.FilePath.copyRecursiveTo(FilePath.java:2027)
      	at jenkins.model.StandardArtifactManager.archive(StandardArtifactManager.java:61)
      	at hudson.tasks.ArtifactArchiver.perform(ArtifactArchiver.java:218)
      	at hudson.tasks.BuildStepCompatibilityLayer.perform(BuildStepCompatibilityLayer.java:74)
      	at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
      	at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:770)
      	at hudson.model.AbstractBuild$AbstractBuildExecution.performAllBuildSteps(AbstractBuild.java:734)
      	at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.post2(MavenModuleSetBuild.java:1037)
      	at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:683)
      	at hudson.model.Run.execute(Run.java:1770)
      	at hudson.maven.MavenModuleSetBuild.run(MavenModuleSetBuild.java:529)
      	at hudson.model.ResourceController.execute(ResourceController.java:89)
      	at hudson.model.Executor.run(Executor.java:240)

      This is because remoting.jar is signed (which IMO it should not be), yet SECURITY-144-compat.jar is not.

      As a workaround it suffices to add


      to the dependency, but this is not going to be sustainable if other plugins start adding the dep too.
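
      The conflict described above, a package whose classes come from both a signed and an unsigned jar, can be checked for on a classpath before tests run. This is an added example, not part of the original issue or of Jenkins code; the jar contents are constructed, the class name Example is hypothetical, and signing is detected only by the presence of a signature block file in META-INF, without verifying it.

```python
import io
import zipfile
from collections import defaultdict

SIG_BLOCK_EXTS = (".RSA", ".DSA", ".EC")  # signature block files written by jarsigner

def is_signed(zf):
    """Heuristic: signed if META-INF/ directly holds a signature block file.
    Presence only; the signature is not verified and signers are not compared."""
    return any(n.upper().startswith("META-INF/") and n.count("/") == 1
               and n.upper().endswith(SIG_BLOCK_EXTS) for n in zf.namelist())

def packages(zf):
    """Dotted names of the Java packages that have at least one .class entry."""
    return {n.rsplit("/", 1)[0].replace("/", ".")
            for n in zf.namelist() if n.endswith(".class") and "/" in n}

def mixed_signing_packages(jars):
    """jars maps a jar name to a path or file object. Returns {package: {jar: signed}}
    for every package whose classes come from both signed and unsigned jars."""
    seen = defaultdict(dict)
    for name, src in jars.items():
        with zipfile.ZipFile(src) as zf:
            signed = is_signed(zf)
            for pkg in packages(zf):
                seen[pkg][name] = signed
    return {p: j for p, j in seen.items() if len(set(j.values())) > 1}

def sample_jars():
    """Constructed stand-ins for the two jars named in the issue (empty entries)."""
    def make(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for entry in entries:
                zf.writestr(entry, b"")
        return buf
    return {
        "remoting.jar": make(["META-INF/MANIFEST.MF", "META-INF/SIGNER.SF",
                              "META-INF/SIGNER.RSA",
                              "hudson/remoting/Channel.class",
                              "org/jenkinsci/remoting/Example.class"]),  # hypothetical class
        "SECURITY-144-compat.jar": make(["META-INF/MANIFEST.MF",
                                         "org/jenkinsci/remoting/CallableDecorator.class"]),
    }

if __name__ == "__main__":
    for pkg, by_jar in mixed_signing_packages(sample_jars()).items():
        print(pkg, by_jar)
```

      Passing real jar paths instead of the constructed ones lists every package that would hit the same signer mismatch when both jars end up on one class loader.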




            jglick Jesse Glick created issue -
            jglick Jesse Glick made changes -
                Field: Original Value -> New Value
                Link: (none) -> This issue is blocking SECURITY-144 [ SECURITY-144 ]
            jglick Jesse Glick made changes -
                Link: (none) -> This issue is blocking JENKINS-24887 [ JENKINS-24887 ]
            jglick Jesse Glick made changes -
                Assignee: (none) -> Jesse Glick [ jglick ]
            jglick Jesse Glick made changes -
                Status: Open [ 1 ] -> In Progress [ 3 ]
            jglick Jesse Glick made changes -
                Remote Link: (none) -> This issue links to "maven-plugin PR 45 (Web Link)" [ 12944 ]
            jglick Jesse Glick made changes -
                Remote Link: (none) -> This issue links to "SECURITY-144-compat PR 1 (Web Link)" [ 12945 ]
            rtyler R. Tyler Croy made changes -
                Workflow: JNJira [ 159599 ] -> JNJira + In-Review [ 185547 ]
            jglick Jesse Glick made changes -
                Remote Link: (none) -> This issue links to "core PR 2940 (Web Link)" [ 17253 ]
            jglick Jesse Glick made changes -
                Status: In Progress [ 3 ] -> In Review [ 10005 ]
            oleg_nenashev Oleg Nenashev made changes -
                Resolution: (none) -> Fixed [ 1 ]
                Status: In Review [ 10005 ] -> Resolved [ 5 ]
            oleg_nenashev Oleg Nenashev made changes -
                Labels: security test -> lts-candidate security test
            jglick Jesse Glick made changes -
                Labels: lts-candidate security test -> security test


              jglick Jesse Glick