  1. Jenkins
  2. JENKINS-31089

Signature verification failed in update site 'default'

    • Type: Bug
    • Resolution: Fixed
    • Priority: Blocker
    • Component: core
    • Environment: Mac OS X El Capitan 10.11
      Safari or Chrome or Firefox
      Jenkins 1.631

      Installed pkg for OS X.
      Nothing worked.
      Found out from another page that JDK needs to be installed.
      Installed JDK by going to the link via java in terminal.
      Reported Java version is 1.8.0_66-b17.
      Had to run the uninstall.command in /Library/Application\ Support/Jenkins.
      Then ran install again and got localhost:8080 showing the Jenkins page.
      Went to Manage Jenkins and then Manage Plugins. Plugins list is blank!
      Went to Advanced, clicked refresh and got the error noted above.
      Clicking (show details) does nothing.
      Update site is set to:
      http://updates.jenkins-ci.org/update-center.json
      Tried other mirrors with no difference in behavior.

          [JENKINS-31089] Signature verification failed in update site 'default'

          Jiri Tyr added a comment -

          Well, I think that the proper fix would be to change the MD5 cryptographic hash algorithm to something else because MD5 is no longer considered secure. Can we expect this to happen any time soon?

          Daniel Beck added a comment -

          > proper fix would be to change the MD5 cryptographic hash algorithm to something else

          Definitely happening soon(ish), it's just that everyone with the necessary access to the secrets is traveling right now for FOSDEM this weekend (where I will continue to harass them about this).

          I'm just saying this is a new issue, affecting a different version of Java, with a different problem (MD5 algorithm rather than RSA key size), and therefore should be tracked separately.

          Jiri Tyr added a comment -

          Is there a ticket about the change of the cryptographic hash algorithm? If not, could you please create one? If yes, could you please link it to this ticket?

          Please let me know if you need more people to convince the team about the importance of this change and I can join your discussion in Brussels this weekend ;o)

          Daniel Beck added a comment -

          I filed INFRA-553 for this, as it's not an issue in Jenkins itself.

          jtyr Come say hi at http://www.meetup.com/jenkinsmeetup/events/227464036/

          Patxi Gortázar added a comment -

          I've been faced with this issue when installing Jenkins 2.1. Proposed solutions on this ticket didn't work for me. I've had to edit /etc/default/jenkins and add the following to JAVA_ARGS:

          -Dhudson.model.DownloadService.noSignatureCheck=true

          I'm not sure if this is considered a different bug.

          Environment:

          Ubuntu 14.04
          OpenJDK Runtime Environment (build 1.8.0_91-8u91-b14-0ubuntu4~14.04-b14)
          Jenkins 2.1
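
A check for the setting named in the comment above, as an added example that is not part of the original ticket: it reports whether a Jenkins defaults file (such as the /etc/default/jenkins mentioned there) passes the flag that turns update-site signature verification off. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the ticket): flag Jenkins defaults files in which
# update-site signature verification has been switched off.

# Property from the comment above; the value is matched case-insensitively
# because Java parses boolean property values that way.
PATTERN='-Dhudson\.model\.DownloadService\.noSignatureCheck=[Tt][Rr][Uu][Ee]([^[:alnum:]]|$)'

# Print "LINE:TEXT" for each active setting; exit status 0 if any was found.
find_bypass() {
    # Strip shell comments first so a commented-out flag is not reported.
    # (Simplification: a '#' inside a quoted value is also treated as a comment.)
    sed 's/#.*$//' "$1" | grep -n -E -e "$PATTERN"
}

# One-word verdict for a file: DISABLED, ENABLED or UNREADABLE.
audit_file() {
    [ -r "$1" ] || { echo UNREADABLE; return 2; }
    if find_bypass "$1" >/dev/null; then echo DISABLED; return 1; fi
    echo ENABLED
}

# Constructed sample inputs, written to a temporary directory.
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
cat > "$SAMPLES/bypassed" <<'EOF'
NAME=jenkins
JAVA_ARGS="-Djava.awt.headless=true -Dhudson.model.DownloadService.noSignatureCheck=true"
EOF
cat > "$SAMPLES/clean" <<'EOF'
NAME=jenkins
# JAVA_ARGS="-Dhudson.model.DownloadService.noSignatureCheck=true"
JAVA_ARGS="-Djava.awt.headless=true"
EOF

for f in "$SAMPLES/bypassed" "$SAMPLES/clean"; do
    printf '%s: %s\n' "$f" "$(audit_file "$f")"
done
```
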

          Daniel Beck added a comment -

          gortazar Please file a new bug, and provide more information (relevant jenkins.log excerpts, full error messages, etc.)

          Patxi Gortázar added a comment - - edited

          danielbeck I've been trying to reproduce this issue on a fresh new Ubuntu 14.04.3, 14.04.4 and 16.04 and was unable to reproduce it. It may be something specific with our machine. Furthermore, no references arise from a google search. I think it is caused by something on our side. Do you still want me to file a new bug?

          Daniel Beck added a comment -

          > Do you still want me to file a new bug?

          No. Without more information this will not be helpful.

          akostadinov added a comment -

          Filed JENKINS-53288 for signature verification check I see with 2.121.3 and a clean install (after applying the RSA 512 fix).

          Daniel Beck added a comment -

          FYI we fixed JENKINS-53710 in Jenkins 2.145 that addressed a possible regression related to signature verification in Jenkins 2.130. While we observed the problem only on Java 11, it's possible for it to also occur on Java 8.

            rtyler R. Tyler Croy
            kalbright Keith Albright