
Setup code signing to be able to release Remoting without Kohsuke

    • Type: Task
    • Resolution: Fixed
    • Priority: Critical
    • core, remoting
    • None

      Currently remoting can be released by kohsuke only, and it complicates things, especially since we want to establish a remoting backporting flow for remoting 2.

      I should get a verified key and start releasing remoting without it.
      Getting the organization key is complicated according to our last investigation.

          [JENKINS-37567] Setup code signing to be able to release Remoting without Kohsuke

          Oleg Nenashev added a comment -

          Output on a fresh VM for me:

           

          {noformat}

          sm      4351 Thu Mar 19 18:09:38 CET 2015 org/kohsuke/args4j/Starter.class
          sm       741 Thu Mar 19 18:09:38 CET 2015 org/kohsuke/args4j/Utilities.class
          sm      4092 Thu Mar 19 18:09:38 CET 2015 org/kohsuke/args4j/XmlParser.class

            s = signature was verified
            m = entry is listed in manifest
            k = at least one certificate was found in keystore
            i = at least one certificate was found in identity scope

          • Signed by "EMAILADDRESS=o.v.nenashev@gmail.com, CN="Open Source Developer, Oleg Nenashev", O=Open Source Developer, C=CH"
                Digest algorithm: SHA-256
                Signature algorithm: SHA256withRSA, 2048-bit key
              Timestamped by "CN=Certum EV TSA SHA2, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL" on Fri Apr 28 13:27:47 UTC 2017
                Timestamp digest algorithm: SHA-256
                Timestamp signature algorithm: SHA256withRSA, 2048-bit key

          jar verified.

          Warning:
          This jar contains entries whose certificate chain is not validated.

          {noformat}
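
A release gate built on the jarsigner output quoted in the comment above, as an added example (not code from the Jenkins project). It parses `jarsigner -verify -verbose -certs` output and fails on unsigned entries, weak algorithms, a missing timestamp, an unexpected signer, or any warning such as the unvalidated certificate chain; the `audit` function and its policy are assumptions of this example, and the sample is abridged from that output.

```python
import re

# Abridged from the jarsigner -verify -verbose -certs output quoted above.
SAMPLE = """\
sm      4351 Thu Mar 19 18:09:38 CET 2015 org/kohsuke/args4j/Starter.class
sm       741 Thu Mar 19 18:09:38 CET 2015 org/kohsuke/args4j/Utilities.class

- Signed by "EMAILADDRESS=o.v.nenashev@gmail.com, CN="Open Source Developer, Oleg Nenashev", O=Open Source Developer, C=CH"
    Digest algorithm: SHA-256
    Signature algorithm: SHA256withRSA, 2048-bit key
  Timestamped by "CN=Certum EV TSA SHA2, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL" on Fri Apr 28 13:27:47 UTC 2017

jar verified.

Warning:
This jar contains entries whose certificate chain is not validated.
"""

ENTRY = re.compile(r"^([smki]*)\s+\d+\s+\w{3} \w{3} +\d+ [\d:]{8} \S+ \d{4} (.+)$")
SIGNED_BY = re.compile(r'Signed by "(.*)"\s*$')
ALGO = re.compile(r"^\s*(?:Digest|Signature) algorithm: ([^,\s]+)")
WEAK = re.compile(r"(?i)(md[25]|sha-?1)(?!\d)")


def audit(output, expected_signer):
    """Return a list of policy violations; an empty list means the jar may ship."""
    problems, signers, stamped, in_warning = [], [], False, False
    for line in output.splitlines():
        entry = ENTRY.match(line)
        if in_warning and line.strip():
            # Same policy as jarsigner -strict: any warning fails the gate.
            problems.append("warning: " + line.strip())
        elif entry and not entry[2].startswith("META-INF/"):
            if not set("sm").issubset(entry[1]):
                problems.append("unsigned entry: " + entry[2])
        elif SIGNED_BY.search(line):
            signers.append(SIGNED_BY.search(line)[1])
        elif ALGO.match(line) and WEAK.match(ALGO.match(line)[1]):
            problems.append("weak algorithm: " + ALGO.match(line)[1])
        stamped = stamped or "Timestamped by" in line
        in_warning = in_warning or line.strip() == "Warning:"
    if "jar verified." not in output:
        problems.append("jarsigner did not report 'jar verified.'")
    if not signers or any(expected_signer not in dn for dn in signers):
        problems.append("unexpected or missing signer")
    if not stamped:
        problems.append("no timestamp from a TSA")
    return problems
```

The signer DN is only meaningful once the chain validates, which is why the warning alone fails the gate even though the output says "jar verified."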


          Andrew Bayer added a comment -

          I take that back, I honestly don't know what JVM was used for that run. With /Library/Java/JavaVirtualMachines/jdk1.8.0.jdk/Contents/Home/bin/jarsigner (where java -version gives Java(TM) SE Runtime Environment (build 1.8.0-b132)), I get the right result.


          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          pom.xml
          http://jenkins-ci.org/commit/remoting/0c2a61266d6ee021bebb32ff78f4873ffc18bce8
          Log:
          JENKINS-37567 - Update maven Jar Signer and add provider/tsa options

          I have a hardware crypto key for signing remoting, hence the original available options are not enough for me.
          I decided to add more options, but it needs sign-off from kohsuke that he still can sign the stuff with his key.


          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          pom.xml
          http://jenkins-ci.org/commit/remoting/9fae467430dea195e28c190a9f93fafc43e636b8
          Log:
          Merge pull request #158 from oleg-nenashev/JENKINS-37567

          JENKINS-37567 - Update maven Jar Signer and add provider/tsa options

          Compare: https://github.com/jenkinsci/remoting/compare/76c9b8ccf14f...9fae467430de


          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          core/src/test/java/hudson/LauncherTest.java
          pom.xml
          test/src/test/java/hudson/slaves/JNLPLauncherTest.java
          http://jenkins-ci.org/commit/jenkins/e7cdd6517cf25940a497f9abced72c888a398720
          Log:
          JENKINS-39370 - Update Remoting in Jenkins core to 3.10 (#2886)

          • Update Remoting in Jenkins core to 3.8
          • JENKINS-39370 - Introduce support of Work Directories in remoting (opt-in).
          • PR 129 - Allow configuring java.util.logging settings via a property file (-loggingConfig or JUL system property). See the Logging page for more details.
          • JENKINS-37567 - Change of the code signing certificate

          More info: https://github.com/jenkinsci/remoting/blob/master/CHANGELOG.md#38

          • JENKINS-39370 - Add direct tests for JNLP Launcher start with -workDir
          • Pick Remoting 3.9
          • Improve error message of LauncherTest#remoteKill()
          • Update Remoting to 3.10


          Oleg Nenashev added a comment -

          I finally figured out why the signing does not work as expected on my machine. I need to add a new "certchain" option to Maven JarSigner. It is tracked as https://issues.apache.org/jira/browse/MJARSIGNER-53. I am going to work around it and use a custom build for a while using Maven profiles.


          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          pom.xml
          http://jenkins-ci.org/commit/remoting/99ffa3c0519743319767b372df452eb7e02c5b66
          Log:
          JENKINS-37567 - Add option to specify certchain, enforce certificate checks


          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          pom.xml
          http://jenkins-ci.org/commit/remoting/ca48837eec5f9cea18653528ac68ce041cdc656c
          Log:
          Merge pull request #190 from oleg-nenashev/buildflow/JENKINS-37567

          JENKINS-37567 - Add option to specify certchain, enforce certificate checks

          Compare: https://github.com/jenkinsci/remoting/compare/a052a5ac45b3...ca48837eec5f


          Oleg Nenashev added a comment - - edited

          The fix has been integrated towards Remoting 3.11 and Jenkins 2.76


          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          pom.xml
          http://jenkins-ci.org/commit/remoting/bc9be8a75f0a3a36e1a0f57fa3130645ed319121
          Log:
          JENKINS-37567 - Add option to specify certchain, enforce certificate checks

