JENKINS-37567
Set up code signing to be able to release Remoting without Kohsuke



    Description

      Currently remoting can be released by kohsuke only, and it complicates things, especially since we want to establish a remoting backporting flow for remoting 2.

      I should get a verified key and start releasing remoting without it.
      Getting the organization key is complicated, according to our last investigation.


        Activity

          oleg_nenashev Oleg Nenashev added a comment -

          The certificate got delayed

          oleg_nenashev Oleg Nenashev added a comment -

          Created pull request with patches: #158

          I have attached the JAR to the JIRA ticket. I would appreciate it if somebody could test it and confirm that the JAR is considered signed by a trusted source. It is critical for JNLP start on Windows at least. CC @slide and @jtnord since they may have a ready environment for it. If required, I can try to package Jenkins core with a signed version.

          remoting-3.8-SNAPSHOT.jar
          abayer Andrew Bayer added a comment -

          Worked fine on OS X in a quick test.

          oleg_nenashev Oleg Nenashev added a comment -

          abayer Did you ensure that Java actually tried to check the signature? IIRC it is not the default behavior on Mac OS.
          abayer Andrew Bayer added a comment -

          Whoops -

          {noformat}
          ─○ jarsigner -verify ~/Downloads/remoting-3.8-SNAPSHOT.jar
          Picked up JAVA_TOOL_OPTIONS: -Dapple.awt.UIElement=true
          jar is unsigned. (signatures missing or not parsable)
          {noformat}

          So...no. Not signed.
          oleg_nenashev Oleg Nenashev added a comment -

          Output on a fresh VM for me:

          {noformat}
          sm      4351 Thu Mar 19 18:09:38 CET 2015 org/kohsuke/args4j/Starter.class
          sm       741 Thu Mar 19 18:09:38 CET 2015 org/kohsuke/args4j/Utilities.class
          sm      4092 Thu Mar 19 18:09:38 CET 2015 org/kohsuke/args4j/XmlParser.class

            s = signature was verified
            m = entry is listed in manifest
            k = at least one certificate was found in keystore
            i = at least one certificate was found in identity scope

          - Signed by "EMAILADDRESS=o.v.nenashev@gmail.com, CN="Open Source Developer, Oleg Nenashev", O=Open Source Developer, C=CH"
                Digest algorithm: SHA-256
                Signature algorithm: SHA256withRSA, 2048-bit key
              Timestamped by "CN=Certum EV TSA SHA2, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL" on Fri Apr 28 13:27:47 UTC 2017
                Timestamp digest algorithm: SHA-256
                Timestamp signature algorithm: SHA256withRSA, 2048-bit key

          jar verified.

          Warning:
          This jar contains entries whose certificate chain is not validated.
          {noformat}
          abayer Andrew Bayer added a comment -

          I take that back, I honestly don't know what JVM was used for that run. With /Library/Java/JavaVirtualMachines/jdk1.8.0.jdk/Contents/Home/bin/jarsigner (where java -version gives Java(TM) SE Runtime Environment (build 1.8.0-b132)), I get the right result.
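The exchange above (an "unsigned" verdict from one JVM, "jar verified." plus a chain warning from another) is the kind of ambiguity a release check should not leave to a human reading terminal output. The script below is an added example, not code from this thread or from the jenkinsci/remoting project: it runs jarsigner in verbose, certificate-printing, strict mode and reduces the output to a single verdict, treating "signed, but certificate chain not validated" as a failure rather than a pass, since a Java Web Start client cannot treat such a JAR as signed by a trusted publisher. The function names and the abridged sample outputs are constructed for the example.

```shell
#!/bin/sh
# Added example for release checks of the kind discussed in JENKINS-37567;
# not code from the thread or from jenkinsci/remoting. Function names are
# made up for the example.

# Reduce jarsigner's textual verdict to one status word:
#   unsigned         no signature block at all
#   untrusted-chain  signature is cryptographically valid, but the signer's
#                    certificate chain could not be built to a trusted root
#   verified         signature valid and chain trusted
#   unknown          unrecognised output; callers must treat it as a failure
# The chain warning is tested before "jar verified." because jarsigner prints
# both in the untrusted-chain case (see the output quoted in this thread).
# The wording of the chain warning differs between JDK releases, so two
# variants are matched.
classify_jarsigner_output() {
    case "$1" in
        *"jar is unsigned"*)
            echo unsigned ;;
        *"certificate chain is not validated"*|*"certificate chain is invalid"*)
            echo untrusted-chain ;;
        *"jar verified."*)
            echo verified ;;
        *)
            echo unknown ;;
    esac
}

# Release gate: succeed only for a fully verified JAR.
is_release_grade() {
    [ "$(classify_jarsigner_output "$1")" = verified ]
}

# Run jarsigner on a JAR, print the verdict, and return non-zero unless the
# JAR is release grade.
#   -verbose  lists entries with the s/m/k/i flags
#   -certs    prints the signer DN and chain, not only the entry flags
#   -strict   makes chain problems a non-zero exit on JDKs that support it;
#             the text is classified regardless, so older JDKs behave the same
verify_jar() {
    jarsigner_output=$(jarsigner -verify -verbose -certs -strict "$1" 2>&1)
    echo "$1: $(classify_jarsigner_output "$jarsigner_output")"
    is_release_grade "$jarsigner_output"
}

# Constructed sample outputs, abridged from real jarsigner wording, so the
# classifier can be exercised without a JDK or a JAR on hand.
SAMPLE_UNSIGNED='jar is unsigned. (signatures missing or not parsable)'
SAMPLE_UNTRUSTED='sm      4351 Thu Mar 19 18:09:38 CET 2015 org/kohsuke/args4j/Starter.class

  s = signature was verified
  m = entry is listed in manifest

jar verified.

Warning:
This jar contains entries whose certificate chain is not validated.'
SAMPLE_VERIFIED='sm      4351 Thu Mar 19 18:09:38 CET 2015 org/kohsuke/args4j/Starter.class

  s = signature was verified
  m = entry is listed in manifest

jar verified.'

# Stand-alone run: classify the samples, then gate the JAR named on the
# command line, if one was given.
for sample in "$SAMPLE_UNSIGNED" "$SAMPLE_UNTRUSTED" "$SAMPLE_VERIFIED"; do
    echo "sample -> $(classify_jarsigner_output "$sample")"
done
if [ -n "$1" ]; then
    verify_jar "$1" || exit 1
fi
```

Wiring `verify_jar` into the release job means a build that produces a JAR like the one in Oleg's output above (valid signature, chain not validated) fails at the gate instead of shipping and being rejected later by a JNLP client on Windows.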

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          pom.xml
          http://jenkins-ci.org/commit/remoting/0c2a61266d6ee021bebb32ff78f4873ffc18bce8
          Log:
          JENKINS-37567 - Update maven Jar Signer and add provider/tsa options

          I have a hardware crypto key for signing remoting, hence the original available options are not enough for me.
          I decided to add more options, but it needs sign-off from kohsuke that he still can sign the stuff with his key.

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          pom.xml
          http://jenkins-ci.org/commit/remoting/9fae467430dea195e28c190a9f93fafc43e636b8
          Log:
          Merge pull request #158 from oleg-nenashev/JENKINS-37567

          JENKINS-37567 - Update maven Jar Signer and add provider/tsa options

          Compare: https://github.com/jenkinsci/remoting/compare/76c9b8ccf14f...9fae467430de

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          core/src/test/java/hudson/LauncherTest.java
          pom.xml
          test/src/test/java/hudson/slaves/JNLPLauncherTest.java
          http://jenkins-ci.org/commit/jenkins/e7cdd6517cf25940a497f9abced72c888a398720
          Log:
          JENKINS-39370 - Update Remoting in Jenkins core to 3.10 (#2886)

          • Update Remoting in Jenkins core to 3.8
          • JENKINS-39370 - Introduce support of Work Directories in remoting (opt-in).
          • PR 129 - Allow configuring java.util.logging settings via a property file (-loggingConfig or JUL system property). See the Logging page for more details.
          • JENKINS-37567 - Change of the code signing certificate

          More info: https://github.com/jenkinsci/remoting/blob/master/CHANGELOG.md#38

          • JENKINS-39370 - Add direct tests for JNLP Launcher start with -workDir
          • Pick Remoting 3.9
          • Improve error message of LauncherTest#remoteKill()
          • Update Remoting to 3.10
          oleg_nenashev Oleg Nenashev added a comment -

          I finally figured out why the signing does not work as expected on my machine. I need to add a new "certchain" option to Maven JarSigner. It is tracked as https://issues.apache.org/jira/browse/MJARSIGNER-53. I am going to work around it and use a custom build for a while using Maven profiles.

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          pom.xml
          http://jenkins-ci.org/commit/remoting/99ffa3c0519743319767b372df452eb7e02c5b66
          Log:
          JENKINS-37567 - Add option to specify certchain, enforce certificate checks
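The comment and commit above describe the two pieces a hardware-key release setup needs from maven-jarsigner-plugin: provider options so jarsigner can reach a key on a token, and a certchain option so the signature carries the full chain when the token stores only the leaf certificate. The fragment below is an added example of such a configuration (an assumed configuration, not the remoting project's actual pom.xml): it signs through the SunPKCS11 provider, supplies the chain from a PEM file, timestamps the signature, and fails the build if verification reports an unsigned JAR or chain problems. The plugin version, the PKCS#11 configuration path, the chain file path, the `codesign.alias` property and the TSA URL are assumptions to adapt.

```xml
<!-- Added example: an assumed maven-jarsigner-plugin configuration, not the
     remoting project's actual pom.xml. Paths, the plugin version, the
     codesign.alias property and the TSA URL are placeholders. -->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-jarsigner-plugin</artifactId>
  <!-- assumed: a plugin release that understands <certchain> (MJARSIGNER-53) -->
  <version>3.0.0</version>
  <executions>
    <execution>
      <id>sign-release-jars</id>
      <goals>
        <goal>sign</goal>
      </goals>
      <configuration>
        <!-- Key lives on a hardware token, reached through SunPKCS11;
             jarsigner expects "NONE" as the keystore path for PKCS#11. -->
        <storetype>PKCS11</storetype>
        <keystore>NONE</keystore>
        <providerClass>sun.security.pkcs11.SunPKCS11</providerClass>
        <!-- assumed path: a SunPKCS11 config naming the token's PKCS#11 library -->
        <providerArg>${user.home}/.codesign/pkcs11.cfg</providerArg>
        <!-- the token PIN comes from the environment, never from the POM -->
        <storepass>${env.CODESIGN_PIN}</storepass>
        <!-- assumed user property selecting the key on the token -->
        <alias>${codesign.alias}</alias>
        <!-- Full chain (leaf plus intermediates) in PEM form. Without it, a
             token that stores only the leaf yields a signature block that
             verifiers cannot chain to a root, which jarsigner reports as
             "certificate chain is not validated". -->
        <certchain>${user.home}/.codesign/codesign-chain.pem</certchain>
        <!-- RFC 3161 timestamp so the signature stays valid after the
             certificate expires; URL is an assumption, use your CA's TSA -->
        <tsa>http://time.certum.pl</tsa>
      </configuration>
    </execution>
    <execution>
      <id>verify-release-jars</id>
      <goals>
        <goal>verify</goal>
      </goals>
      <configuration>
        <!-- fail the build if the artifact carries no signature at all ... -->
        <errorWhenNotSigned>true</errorWhenNotSigned>
        <!-- ... and have jarsigner print and check the certificates, with
             -strict so chain problems become errors instead of warnings -->
        <checkCerts>true</checkCerts>
        <arguments>
          <argument>-strict</argument>
        </arguments>
      </configuration>
    </execution>
  </executions>
</plugin>
```

The SunPKCS11 configuration file referenced by `providerArg` is a small text file with a `name` line and a `library` line pointing at the token vendor's PKCS#11 shared library. The `verify` execution is what turns the "jar verified. Warning: ... chain is not validated" outcome seen earlier in this thread into a build failure rather than a released artifact.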

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          pom.xml
          http://jenkins-ci.org/commit/remoting/ca48837eec5f9cea18653528ac68ce041cdc656c
          Log:
          Merge pull request #190 from oleg-nenashev/buildflow/JENKINS-37567

          JENKINS-37567 - Add option to specify certchain, enforce certificate checks

          Compare: https://github.com/jenkinsci/remoting/compare/a052a5ac45b3...ca48837eec5f
          oleg_nenashev Oleg Nenashev added a comment - (edited)

          The fix has been integrated towards Remoting 3.11 and Jenkins 2.76

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          pom.xml
          http://jenkins-ci.org/commit/remoting/bc9be8a75f0a3a36e1a0f57fa3130645ed319121
          Log:
          JENKINS-37567 - Add option to specify certchain, enforce certificate checks

          People

            oleg_nenashev Oleg Nenashev