Status: Resolved (View Workflow)
If we unzip the current release of the docker plugin (0.16.2) we see the following
unzip -l ~/Downloads/docker-plugin.hpi Archive: /Users/stephenc/Downloads/docker-plugin.hpi Length Date Time Name --------- ---------- ----- ---- [snip] 673715 09-13-2016 14:04 WEB-INF/lib/bcpkix-jdk15on-1.54.jar 3277268 09-13-2016 14:04 WEB-INF/lib/bcprov-jdk15on-1.54.jar [snip] --------- ------- 22911566 64 files
These files conflict with the bouncycastle jars bundled in the baseline version of Jenkins that 0.16.2 ships with and depending on plugin classloader initialization order, can cause a series of very hard to trace issues with crypto within Jenkins.
The normal solution would be to shade the jar that was being bundled, however as bouncycastle is a JCA provider and must be signed by a trusted JCA provider code signing key, this is not an option.
The solution is to replace the bundled bouncycastle jars with a dependency on the bouncycastle-api plugin.
As the version of bouncycastle required by the docker plugin is 1.54, this will also require bumping the core version to at least 1.648
Once the core version dependency reaches 2.16 - at which point bouncycastle was removed from core - then the dependency on the bouncycastle-api plugin becomes critical as all plugins are required to be getting their bouncycastle from that plugin...
- relates to
JENKINS-36923 Move bcpkix dependency from jenkins-war to bouncycastle-api plugin
- links to
Code changed in jenkins
User: Stephen Connolly
[FIXED JENKINS-39473] Switch to bouncycastle-api plugin for bouncycastle jars (#456)