- Bug
- Resolution: Fixed
- Critical
- None
If we unzip the current release of the docker plugin (0.16.2) we see the following:

    unzip -l ~/Downloads/docker-plugin.hpi
    Archive:  /Users/stephenc/Downloads/docker-plugin.hpi
      Length      Date    Time    Name
    ---------  ---------- -----   ----
    [snip]
       673715  09-13-2016 14:04   WEB-INF/lib/bcpkix-jdk15on-1.54.jar
      3277268  09-13-2016 14:04   WEB-INF/lib/bcprov-jdk15on-1.54.jar
    [snip]
    ---------                     -------
     22911566                     64 files
These files conflict with the bouncycastle jars bundled in the baseline version of Jenkins that 0.16.2 ships with and, depending on plugin classloader initialization order, can cause a series of very hard to trace issues with crypto within Jenkins.
The normal solution would be to shade the jar that was being bundled; however, as bouncycastle is a JCA provider and must be signed by a trusted JCA provider code signing key, this is not an option.
The solution is to replace the bundled bouncycastle jars with a dependency on the bouncycastle-api plugin.
As the version of bouncycastle required by the docker plugin is 1.54, this will also require bumping the core version to at least 1.648.
Once the core version dependency reaches 2.16 (the release in which bouncycastle was removed from core), the dependency on the bouncycastle-api plugin becomes critical, as all plugins must then get their bouncycastle classes from that plugin.
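As an illustration of the fix described above (an added example, not the docker plugin's actual pom.xml), this fragment drops the transitively bundled bouncycastle jars and takes them from the bouncycastle-api plugin instead. It assumes the jars arrive via the com.github.docker-java:docker-java dependency, and the version properties are placeholders to be set by the project; the page does not state a bouncycastle-api version.

```xml
<!-- Added example, not the plugin's real pom. Assumption: bcprov/bcpkix 1.54
     reach WEB-INF/lib transitively through docker-java. -->
<properties>
  <!-- bouncycastle 1.54 needs a Jenkins core of at least 1.648 -->
  <jenkins.version>1.648</jenkins.version>
  <!-- placeholders: set to the releases the project actually uses -->
  <docker-java.version>DOCKER_JAVA_VERSION</docker-java.version>
  <bouncycastle-api.version>BOUNCYCASTLE_API_VERSION</bouncycastle-api.version>
</properties>

<dependencies>
  <!-- Before: this dependency pulled bcprov/bcpkix into the .hpi, where they
       shadowed (or were shadowed by) the jars shipped in Jenkins core. -->
  <dependency>
    <groupId>com.github.docker-java</groupId>
    <artifactId>docker-java</artifactId>
    <version>${docker-java.version}</version>
    <!-- After: keep the JCA provider jars out of WEB-INF/lib entirely -->
    <exclusions>
      <exclusion>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcprov-jdk15on</artifactId>
      </exclusion>
      <exclusion>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcpkix-jdk15on</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- ...and resolve the bouncycastle classes from the plugin that owns
       them, so every plugin shares one signed, loaded-once provider. -->
  <dependency>
    <groupId>org.jenkins-ci.plugins</groupId>
    <artifactId>bouncycastle-api</artifactId>
    <version>${bouncycastle-api.version}</version>
  </dependency>
</dependencies>
```

After rebuilding, `unzip -l target/docker-plugin.hpi | grep -i 'bcp'` should list no bcprov or bcpkix jar; any hit means another transitive dependency still drags them in and needs the same exclusion.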
- relates to: JENKINS-36923 Move bcpkix dependency from jenkins-war to bouncycastle-api plugin (Closed)