Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-53288

Signature verification failed in update site 'default' (again)

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      I have applied proposed fix from JENKINS-31089 and this is my line in `/usr/lib/jvm/java-openjdk/jre/lib/security/java.security`:

      jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
          RSA keySize < 512, DSA keySize < 1024, EC keySize < 224
      

      But still I'm seeing this in Jenkins 2.121.3 log:

      Aug 28, 2018 3:20:15 PM hudson.model.UpdateSite updateData
      SEVERE: ERROR: Signature verification failed in update site &#039;default&#039; <a href='#' class='showDetails'>(show details)</a><pre style='display:none'>java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits. RSA 1024bit key used with certificate: CN=Community Update Center, O=Jenkins Project, ST=California, C=US.<br>	at sun.security.util.DisabledAlgorithmConstraints$KeySizeConstraint.permits(DisabledAlgorithmConstraints.java:817)
      

      Java:

      $ java -version
      openjdk version "1.8.0_181"
      OpenJDK Runtime Environment (build 1.8.0_181-b13)
      OpenJDK 64-Bit Server VM (build 25.181-b13, mixed mode)
      

      Attached `java.security` from Fedora 28, I can't spot any place where RSA 1024 is blocked.

        Attachments

          Issue Links

            Activity

            Hide
            akostadinov akostadinov added a comment -

            Ok, issue was INFRA-1659, in Fedora 28 there is an additional file `/etc/crypto-policies/back-ends/java.config` that overrides settings in `java.security` and it has `RSA keySize < 2048`. Setting this to `1024` resolved the issue. But it sounds like update center certificate is now time to be updated to 4096 bits.

            Show
            akostadinov akostadinov added a comment - Ok, issue was INFRA-1659 , in Fedora 28 there is an additional file `/etc/crypto-policies/back-ends/java.config` that overrides settings in `java.security` and it has `RSA keySize < 2048`. Setting this to `1024` resolved the issue. But it sounds like update center certificate is now time to be updated to 4096 bits.

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              akostadinov akostadinov
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: