Jenkins / JENKINS-67227

jenkins.war 2.303.3 bundles remoting.jar with an expired self-signed certificate


    • 2.323

      As per https://www.jenkins.io/changelog-stable/ release 2.249.1 "switches agent.jar and remoting.jar to a code-signing certificate owned by the CDF". This is indeed the case, as can be verified by downloading the said jenkins.war, unzipping it and running:


      jarsigner -verbose:summary -verify WEB-INF\lib\remoting-4.5.jar


      This certificate is used up until release 2.303.2 but then for some reason in 2.303.3 this happens:

      jarsigner -verbose:summary -verify WEB-INF\lib\remoting-4.10.1.jar

      s 131429 Fri Oct 22 16:49:26 EEST 2021 META-INF/MANIFEST.MF
      131410 Fri Oct 22 16:49:26 EEST 2021 META-INF/JENKINS.SF (and 1 more)
      0 Fri Oct 22 16:49:08 EEST 2021 META-INF/ (and 80 more)
      sm 1137 Fri Oct 22 16:48:42 EEST 2021 META-INF/annotations/org.kohsuke.accmod.Restricted (and 942 more)

      s = signature was verified
      m = entry is listed in manifest
      k = at least one certificate was found in keystore

      • Signed by "CN=Unknown, OU=Jenkins project, O=Continuous Integration Server, L=San Jose, ST=California, C=US"
        Digest algorithm: SHA-256
        Signature algorithm: SHA256withDSA, 1024-bit key

      jar verified.

      This jar contains entries whose signer certificate has expired.
      This jar contains entries whose certificate chain is invalid. Reason: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      This jar contains entries whose signer certificate is self-signed.
      This jar contains signatures that do not include a timestamp. Without a timestamp, users may not be able to validate this jar after any of the signer certificates expire (as early as 2021-01-30).

      Re-run with the -verbose and -certs options for more details.

            jthompson Jeff Thompson
            jamppajanik Jani Koivulainen
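
An added example, not part of the original report or the Jenkins project's code: a shell filter that turns the warnings quoted above into findings, since jarsigner still prints "jar verified." alongside them. The finding labels and the 2048-bit floor for DSA/RSA keys are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag the warnings that accompany "jar verified." in
# jarsigner output. Finding labels (EXPIRED, ...) are made up for this example.

# Reads `jarsigner -verify` output on stdin, prints one finding per line,
# returns 1 if there is any finding.
audit_jarsigner_output() {
    awk '
        /jar verified\./                     { verified = 1 }
        /signer certificate has expired/     { expired = 1 }
        /certificate chain is invalid/       { chain = 1 }
        /signer certificate is self-signed/  { selfsigned = 1 }
        /do not include a timestamp/         { nots = 1 }
        # Key size is checked for DSA and RSA only; the 2048-bit floor is an example policy.
        /Signature algorithm: .*with(DSA|RSA), [0-9]+-bit key/ {
            bits = $0; sub(/.*, /, "", bits); sub(/-bit key.*/, "", bits)
            if (bits + 0 < 2048) weak = bits
        }
        END {
            if (!verified)  { print "NOT_VERIFIED";    n++ }
            if (expired)    { print "EXPIRED";         n++ }
            if (chain)      { print "UNTRUSTED_CHAIN"; n++ }
            if (selfsigned) { print "SELF_SIGNED";     n++ }
            if (nots)       { print "NO_TIMESTAMP";    n++ }
            if (weak)       { print "WEAK_KEY_" weak;  n++ }
            exit (n > 0)
        }
    '
}

# Signer and warning lines as quoted in the report for remoting-4.10.1.jar.
sample_output() {
    cat <<'EOF'
Signed by "CN=Unknown, OU=Jenkins project, O=Continuous Integration Server, L=San Jose, ST=California, C=US"
    Digest algorithm: SHA-256
    Signature algorithm: SHA256withDSA, 1024-bit key
jar verified.
This jar contains entries whose signer certificate has expired.
This jar contains entries whose certificate chain is invalid. Reason: PKIX path building failed
This jar contains entries whose signer certificate is self-signed.
This jar contains signatures that do not include a timestamp.
EOF
}

# Real use (needs a JDK): jarsigner -verbose:summary -verify remoting.jar | audit_jarsigner_output
sample_output | audit_jarsigner_output || true
```

jarsigner also has a `-strict` option that treats such warnings as errors, which suits a build gate that only looks at the exit code.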