Bug
Resolution: Fixed
Minor
2.323
As per https://www.jenkins.io/changelog-stable/ release 2.249.1 "switches agent.jar and remoting.jar to a code-signing certificate owned by the CDF". This is indeed the case as can be verified by downloading the said jenkins.war, unzipping it and running
jarsigner -verbose:summary -verify WEB-INF\lib\remoting-4.5.jar
This certificate is used up until release 2.303.2 but then for some reason in 2.303.3 this happens:
jarsigner -verbose:summary -verify WEB-INF\lib\remoting-4.10.1.jar
s 131429 Fri Oct 22 16:49:26 EEST 2021 META-INF/MANIFEST.MF
131410 Fri Oct 22 16:49:26 EEST 2021 META-INF/JENKINS.SF (and 1 more)
0 Fri Oct 22 16:49:08 EEST 2021 META-INF/ (and 80 more)
sm 1137 Fri Oct 22 16:48:42 EEST 2021 META-INF/annotations/org.kohsuke.accmod.Restricted (and 942 more)
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
- Signed by "CN=Unknown, OU=Jenkins project, O=Continuous Integration Server, L=San Jose, ST=California, C=US"
Digest algorithm: SHA-256
Signature algorithm: SHA256withDSA, 1024-bit key
jar verified.
Warning:
This jar contains entries whose signer certificate has expired.
This jar contains entries whose certificate chain is invalid. Reason: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This jar contains entries whose signer certificate is self-signed.
This jar contains signatures that do not include a timestamp. Without a timestamp, users may not be able to validate this jar after any of the signer certificates expire (as early as 2021-01-30).
Re-run with the -verbose and -certs options for more details.
[JENKINS-67227] jenkins.war 2.303.3 bundles remoting.jar with an expired self-signed certificate
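The report above shows the trap in relying on jarsigner's verdict: it prints "jar verified." for remoting-4.10.1.jar even though the signer is a self-signed, expired 1024-bit DSA certificate, and only the Warning block and the "Signed by" DN reveal the regression. The following script is an added example (not code from the Jenkins project or from this issue) that extracts every WEB-INF/lib/remoting-*.jar from a jenkins.war, runs `jarsigner -verify -verbose:summary -certs -strict` on it, parses the output in the format quoted above, and fails the jar unless the signer DN matches an expected value and no self-signed/expired/unchained/untimestamped warning is present. The EXPECTED_SIGNER value is a placeholder to replace with the DN observed on a known-good release such as 2.303.2; SAMPLE_BAD is constructed from the jarsigner output in this report, and SAMPLE_GOOD is a hypothetical output with an invented DN, key and timestamp authority.

```python
from __future__ import annotations

import re
import subprocess
import sys
import tempfile
import zipfile
from dataclasses import dataclass, field

# Assumption: replace with the DN you observe on a known-good release (e.g. 2.303.2).
EXPECTED_SIGNER = "O=Continuous Delivery Foundation"

# Constructed from the report above: jarsigner's output for the 2.303.3 remoting jar.
SAMPLE_BAD = """\
s      131429 Fri Oct 22 16:49:26 EEST 2021 META-INF/MANIFEST.MF
- Signed by "CN=Unknown, OU=Jenkins project, O=Continuous Integration Server, L=San Jose, ST=California, C=US"
    Digest algorithm: SHA-256
    Signature algorithm: SHA256withDSA, 1024-bit key
jar verified.
Warning:
This jar contains entries whose signer certificate has expired.
This jar contains entries whose certificate chain is invalid. Reason: PKIX path building failed: unable to find valid certification path to requested target
This jar contains entries whose signer certificate is self-signed.
This jar contains signatures that do not include a timestamp. Without a timestamp, users may not be able to validate this jar after any of the signer certificates expire (as early as 2021-01-30).
"""

# Constructed, hypothetical output for a correctly signed jar (DN, key and TSA invented).
SAMPLE_GOOD = """\
s      131429 Fri Oct 22 16:49:26 EEST 2021 META-INF/MANIFEST.MF
- Signed by "CN=Jenkins, O=Continuous Delivery Foundation, C=US"
    Digest algorithm: SHA-256
    Signature algorithm: SHA256withRSA, 4096-bit key
  Timestamped by "CN=Example TSA, O=Example, C=US" on Fri Oct 22 14:00:00 UTC 2021
jar verified.
"""

SIGNER_RE = re.compile(r'Signed by "([^"]+)"')
SIGALG_RE = re.compile(r"Signature algorithm:\s*([^,]+),\s*(\d+)-bit key")
# Substrings of jarsigner's warning lines mapped to short finding codes.
WARNING_CODES = {
    "signer certificate is self-signed": "self-signed",
    "signer certificate has expired": "expired",
    "certificate chain is invalid": "invalid-chain",
    "do not include a timestamp": "no-timestamp",
}


@dataclass
class SignatureReport:
    verified: bool = False
    signers: list[str] = field(default_factory=list)
    sig_algorithm: str = ""
    key_bits: int = 0
    warnings: list[str] = field(default_factory=list)


def parse_jarsigner_output(text: str) -> SignatureReport:
    """Pull signer DNs, signature algorithm, key size and warning lines out of jarsigner's text."""
    rep = SignatureReport(verified="jar verified." in text, signers=SIGNER_RE.findall(text))
    if m := SIGALG_RE.search(text):
        rep.sig_algorithm, rep.key_bits = m.group(1).strip(), int(m.group(2))
    in_warnings = False
    for line in (ln.strip() for ln in text.splitlines()):
        if line == "Warning:":
            in_warnings = True
        elif in_warnings and line.startswith("This jar"):
            rep.warnings.append(line)
    return rep


def assess(rep: SignatureReport, expected_signer: str = EXPECTED_SIGNER, min_key_bits: int = 2048) -> list[str]:
    """Return finding codes; an empty list means the jar passes the gate.

    "jar verified." is printed even for the self-signed, expired case above, so the
    signer DN and the warning lines are checked explicitly instead of trusting that verdict.
    """
    findings = []
    if not rep.verified:
        findings.append("not-verified")
    if not rep.signers:
        findings.append("unsigned")
    if any(expected_signer not in dn for dn in rep.signers):
        findings.append("unexpected-signer")
    findings += [code for w in rep.warnings for needle, code in WARNING_CODES.items() if needle in w]
    if rep.sig_algorithm.upper().startswith(("MD5", "SHA1")):
        findings.append("weak-digest")
    if rep.key_bits and rep.key_bits < min_key_bits:
        findings.append("weak-key")
    return findings


def check_war(war_path: str) -> dict[str, list[str]]:
    """Extract every WEB-INF/lib/remoting-*.jar from a jenkins.war and gate each one.

    -strict also turns jarsigner's warnings into a non-zero exit status; the text is
    parsed regardless so that the findings are explicit in the result."""
    results = {}
    with zipfile.ZipFile(war_path) as war, tempfile.TemporaryDirectory() as tmp:
        for name in war.namelist():
            if re.fullmatch(r"WEB-INF/lib/remoting-[^/]+\.jar", name):
                jar = war.extract(name, tmp)
                proc = subprocess.run(
                    ["jarsigner", "-verify", "-verbose:summary", "-certs", "-strict", jar],
                    capture_output=True, text=True, check=False)
                results[name] = assess(parse_jarsigner_output(proc.stdout + proc.stderr))
    return results


if __name__ == "__main__":
    results = check_war(sys.argv[1]) if len(sys.argv) > 1 else {"sample": assess(parse_jarsigner_output(SAMPLE_BAD))}
    for jar, findings in results.items():
        print(jar, "OK" if not findings else "FAIL: " + ", ".join(findings))
    sys.exit(1 if any(results.values()) else 0)
```

Run as `python3 check_remoting_signer.py jenkins.war` on an unpacked-able war; without an argument it evaluates the constructed SAMPLE_BAD, which produces unexpected-signer, expired, invalid-chain, self-signed, no-timestamp and weak-key. The same parser can be pointed at agent.jar, which the 2.249.1 changelog entry says moved to the CDF certificate at the same time.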
Description | Original: (the report text above, with the typo "This is indeed the cases") | New: (the report text above, typo corrected to "case") |
Labels | New: lts-candidate |
Status | Original: Open [ 1 ] | New: In Progress [ 3 ] |
Status | Original: In Progress [ 3 ] | New: In Review [ 10005 ] |
Attachment | New: image.png [ 56863 ] |
Sorry about that. I forgot that we're signing remoting, and staged it from a separate environment as preparation for the delivery of security fixes in and related to that component.