[JENKINS-67227] jenkins.war 2.303.3 bundles remoting.jar with an expired self-signed certificate

    • 2.323

      As per https://www.jenkins.io/changelog-stable/ release 2.249.1 "switches agent.jar and remoting.jar to a code-signing certificate owned by the CDF". This is indeed the case as can be verified by downloading the said jenkins.war, unzipping it and running

      jarsigner -verbose:summary -verify WEB-INF\lib\remoting-4.5.jar

      This certificate is used up until release 2.303.2 but then for some reason in 2.303.3 this happens:

      jarsigner -verbose:summary -verify WEB-INF\lib\remoting-4.10.1.jar

      s 131429 Fri Oct 22 16:49:26 EEST 2021 META-INF/MANIFEST.MF
      131410 Fri Oct 22 16:49:26 EEST 2021 META-INF/JENKINS.SF (and 1 more)
      0 Fri Oct 22 16:49:08 EEST 2021 META-INF/ (and 80 more)
      sm 1137 Fri Oct 22 16:48:42 EEST 2021 META-INF/annotations/org.kohsuke.accmod.Restricted (and 942 more)

      s = signature was verified
      m = entry is listed in manifest
      k = at least one certificate was found in keystore

      • Signed by "CN=Unknown, OU=Jenkins project, O=Continuous Integration Server, L=San Jose, ST=California, C=US"
        Digest algorithm: SHA-256
        Signature algorithm: SHA256withDSA, 1024-bit key

      jar verified.

      Warning:
      This jar contains entries whose signer certificate has expired.
      This jar contains entries whose certificate chain is invalid. Reason: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      This jar contains entries whose signer certificate is self-signed.
      This jar contains signatures that do not include a timestamp. Without a timestamp, users may not be able to validate this jar after any of the signer certificates expire (as early as 2021-01-30).

      Re-run with the -verbose and -certs options for more details.
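The output quoted above illustrates a jarsigner behaviour worth automating around: the tool prints "jar verified." and exits 0 even though the signer certificate is expired, self-signed and untrusted, and the problems only appear as advisory Warning: lines (jarsigner's -strict option turns severe warnings into a non-zero exit code). The following is an added example, not code from this issue or from the Jenkins project: it parses the -verbose:summary output and applies a release-gate policy, fed with the 2.303.3 remoting-4.10.1.jar summary from the report above and with a constructed summary of a cleanly signed jar. The expected-subject string ("O=Example Foundation"), the 2048-bit key floor and the made-up DN in the good sample are assumptions chosen for the example, not Jenkins project policy.

```python
"""Gate on jarsigner's verify summary instead of trusting "jar verified.".

Added example, not part of JENKINS-67227 or the Jenkins code base. jarsigner
exits 0 and prints "jar verified." even when the signer certificate is expired
or self-signed; the defects only show up as trailing Warning: lines (or as a
non-zero exit if -strict is passed). This parses the summary and applies a
policy. The expected-subject check and the 2048-bit key floor are assumptions
chosen for the example.
"""
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

# Phrases jarsigner prints in its Warning: section that should fail a release gate.
HARD_WARNINGS = (
    "signer certificate has expired",
    "certificate chain is invalid",
    "signer certificate is self-signed",
    "unsigned entries",
    "do not include a timestamp",
)

SIGNED_BY_RE = re.compile(r'Signed by "(?P<dn>[^"]+)"')
SIG_ALG_RE = re.compile(r"Signature algorithm:\s*(?P<alg>\S+),\s*(?P<bits>\d+)-bit key")


@dataclass
class SignatureReport:
    verified: bool
    signer_dn: Optional[str]
    sig_alg: Optional[str]
    key_bits: Optional[int]
    warnings: List[str] = field(default_factory=list)


def parse_jarsigner_summary(text: str) -> SignatureReport:
    """Parse the output of `jarsigner -verbose:summary -verify <jar>`."""
    signer = SIGNED_BY_RE.search(text)
    alg = SIG_ALG_RE.search(text)
    warnings, in_warnings = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Warning:"):          # warnings run until the next blank line
            in_warnings = True
            continue
        if in_warnings:
            if not s or s.startswith("Re-run with"):
                in_warnings = False
                continue
            warnings.append(s)
    return SignatureReport(
        verified="jar verified." in text,
        signer_dn=signer.group("dn") if signer else None,
        sig_alg=alg.group("alg") if alg else None,
        key_bits=int(alg.group("bits")) if alg else None,
        warnings=warnings,
    )


def check_signature(report: SignatureReport, expected_subject: Optional[str] = None,
                    min_key_bits: int = 2048) -> List[str]:
    """Return the policy violations found; an empty list means the jar passes."""
    findings = []
    if not report.verified:
        findings.append("jar did not verify")
    if report.signer_dn is None:
        findings.append("no signer found (unsigned jar)")
    elif expected_subject and expected_subject not in report.signer_dn:
        findings.append(f"unexpected signer: {report.signer_dn}")
    if report.key_bits is not None and report.key_bits < min_key_bits:
        findings.append(f"weak key: {report.sig_alg} {report.key_bits}-bit")
    for w in report.warnings:
        if any(p in w for p in HARD_WARNINGS):
            findings.append(f"jarsigner warning: {w}")
    return findings


def verify_jar(path: str) -> SignatureReport:
    """Run jarsigner (needs a JDK on PATH) on a jar and parse the result."""
    out = subprocess.run(["jarsigner", "-verbose:summary", "-verify", path],
                         capture_output=True, text=True, check=False).stdout
    return parse_jarsigner_summary(out)


# The 2.303.3 remoting-4.10.1.jar output quoted in the issue, trimmed to the relevant lines.
BAD_SUMMARY = """\
s 131429 Fri Oct 22 16:49:26 EEST 2021 META-INF/MANIFEST.MF
sm 1137 Fri Oct 22 16:48:42 EEST 2021 META-INF/annotations/org.kohsuke.accmod.Restricted (and 942 more)

- Signed by "CN=Unknown, OU=Jenkins project, O=Continuous Integration Server, L=San Jose, ST=California, C=US"
  Digest algorithm: SHA-256
  Signature algorithm: SHA256withDSA, 1024-bit key

jar verified.

Warning:
This jar contains entries whose signer certificate has expired.
This jar contains entries whose certificate chain is invalid. Reason: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This jar contains entries whose signer certificate is self-signed.
This jar contains signatures that do not include a timestamp. Without a timestamp, users may not be able to validate this jar after any of the signer certificates expire (as early as 2021-01-30).

Re-run with the -verbose and -certs options for more details.
"""

# Constructed summary of a cleanly signed jar; the subject DN and TSA are made up for the example.
GOOD_SUMMARY = """\
sm 1137 Fri Oct 22 16:48:42 EEST 2021 META-INF/annotations/org.kohsuke.accmod.Restricted (and 942 more)

- Signed by "CN=Example Code Signing, O=Example Foundation, C=US"
  Digest algorithm: SHA-256
  Signature algorithm: SHA256withRSA, 4096-bit key
  Timestamped by "CN=Example TSA" on Fri Oct 22 16:49:30 EEST 2021

jar verified.
"""

if __name__ == "__main__":
    for name, text in (("2.303.3 remoting-4.10.1.jar", BAD_SUMMARY),
                       ("constructed good jar", GOOD_SUMMARY)):
        findings = check_signature(parse_jarsigner_summary(text),
                                   expected_subject="O=Example Foundation")
        print(name, "->", "FAIL" if findings else "PASS")
        for f in findings:
            print("  -", f)
```

Run against the 2.303.3 output the gate reports six violations (wrong signer, 1024-bit DSA key, and the four warnings), while the constructed good summary passes; `verify_jar()` wires the same check to a real file when a JDK is available. Pinning the expected subject is the part that would have caught this regression even if the stale self-signed certificate had still been within its validity period.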

          Jani Koivulainen created issue -
          Daniel Beck added a comment -

          Sorry about that. I forgot that we're signing remoting, and staged it from a separate environment as preparation for the delivery of security fixes in and related to that component.

          Daniel Beck made changes -
          Labels New: lts-candidate

          Jeff Thompson added a comment -

          I guess some people are actually checking or using that.


          Daniel Beck added a comment -

          https://github.com/jenkinsci/jenkins/pull/5983 (weekly, 2.323 or 2.324) + https://github.com/jenkinsci/jenkins/pull/5984 (hopefully towards 2.319.1)
          Daniel Beck made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
          Daniel Beck made changes -
          Status Original: In Progress [ 3 ] New: In Review [ 10005 ]

          Jesse Glick added a comment -

          Reporter, out of curiosity, why were you checking the signature on this JAR to begin with? AFAIK the signature is not used by any product feature.

          Jani Koivulainen made changes -
          Attachment New: image.png [ 56863 ]

            Assignee: Jeff Thompson (jthompson)
            Reporter: Jani Koivulainen (jamppajanik)