Jenkins / JENKINS-25625

SECURITY-144-compat usage breaks tests due to code signing

      Description

      Take a plugin which has a dependency on maven-plugin, such as copyartifact. Now update the dependency to 2.7.1 and try to run functional tests. Everything blows up:

      === Starting CopyArtifactTest.testMavenJobWithArchivePostBuildStep
      ... hudson.model.AbstractBuild$AbstractBuildExecution reportError
      WARNING: Publisher hudson.tasks.ArtifactArchiver aborted due to exception
      java.lang.SecurityException: class "org.jenkinsci.remoting.CallableDecorator"'s signer information does not match signer information of other classes in the same package
      	at java.lang.ClassLoader.checkCerts(ClassLoader.java:952)
      	at java.lang.ClassLoader.preDefineClass(ClassLoader.java:666)
      	at java.lang.ClassLoader.defineClass(ClassLoader.java:794)
      	at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
      	at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
      	at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
      	at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
      	at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
      	at java.security.AccessController.doPrivileged(Native Method)
      	at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
      	at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
      	at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
      	at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
      	at jenkins.FilePathFilter.current(FilePathFilter.java:108)
      	at hudson.FilePath.reading(FilePath.java:2677)
      	at hudson.FilePath.access$000(FilePath.java:190)
      	at hudson.FilePath$40.invoke(FilePath.java:2034)
      	at hudson.FilePath$40.invoke(FilePath.java:2027)
      	at hudson.FilePath.act(FilePath.java:980)
      	at hudson.FilePath.act(FilePath.java:958)
      	at hudson.FilePath.copyRecursiveTo(FilePath.java:2027)
      	at jenkins.model.StandardArtifactManager.archive(StandardArtifactManager.java:61)
      	at hudson.tasks.ArtifactArchiver.perform(ArtifactArchiver.java:218)
      	at hudson.tasks.BuildStepCompatibilityLayer.perform(BuildStepCompatibilityLayer.java:74)
      	at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
      	at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:770)
      	at hudson.model.AbstractBuild$AbstractBuildExecution.performAllBuildSteps(AbstractBuild.java:734)
      	at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.post2(MavenModuleSetBuild.java:1037)
      	at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:683)
      	at hudson.model.Run.execute(Run.java:1770)
      	at hudson.maven.MavenModuleSetBuild.run(MavenModuleSetBuild.java:529)
      	at hudson.model.ResourceController.execute(ResourceController.java:89)
      	at hudson.model.Executor.run(Executor.java:240)
      

      This is because remoting.jar is signed (which IMO it should not be), yet SECURITY-144-compat.jar is not.

      As a workaround it suffices to add

      <exclusions>
        <exclusion>
          <groupId>org.jenkins-ci</groupId>
          <artifactId>SECURITY-144-compat</artifactId>
        </exclusion>
      </exclusions>
      

      to the dependency, but this is not going to be sustainable if other plugins start adding the dep too.
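
The failure above comes from one package being split across a signed and an unsigned jar. The following added example (not code from the Jenkins project) is a heuristic classpath check for that condition: it treats a jar as signed when it has a signature block file directly under META-INF/ and does not compare signer certificates as the JVM does. The jar contents, the `Example` class names and the `SIGNER` file name are constructed sample data.

```python
import io
import zipfile
from collections import defaultdict

SIG_BLOCK_EXTS = (".RSA", ".DSA", ".EC")

def scan_jar(jar):
    """Return (is_signed, packages) for a jar given as a path or file object."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
    # A signed jar carries a signature block file directly under META-INF/.
    signed = any(
        n.upper().startswith("META-INF/") and n.count("/") == 1
        and n.upper().endswith(SIG_BLOCK_EXTS)
        for n in names)
    packages = {n.rsplit("/", 1)[0].replace("/", ".")
                for n in names if n.endswith(".class") and "/" in n}
    return signed, packages

def mixed_signing_packages(jars):
    """Map each package split across signed and unsigned jars to those jars."""
    seen = defaultdict(dict)  # package -> {jar label: is_signed}
    for label, jar in jars.items():
        signed, packages = scan_jar(jar)
        for pkg in packages:
            seen[pkg][label] = signed
    return {pkg: owners for pkg, owners in seen.items()
            if len(set(owners.values())) > 1}

def make_jar(entries):
    """Build an in-memory jar with empty entries (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    return buf

# Constructed stand-ins for the two jars named in the report. Which jar ships
# which class is an assumption made for the demonstration.
SAMPLE = {
    "remoting.jar": make_jar([
        "META-INF/SIGNER.SF", "META-INF/SIGNER.RSA",
        "org/jenkinsci/remoting/Example.class", "hudson/remoting/Example.class"]),
    "SECURITY-144-compat.jar": make_jar([
        "org/jenkinsci/remoting/CallableDecorator.class"]),
}

if __name__ == "__main__":
    print(mixed_signing_packages(SAMPLE))
```

In a real build, pass the jar paths from the test classpath instead of `SAMPLE`; any package reported is one where `ClassLoader.checkCerts` can reject a class at load time.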

            Activity

            oleg_nenashev Oleg Nenashev added a comment -

            The issue still exists in 1.609.1

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            pom.xml
            src/main/java/hudson/maven/MavenModuleSet.java
            src/main/java/hudson/maven/MavenModuleSetBuild.java
            http://jenkins-ci.org/commit/maven-plugin/c5223dea3ec253d24e76f1939501a1a80cfad348
            Log:
            Update baseline to 1.580.1.
            This allows us to pick up the SECURITY-144 fix from core and thus avoid JENKINS-25625.

            integer Kanstantsin Shautsou added a comment -

            What is the status of this issue? Updated plugin core from 1.609.3 to 1.625.3 and got the same error.

            integer Kanstantsin Shautsou added a comment -

            Found (resolved), in my case because of different remoting jars on jenkins jvm and CLI connection.

            jglick Jesse Glick added a comment -

            Did not find any remaining usages of the compat library, just some old exclusions.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Oleg Nenashev
            Path:
            test/pom.xml
            http://jenkins-ci.org/commit/jenkins/adf01d08884bcebbb802543fb71c68073bb6c7cc
            Log:
            Merge pull request #2940 from jglick/cleanup-JENKINS-25625

            JENKINS-25625 Deleting obsolete SECURITY-144-compat exclusion

            Compare: https://github.com/jenkinsci/jenkins/compare/e77048893a7c...adf01d08884b

            oleg_nenashev Oleg Nenashev added a comment -

            It has been released in 2.71

            jglick Jesse Glick added a comment -

            I see no reason for this to be an lts-candidate. It is just code cleanup.


              People

              • Assignee:
                jglick Jesse Glick
                Reporter:
                jglick Jesse Glick