JENKINS-37567

Setup code signing to be able to release Remoting without Kohsuke

      Description

      Currently Remoting can be released by Kohsuke Kawaguchi only, and it complicates things, especially since we want to establish a Remoting backporting flow for Remoting 2.

      I should get a verified key and start releasing Remoting without it.
      Getting the organization key is complicated according to our last investigation.

          Activity

          oleg_nenashev Oleg Nenashev created issue -
          oleg_nenashev Oleg Nenashev made changes -
          Field Original Value New Value
          Epic Link JENKINS-37564 [ 173676 ]
          oleg_nenashev Oleg Nenashev made changes -
          Epic Link JENKINS-37564 [ 173676 ] JENKINS-38833 [ 175240 ]
          oleg_nenashev Oleg Nenashev added a comment -

          The certificate got delayed

          oleg_nenashev Oleg Nenashev made changes -
          Assignee Oleg Nenashev [ oleg_nenashev ]
          oleg_nenashev Oleg Nenashev made changes -
          Status Open [ 1 ] In Progress [ 3 ]
          oleg_nenashev Oleg Nenashev made changes -
          Attachment remoting-3.8-SNAPSHOT.jar [ 37485 ]
          oleg_nenashev Oleg Nenashev added a comment -

          Created pull request with patches: #158

          I have attached the JAR to the JIRA ticket. I would appreciate it if somebody could test it and confirm that the JAR is being considered as signed by a trusted source. It is critical for JNLP start on Windows at least. CC @slide and @jtnord since they may have a ready environment for it. If required, I can try to package Jenkins core with a signed version.

           

          remoting-3.8-SNAPSHOT.jar

          oleg_nenashev Oleg Nenashev made changes -
          Status In Progress [ 3 ] In Review [ 10005 ]
          abayer Andrew Bayer added a comment -

          Worked fine on OS X in a quick test.

          oleg_nenashev Oleg Nenashev added a comment -

          Andrew Bayer Did you ensure that Java actually tried to check the signature? IIRC it is not a default behavior on Mac OS.

          abayer Andrew Bayer added a comment -

          Whoops -

          ─○ jarsigner -verify ~/Downloads/remoting-3.8-SNAPSHOT.jar
          Picked up JAVA_TOOL_OPTIONS: -Dapple.awt.UIElement=true
          jar is unsigned. (signatures missing or not parsable)
          

          So...no. Not signed.

          oleg_nenashev Oleg Nenashev added a comment -

          Output on a fresh VM for me:

           

          {noformat}

          sm      4351 Thu Mar 19 18:09:38 CET 2015 org/kohsuke/args4j/Starter.class
          sm       741 Thu Mar 19 18:09:38 CET 2015 org/kohsuke/args4j/Utilities.class
          sm      4092 Thu Mar 19 18:09:38 CET 2015 org/kohsuke/args4j/XmlParser.class

            s = signature was verified
            m = entry is listed in manifest
            k = at least one certificate was found in keystore
            i = at least one certificate was found in identity scope

          - Signed by "EMAILADDRESS=o.v.nenashev@gmail.com, CN="Open Source Developer, Oleg Nenashev", O=Open Source Developer, C=CH"
                Digest algorithm: SHA-256
                Signature algorithm: SHA256withRSA, 2048-bit key
              Timestamped by "CN=Certum EV TSA SHA2, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL" on Fri Apr 28 13:27:47 UTC 2017
                Timestamp digest algorithm: SHA-256
                Timestamp signature algorithm: SHA256withRSA, 2048-bit key

          jar verified.

          Warning:
          This jar contains entries whose certificate chain is not validated.

          {noformat}

          abayer Andrew Bayer added a comment -

          I take that back, I honestly don't know what JVM was used for that run. With /Library/Java/JavaVirtualMachines/jdk1.8.0.jdk/Contents/Home/bin/jarsigner (where java -version gives Java(TM) SE Runtime Environment (build 1.8.0-b132)), I get the right result.
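
Added example (not part of the thread and not Jenkins project code): the verification runs above show `jarsigner -verify` reporting either "jar is unsigned" or "jar verified." together with a certificate-chain warning. The shell function below sorts such a report into those cases and additionally flags entries that lack the `s` flag; the verdict names and the sample reports are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `jarsigner -verify -verbose` text read from stdin.
# Message wording is copied from the outputs quoted in this thread; other
# JDK versions or locales may phrase them differently (assumption).
classify_jarsigner() {
    awk '
        /jar is unsigned/                    { unsigned = 1 }
        /jar verified\./                     { verified = 1 }
        /certificate chain is not validated/ { badchain = 1 }
        # Entry with flags, e.g. "sm 4351 Thu ... path": needs the s flag.
        $1 ~ /^[smki]+$/ && $2 ~ /^[0-9]+$/ {
            if ($1 !~ /s/ && $NF !~ /^META-INF\//) loose = 1
        }
        # Entry with no flags at all, e.g. "512 Fri ... path".
        $1 ~ /^[0-9]+$/ && $2 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ {
            if ($NF !~ /^META-INF\//) loose = 1
        }
        END {
            if (unsigned)       print "unsigned"
            else if (!verified) print "unknown"
            else if (loose)     print "partially-signed"
            else if (badchain)  print "chain-not-validated"
            else                print "verified"
        }'
}

# Constructed sample reports, modelled on the output shapes in the thread.
SAMPLE_UNSIGNED='jar is unsigned. (signatures missing or not parsable)'
SAMPLE_CHAIN='sm      4351 Thu Mar 19 18:09:38 CET 2015 org/kohsuke/args4j/Starter.class
sm       741 Thu Mar 19 18:09:38 CET 2015 org/kohsuke/args4j/Utilities.class
  s = signature was verified
  m = entry is listed in manifest
jar verified.
Warning:
This jar contains entries whose certificate chain is not validated.'
SAMPLE_PARTIAL='        1180 Fri Apr 28 13:27:46 UTC 2017 META-INF/MANIFEST.MF
sm      4351 Thu Mar 19 18:09:38 CET 2015 org/kohsuke/args4j/Starter.class
         512 Fri Apr 28 13:30:00 UTC 2017 org/example/Added.class
jar verified.'

for report in "$SAMPLE_UNSIGNED" "$SAMPLE_CHAIN" "$SAMPLE_PARTIAL"; do
    printf '%s\n' "$report" | classify_jarsigner
done
```

To check a real file, pipe the output of `jarsigner -verify -verbose` for that JAR into `classify_jarsigner`; entry paths containing spaces and non-English date output are not handled.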

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          pom.xml
          http://jenkins-ci.org/commit/remoting/0c2a61266d6ee021bebb32ff78f4873ffc18bce8
          Log:
          JENKINS-37567 - Update maven Jar Signer and add provider/tsa options

          I have a hardware crypto key for signing remoting, hence the original available options are not enough for me.
          I decided to add more options, but it needs sign-off from kohsuke that he still can sign the stuff with his key.

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          pom.xml
          http://jenkins-ci.org/commit/remoting/9fae467430dea195e28c190a9f93fafc43e636b8
          Log:
          Merge pull request #158 from oleg-nenashev/JENKINS-37567

          JENKINS-37567 - Update maven Jar Signer and add provider/tsa options

          Compare: https://github.com/jenkinsci/remoting/compare/76c9b8ccf14f...9fae467430de

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          core/src/test/java/hudson/LauncherTest.java
          pom.xml
          test/src/test/java/hudson/slaves/JNLPLauncherTest.java
          http://jenkins-ci.org/commit/jenkins/e7cdd6517cf25940a497f9abced72c888a398720
          Log:
          JENKINS-39370 - Update Remoting in Jenkins core to 3.10 (#2886)

          • Update Remoting in Jenkins core to 3.8
          • JENKINS-39370 - Introduce support of Work Directories in remoting (opt-in).
          • PR 129 - Allow configuring java.util.logging settings via a property file (-loggingConfig or JUL system property). See the Logging page for more details.
          • JENKINS-37567 - Change of the code signing certificate

          More info: https://github.com/jenkinsci/remoting/blob/master/CHANGELOG.md#38

          • JENKINS-39370 - Add direct tests for JNLP Launcher start with -workDir
          • Pick Remoting 3.9
          • Improve error message of LauncherTest#remoteKill()
          • Update Remoting to 3.10
          oleg_nenashev Oleg Nenashev made changes -
          Status In Review [ 10005 ] In Progress [ 3 ]
          oleg_nenashev Oleg Nenashev added a comment -

          I finally figured out why the signing does not work as expected on my machine. I need to add a new "certchain" option to Maven JarSigner. It is tracked as https://issues.apache.org/jira/browse/MJARSIGNER-53. I am going to work around it and use a custom build for a while using Maven profiles.

          oleg_nenashev Oleg Nenashev made changes -
          Remote Link This issue links to "MJARSIGNER-53 (Web Link)" [ 17480 ]
          oleg_nenashev Oleg Nenashev made changes -
          Summary Be able to release remoting without Kohsuke Setup code signing to be able to release Remoting without Kohsuke
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          pom.xml
          http://jenkins-ci.org/commit/remoting/99ffa3c0519743319767b372df452eb7e02c5b66
          Log:
          JENKINS-37567 - Add option to specify certchain, enforce certificate checks

          oleg_nenashev Oleg Nenashev made changes -
          Remote Link This issue links to "https://github.com/apache/maven-plugins/pull/125 (Web Link)" [ 17481 ]
          oleg_nenashev Oleg Nenashev made changes -
          Remote Link This issue links to "https://github.com/apache/maven-shared/pull/24 (Web Link)" [ 17482 ]
          oleg_nenashev Oleg Nenashev made changes -
          Remote Link This issue links to "https://github.com/jenkinsci/remoting/pull/190 (Web Link)" [ 17483 ]
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          pom.xml
          http://jenkins-ci.org/commit/remoting/ca48837eec5f9cea18653528ac68ce041cdc656c
          Log:
          Merge pull request #190 from oleg-nenashev/buildflow/JENKINS-37567

          JENKINS-37567 - Add option to specify certchain, enforce certificate checks

          Compare: https://github.com/jenkinsci/remoting/compare/a052a5ac45b3...ca48837eec5f

          oleg_nenashev Oleg Nenashev added a comment - - edited

          The fix has been integrated towards Remoting 3.11 and Jenkins 2.76

          oleg_nenashev Oleg Nenashev made changes -
          Status In Progress [ 3 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          oleg_nenashev Oleg Nenashev made changes -
          Component/s core [ 15593 ]
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          pom.xml
          http://jenkins-ci.org/commit/remoting/bc9be8a75f0a3a36e1a0f57fa3130645ed319121
          Log:
          JENKINS-37567 - Add option to specify certchain, enforce certificate checks

          jamesdumay James Dumay made changes -
          Remote Link This issue links to "CloudBees Internal OSS-2227 (Web Link)" [ 18386 ]

            People

            • Assignee:
              oleg_nenashev Oleg Nenashev
              Reporter:
              oleg_nenashev Oleg Nenashev