GPG signatures on http://repo.jenkins-ci.org/ incorrect?


Steven Clark

Apr 22, 2016, 11:02:53 AM
to Jenkins Users
Hello all,

Is anyone else aware that the GPG signatures seem to be faulty on the repo? Or am I not verifying them correctly?

gpg --verify jenkins-war-1.651.1.war.asc jenkins-war-1.651.1.war
gpg: Signature made Thu 14 Apr 2016 01:05:31 AM EDT using DSA key ID D50582E6
gpg: BAD signature from "Kohsuke Kawaguchi <k...@kohsuke.org>"


The files seem ok according to the sha1 files as well.

cat jenkins-war-1.651.1.war.sha1
31fcae60edba2ecb6c380c59f374761723981283

sha1sum jenkins-war-1.651.1.war
31fcae60edba2ecb6c380c59f374761723981283  jenkins-war-1.651.1.war

cat jenkins-war-1.651.1.war.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEABECAAYFAlcPJRsACgkQm30y8tUFgubFegCeMp4oYrIZxbhKLMrzsFhEIxet
wfAAniNy42DycpcdSuuubZngegbJiCYp
=PVM5
-----END PGP SIGNATURE-----

cat jenkins-war-1.651.1.war.asc.sha1
5a3f4bf88da314079dfbc269f6ac0b359cc96938

sha1sum jenkins-war-1.651.1.war.asc
5a3f4bf88da314079dfbc269f6ac0b359cc96938  jenkins-war-1.651.1.war.asc

-Steven

Daniel Beck

Apr 22, 2016, 6:03:08 PM
to jenkins...@googlegroups.com

> On 22.04.2016, at 17:02, Steven Clark <steven...@gmail.com> wrote:
>
> Is anyone else aware that the GPG signatures seem to be faulty on the repo? Or am I not verifying them correctly?

You're right. Something's wrong with KK's machine doing the signing (his local Maven repo is affected as well). I'm filing INFRA issues so we get this fixed.

Note that `jarsigner --verify` still works, so there's still a code integrity check you can do.

Kohsuke Kawaguchi

Apr 22, 2016, 6:37:17 PM
to Jenkins Users, m...@beckweb.net
I figured out what was wrong. During the release process, GPG signing happened before jarsigner happened.

jarsigner inserts the signature into the war file, which changes the war. So the signature became invalid.

In the 2.0 release, jarsigner somehow ran before gpg, so it produced the correct signature.

I don't know how to force this ordering in Maven. I'll ask around.
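A model of the ordering problem Kohsuke describes, added here as an example (it is not code from this thread or from the Jenkins release tooling): an HMAC keyed with a constructed key stands in for the GPG detached signature, and the jarsigner step is simulated by rewriting a constructed zip with extra META-INF entries. release() runs the steps in a given order and reports what a downloader's sha1 and signature checks return.

```python
import hashlib
import hmac
import io
import zipfile

# Constructed stand-in for the release signing key; a real release uses the
# maintainer's GPG private key and writes a detached .asc signature.
RELEASE_KEY = b"constructed-demo-key-not-a-real-secret"

def _entry(name: str) -> zipfile.ZipInfo:
    info = zipfile.ZipInfo(name, date_time=(2016, 4, 14, 1, 5, 31))  # fixed time: reproducible bytes
    info.compress_type = zipfile.ZIP_DEFLATED
    return info

def build_war() -> bytes:
    # Minimal constructed .war (a zip) standing in for jenkins-war-1.651.1.war.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(_entry("WEB-INF/web.xml"), "<web-app/>")
        zf.writestr(_entry("META-INF/MANIFEST.MF"), "Manifest-Version: 1.0\n")
    return buf.getvalue()

def jarsign(war: bytes) -> bytes:
    """Model of jarsigner: rewrites the archive with added META-INF/*.SF and
    *.RSA entries, so the bytes on disk differ from what was GPG-signed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(war)) as src, zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            dst.writestr(info, src.read(info.filename))
        digest = hashlib.sha256(src.read("WEB-INF/web.xml")).hexdigest()
        dst.writestr(_entry("META-INF/JENKINS.SF"), f"SHA-256-Digest: {digest}\n")
        dst.writestr(_entry("META-INF/JENKINS.RSA"), b"constructed-pkcs7-blob")
    return buf.getvalue()

def gpg_sign(data: bytes) -> bytes:
    # Stand-in for `gpg --detach-sign`: the signature binds exactly these bytes.
    return hmac.new(RELEASE_KEY, data, hashlib.sha256).digest()

def release(order: list[str]) -> dict[str, bool]:
    """Run the release steps in the given order; return what a downloader sees."""
    war, sig, sha1_sidecar = build_war(), None, None
    for step in order:
        if step == "gpg":
            sig = gpg_sign(war)
        elif step == "jarsigner":
            war = jarsign(war)
        elif step == "sha1":  # the .sha1 sidecar is taken from the final file
            sha1_sidecar = hashlib.sha1(war).hexdigest()
    return {"sha1_ok": sha1_sidecar == hashlib.sha1(war).hexdigest(),
            "gpg_ok": sig is not None and hmac.compare_digest(gpg_sign(war), sig)}
```

With the order gpg, jarsigner, sha1 the sidecar matches but the signature fails, which is the symptom Steven reported; with jarsigner before gpg both checks pass.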

Steven Clark

Apr 22, 2016, 7:56:52 PM
to Jenkins Users

Great, thanks for following up and letting me know about jarsigner as a workaround for now.

Regards,
-Steven