[JIRA] [core] (JENKINS-31089) Signature verification failed in update site 'default'


kalbright@cakewalk.com (JIRA)

Oct 21, 2015, 3:11:01 PM10/21/15
to jenkinsc...@googlegroups.com
Keith Albright created an issue

Jenkins / Bug JENKINS-31089
Signature verification failed in update site 'default'
Issue Type: Bug
Assignee: Unassigned
Components: core
Created: 21/Oct/15 7:10 PM
Environment: Mac OS X El Capitan 10.11; Safari or Chrome or Firefox; Jenkins 1.631
Priority: Blocker
Reporter: Keith Albright

Installed pkg for OS X.
Nothing worked.
Found out from another page that the JDK needs to be installed.
Installed the JDK by going to the link via java in Terminal.
Reported Java version is 1.8.0_66-b17.
Had to run the uninstall.command in /Library/Application\ Support/Jenkins.
Then ran install again and got localhost:8080 showing the Jenkins page.
Went to Manage Jenkins and then Manage Plugins. Plugins list is blank!
Went to Advanced, clicked refresh and got the error noted above.
Clicking (show details) does nothing.
Update site is set to:
http://updates.jenkins-ci.org/update-center.json
Tried other mirrors with no difference in behavior.

This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265)

mailtoarlo@gmail.com (JIRA)

Oct 22, 2015, 2:25:01 AM10/22/15
to jenkinsc...@googlegroups.com
Arlo Louis O'Keeffe commented on Bug JENKINS-31089
 
Re: Signature verification failed in update site 'default'

Seeing the same issue with Oracle JDK 1.8.0_66-b17 but on openSUSE 13.1. Rolling back to 1.8.0_60 fixes the issue.

The message I see is similar to https://issues.jenkins-ci.org/browse/JENKINS-30739.

dbeck@cloudbees.com (JIRA)

Oct 22, 2015, 6:39:01 PM10/22/15
to jenkinsc...@googlegroups.com

I wonder whether this in the patch notes is related:

MD5 must not be used for digital signatures where collision resistance is required. In order to prevent the usage of MD5 as a digital signature algorithm during X.509 certificate operations, MD5 is added to the jdk.certpath.disabledAlgorithms security property. For those applications that are still using MD5-signed certificates, please upgrade the weak certificate as soon as possible.

Unfortunately it doesn't look like we have an MD5 cert…

Could you tell me the contents of the file jre/lib/security/java.security (should be /Library/Java/JavaVirtualMachines/jdk1.8.0_XX.jdk/Contents/Home/jre/lib/security/java.security on OS X), specifically the entries jdk.certpath.disabledAlgorithms and jdk.tls.disabledAlgorithms?

Could you try to change this property to see whether it works then by removing one of the values?

mailtoarlo@gmail.com (JIRA)

Oct 23, 2015, 3:02:02 AM10/23/15
to jenkinsc...@googlegroups.com

The properties were not changed in java.security: https://gist.github.com/ArloL/69d40f1fd21cf1749986

But when I add MD5 to jdk.certpath.disabledAlgorithms in 8u60 then I get the same error message.

Signature verification failed in update site 'default' (show details)

with the log containing these entries: https://gist.github.com/ArloL/ba77b0d4208c7fea1a4e

comsamo84@gmail.com (JIRA)

Oct 23, 2015, 3:20:02 AM10/23/15
to jenkinsc...@googlegroups.com
JK raccoons edited a comment on Bug JENKINS-31089
Same here. CentOS, jdk1.8.0_65.

kalbright@cakewalk.com (JIRA)

Oct 23, 2015, 9:31:01 AM10/23/15
to jenkinsc...@googlegroups.com

The data I have is this:

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768

I tried adding MD5 to the exclusion list for tls, restarted but no change. Did same for certpath, again no change.

dbeck@cloudbees.com (JIRA)

Oct 23, 2015, 10:27:30 AM10/23/15
to jenkinsc...@googlegroups.com

Try removing one or both of the RSA/DH keySize < N entries. This is the list of what's prohibited, after all (so it can't get better when adding to it).

dbeck@cloudbees.com (JIRA)

Oct 23, 2015, 10:39:01 AM10/23/15
to jenkinsc...@googlegroups.com

I tried it myself, and the workaround is to remove , RSA keySize < 1024 from the value of jdk.certpath.disabledAlgorithms in the aforementioned file.

We're still investigating the cause of this and are looking for a real solution.

dbeck@cloudbees.com (JIRA)

Oct 23, 2015, 11:05:01 AM10/23/15
to jenkinsc...@googlegroups.com

Another option is to disable the signature check for the update site metadata downloaded by Jenkins, by setting the system property hudson.model.DownloadService.noSignatureCheck to true, but of course that's a stupid idea in general since it breaks trust in the data you download.

kalbright@cakewalk.com (JIRA)

Oct 23, 2015, 11:27:01 AM10/23/15
to jenkinsc...@googlegroups.com

Rather than removing that option entirely, it seems to work if I change it to , RSA keySize < 512

dbeck@cloudbees.com (JIRA)

Oct 23, 2015, 7:34:01 PM10/23/15
to jenkinsc...@googlegroups.com

KK fixed the key used to sign the update site metadata, and we're currently regenerating the files. Expect this to start working again in a few hours.

Please confirm whether this works ~12 hours from now so we can resolve this.

kk@kohsuke.org (JIRA)

Oct 23, 2015, 7:36:05 PM10/23/15
to jenkinsc...@googlegroups.com
Kohsuke Kawaguchi resolved as Fixed

Change By: Kohsuke Kawaguchi
Status: Open -> Resolved
Assignee: Kohsuke Kawaguchi
Resolution: Fixed

kk@kohsuke.org (JIRA)

Oct 23, 2015, 7:36:06 PM10/23/15
to jenkinsc...@googlegroups.com
Kohsuke Kawaguchi commented on Bug JENKINS-31089
 
Re: Signature verification failed in update site 'default'

I think this is caused by the fact that we've used 512-bit RSA key to sign our update center metadata. This low bit key was chosen back then to live within the JRE key length limitation imposed by the export control.

I cannot find the record, but I believe back then we had a 1024-bit key limit. Daniel Beck thinks the current JVMs do not have any limitation, and there are documents that seem to back that up, but I'm too lazy to find out exactly when the policy changed, so I'm sticking with a 1024-bit key for now.

https://ci.jenkins-ci.org/view/Infrastructure/job/infra_update_center_v3/2083/ uses a new key. This change should not have any user visible impact.

mike@caspar.com (JIRA)

Oct 24, 2015, 9:36:03 AM10/24/15
to jenkinsc...@googlegroups.com

Hi there,

I saw no change so I thought.. OK.. maybe it's caching of some sort. Let's restart my server.

Much better progress. The initial signature error is gone and doesn't show any exceptions in the logs.

That first message has gone away, to now be replaced by a new one.... (1.634, Java 1.8.0_66-b17, Ubuntu 14.04).

Strangely, there is no error in the jenkins.log.

I get the following in the jenkins.log

Oct 24, 2015 9:32:43 AM hudson.model.UpdateSite updateData
INFO: Obtained the latest update center data file for UpdateSource default

followed by the following in the web interface...

at /pluginManager/checkUpdatesServer
Signature verification failed in downloadable 'hudson.tasks.Maven.MavenInstaller' (show details)

Would you like me to open a ticket somewhere, or just consider this message to be sufficient? (Which module, if so?)

Not sure.. same (related) problem or different one?

Thanks


dbeck@cloudbees.com (JIRA)

Oct 24, 2015, 11:49:03 AM10/24/15
to jenkinsc...@googlegroups.com
Daniel Beck reopened an issue

Different but related issue, as the tool installer metadata is generated by a different process.

Reusing this issue for this problem. Looks like Kohsuke Kawaguchi needs to provide new secrets to the infra_backend_crawler project.

Change By: Daniel Beck
Resolution: Fixed
Status: Resolved -> Reopened

florian.koch1981@gmail.com (JIRA)

Oct 26, 2015, 3:01:02 PM10/26/15
to jenkinsc...@googlegroups.com
Florian Koch commented on Bug JENKINS-31089
 
Re: Signature verification failed in update site 'default'

The issue "Signature verification failed in downloadable 'hudson.tasks.Maven.MavenInstaller' (show details)" is not gone....

Any news on this?

kalbright@cakewalk.com (JIRA)

Oct 26, 2015, 3:10:04 PM10/26/15
to jenkinsc...@googlegroups.com

For now, use the workaround by changing the Java security property
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

to
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 512

in jre/lib/security/java.security (should be /Library/Java/JavaVirtualMachines/jdk1.8.0_XX.jdk/Contents/Home/jre/lib/security/java.security on OS X).

jared.skinner@soundconcepts.com (JIRA)

Oct 27, 2015, 5:51:03 PM10/27/15
to jenkinsc...@googlegroups.com

I'm still having a problem with the original issue for this thread. On a fresh install of Jenkins Version 1.635 java version "1.7.0_79" when I try to do a manual update it give me the "Signature verification failed in update site 'default' (show details)" error.

Jenkins log shows:

SEVERE: ERROR: Signature verification failed in update site 'default' (show details)
java.security.cert.CertPathValidatorException: timestamp check failed
 at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:159)
 at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:353)
 at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:191)
 at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
 at org.jvnet.hudson.crypto.CertificateUtil.validatePath(CertificateUtil.java:93)
 at jenkins.util.JSONSignatureValidator.verifySignature(JSONSignatureValidator.java:76)
 at hudson.model.UpdateSite.verifySignature(UpdateSite.java:219)
 at hudson.model.UpdateSite.updateData(UpdateSite.java:198)
 at hudson.model.UpdateSite.updateDirectlyNow(UpdateSite.java:170)
 at hudson.PluginManager.doCheckUpdatesServer(PluginManager.java:956)

If I try to refresh the url http://172.16.25.157:8081/pluginManager/checkUpdatesServer
I get the error: POST is required for hudson.PluginManager.doCheckUpdatesServer


jared.skinner@soundconcepts.com (JIRA)

Oct 27, 2015, 5:56:01 PM10/27/15
to jenkinsc...@googlegroups.com

Sorry, disregard my post: the timezone wasn't configured properly for the server I installed it on, which caused problems with the update.


crosson.david@gmail.com (JIRA)

Nov 17, 2015, 11:39:09 AM11/17/15
to jenkinsc...@googlegroups.com

Thanks, the temporary fix on java.security works well, I've just released a [small image extension](https://hub.docker.com/r/dacr/jenkins-extended/) with it and now the issue is gone

brian.b.long@gmail.com (JIRA)

Nov 18, 2015, 11:54:02 AM11/18/15
to jenkinsc...@googlegroups.com
Brian L commented on Bug JENKINS-31089

Just adding that this also affects Ubuntu 14.04.3 LTS, running the JRE 1.8.0_65-b17 and Jenkins 1.635 . The machine was configured using [Bitnami's AMI](https://aws.amazon.com/marketplace/pp/B00NNZUF3Q), but that shouldn't matter.

Replacing `jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024` with `jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 512` in the file `$JRE_HOME/lib/security/java.security` has resolved this for me as well.


tyler@monkeypox.org (JIRA)

Nov 30, 2015, 3:07:02 PM11/30/15
to jenkinsc...@googlegroups.com
R. Tyler Croy assigned an issue to R. Tyler Croy

Change By: R. Tyler Croy
Assignee: Kohsuke Kawaguchi -> R. Tyler Croy

tyler@monkeypox.org (JIRA)

Nov 30, 2015, 3:23:04 PM11/30/15
to jenkinsc...@googlegroups.com

mike@caspar.com (JIRA)

Nov 30, 2015, 4:26:02 PM11/30/15
to jenkinsc...@googlegroups.com
Mike Caspar commented on Bug JENKINS-31089
 
Re: Signature verification failed in update site 'default'

Hi there,

For me, I find that if I just ignore the error, I can see the new modules (updates) by just going back to the root url.

I personally don't feel comfortable going in and forcing a lower encryption level when a key re-gen could apparently fix this. This will complicate Java upgrades, Docker containers of Jenkins servers, potentially Puppet and Chef builds of servers, etc.

More importantly, I don't see that there will be an easy way to know when to "unhack" the setting, leaving the lower level of key setting potentially forever. I can't imagine going in and playing with the setting after every Jenkins version upgrade.

It's awesome for those that need workarounds right now, but please remember, you'll need a way to remember to set it back some day in the future.

Maybe it's no big deal, but I think I'm being responsible to ask this question at least once?

radek.antoniuk@quiddia.com (JIRA)

Nov 30, 2015, 4:35:01 PM11/30/15
to jenkinsc...@googlegroups.com

Making a workaround in a Docker image for Jenkins and reverting it back in the next "tag" is as easy as anything in Docker.
Anyway, I think this is a critical issue for Jenkins users.
I would love to help investigate, but given Kohsuke Kawaguchi's comment, it will probably be hard to reproduce "outside" with totally different certs and infra.

dbeck@cloudbees.com (JIRA)

Nov 30, 2015, 4:54:02 PM11/30/15
to jenkinsc...@googlegroups.com

> For me, I find that if I just ignore the error, I can see the new modules (updates) by just going back to the root url.

The update site itself has been fixed a month or so ago. Now the problem is with the tool metadata for when you select a version of a tool like Maven or Ant to be downloaded. So unless you expect to use recent versions of any auto-installed tools, you won't be affected (other than the error message).

jglick@cloudbees.com (JIRA)

Dec 2, 2015, 9:09:09 AM12/2/15
to jenkinsc...@googlegroups.com

> unless you expect to use recent versions of any auto-installed tools, you won't be affected

But users of new installations without cached tool metadata would also be affected, right?

methodgr4b@gmail.com (JIRA)

Dec 3, 2015, 7:51:05 AM12/3/15
to jenkinsc...@googlegroups.com

> But users of new installations without cached tool metadata would also be affected, right?

Correct!
On a clean install I had to apply the 1024 -> 512 fix so that the NodeJS plugin could find the nodejs.org installers (JENKINS-31485).

radek.antoniuk@quiddia.com (JIRA)

Dec 3, 2015, 8:40:03 AM12/3/15
to jenkinsc...@googlegroups.com

So as I understand it, e.g. for Docker-spawned fresh instances, this problem still exists.
Daniel, could you give some insight into the "fix" that was applied and/or why this still happens for fresh installs?

dbeck@cloudbees.com (JIRA)

Dec 3, 2015, 9:19:01 AM12/3/15
to jenkinsc...@googlegroups.com

radek.antoniuk@quiddia.com (JIRA)

Dec 3, 2015, 9:30:01 AM12/3/15
to jenkinsc...@googlegroups.com

Thanks
I remember the previous comments about the workaround; I just wanted to understand why the workaround doesn't work for tool metadata?

dbeck@cloudbees.com (JIRA)

Dec 3, 2015, 9:58:05 AM12/3/15
to jenkinsc...@googlegroups.com

Radek Antoniuk I don't understand your comment.

The workaround of only requiring 512 bit keys should work for everything. See the comment by Method Grab for confirmation.

The fix of actually having a longer key was however only applied to the update site metadata (i.e. plugins and core updates), but not to the tools metadata – which is why the latter still fails to update/download unless you apply the workaround.

radek.antoniuk@quiddia.com (JIRA)

Dec 3, 2015, 10:05:08 AM12/3/15
to jenkinsc...@googlegroups.com

Your last sentence answers exactly my question and explains why this is still an issue, thanks!

dbeck@cloudbees.com (JIRA)

Dec 3, 2015, 10:19:02 AM12/3/15
to jenkinsc...@googlegroups.com

radek.antoniuk@quiddia.com (JIRA)

Dec 3, 2015, 10:22:03 AM12/3/15
to jenkinsc...@googlegroups.com

Right, sorry, I missed the second linked word of your comment. Anyway, I am sure that will help others to see this at a glance now!

kk@kohsuke.org (JIRA)

Dec 9, 2015, 12:05:19 PM12/9/15
to jenkinsc...@googlegroups.com

New signature is verified on tool metadata.

kk@kohsuke.org (JIRA)

Dec 9, 2015, 12:05:23 PM12/9/15
to jenkinsc...@googlegroups.com
Kohsuke Kawaguchi resolved as Fixed

Change By: Kohsuke Kawaguchi
Status: Reopened -> Resolved
Resolution: Fixed

rhayman@visi.com (JIRA)

Jan 22, 2016, 9:44:26 AM1/22/16
to jenkinsc...@googlegroups.com
r hayman commented on Bug JENKINS-31089
 
Re: Signature verification failed in update site 'default'

Adding data in the event others search for this error and find this thread.

I did a fresh install yesterday (2016.01.21):
Mac OS X Yosemite 10.10.5
Java: jdk-8u71-macosx-x64.dmg
Jenkins: jenkins-1.644.pkg
The above versions still exhibit the Signature verification failed message.
Setting java.security line 509 to "jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 512" still exhibits this error.
My fix was to temporarily remove “MD5,” from line 509 of java.security

$ pwd
/Library/Java/JavaVirtualMachines/jdk1.8.0_71.jdk/Contents/Home/jre/lib/security
$ diff java.security java.security.orig
509c509
< jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

> jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024

A previous fresh install on a different machine using
Mac OS X El Capitan 10.11.2
Java: jdk-8u66-macosx-x64.dmg
Jenkins: jenkins-1.635.pkg
did not exhibit this issue; line 509 of java.security included "jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024"

jiri.tyr@gmail.com (JIRA)

Jan 27, 2016, 7:09:13 AM1/27/16
to jenkinsc...@googlegroups.com
Jiri Tyr reopened an issue

I believe this issue should not be marked as resolved because the change of the Java security file is only a workaround. Clean installation of the latest stable Jenkins server still requires changing the Java security file. Is there a proper fix on the Jenkins side for this issue?

Change By: Jiri Tyr
Resolution: Fixed
Status: Resolved -> Reopened

dbeck@cloudbees.com (JIRA)

Jan 27, 2016, 7:19:04 AM1/27/16
to jenkinsc...@googlegroups.com
Daniel Beck resolved as Fixed

This issue was definitely fixed, but Java updates keep changing the rules, thereby moving the goalposts.

Change By: Daniel Beck
Status: Reopened -> Resolved
Resolution: Fixed

jiri.tyr@gmail.com (JIRA)

Jan 27, 2016, 7:48:10 AM1/27/16
to jenkinsc...@googlegroups.com
Jiri Tyr commented on Bug JENKINS-31089
 
Re: Signature verification failed in update site 'default'

Well, I think that the proper fix would be to change the MD5 cryptographic hash algorithm to something else because MD5 is no longer considered secure. Can we expect this to happen any time soon?

dbeck@cloudbees.com (JIRA)

Jan 27, 2016, 8:13:08 AM1/27/16
to jenkinsc...@googlegroups.com

> proper fix would be to change the MD5 cryptographic hash algorithm to something else

Definitely happening soon(ish), it's just that everyone with the necessary access to the secrets is traveling right now for FOSDEM this weekend (where I will continue to harass them about this).

I'm just saying this is a new issue, affecting a different version of Java, with a different problem (MD5 algorithm rather than RSA key size), and therefore should be tracked separately.
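An added example (not Jenkins or JDK code) that serves two points in this thread: Kohsuke Kawaguchi's explanation that the original failure came from a 512-bit signing key meeting the JDK's "RSA keySize < 1024" entry, and Daniel Beck's point above that the MD5 entry added in 8u71 is a separate constraint the keySize workaround cannot satisfy. It parses a jdk.certpath.disabledAlgorithms value the way the JDK's certificate-path checker reads it (bare algorithm names and keySize constraints, with any of the relational operators the property accepts) and reports why a given signing certificate would be rejected. The certificate details used in the cases (MD5withRSA signature, 512- and 1024-bit RSA keys) are assumed for illustration.

```python
"""Constructed example (not Jenkins or JDK code): evaluate a Java
jdk.certpath.disabledAlgorithms value against an update site's signing
certificate, the way the JDK's certificate-path algorithm checker does.
Only the constraint forms seen in this thread are modelled: a bare
algorithm name (MD2, MD5) and 'KEYALG keySize OP N'."""
import re
from typing import List, Optional, Tuple

# Relational operators a keySize constraint may use.
_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}

_CONSTRAINT = re.compile(
    r"^(?P<alg>[A-Za-z0-9]+)"
    r"(?:\s+keySize\s*(?P<op><=|>=|==|!=|<|>)\s*(?P<size>\d+))?$",
    re.IGNORECASE,
)


def parse_disabled(value: str) -> List[Tuple[str, Optional[str], Optional[int]]]:
    """Parse 'MD2, MD5, RSA keySize < 1024' into (ALG, op, size) tuples;
    op and size are None for a bare algorithm name."""
    constraints = []
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        m = _CONSTRAINT.match(part)
        if not m:
            raise ValueError(f"unsupported constraint: {part!r}")
        size = m.group("size")
        constraints.append((m.group("alg").upper(), m.group("op"), int(size) if size else None))
    return constraints


def split_sigalg(sig_alg: str) -> Tuple[str, str]:
    """'MD5withRSA' -> ('MD5', 'RSA'): the digest and the key algorithm."""
    m = re.match(r"^([A-Za-z0-9]+?)with([A-Za-z0-9]+)$", sig_alg, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised signature algorithm: {sig_alg!r}")
    return m.group(1).upper(), m.group(2).upper()


def rejection_reasons(disabled: str, sig_alg: str, key_alg: str, key_bits: int) -> List[str]:
    """Why a certificate with this signature algorithm and public key would
    fail the certpath check; an empty list means it is accepted."""
    digest, sig_key_alg = split_sigalg(sig_alg)
    key_alg = key_alg.upper()
    reasons = []
    for alg, op, size in parse_disabled(disabled):
        if size is None:
            # A bare name disables the algorithm wherever it appears: as the
            # signature digest, the signature key type or the public key type.
            if alg in (digest, sig_key_alg, key_alg):
                reasons.append(f"{alg} is disabled")
        elif alg == key_alg and _OPS[op](key_bits, size):
            reasons.append(f"{alg} key of {key_bits} bits violates 'keySize {op} {size}'")
    return reasons


if __name__ == "__main__":
    # The situations this thread walks through. The signing certificate's
    # details (MD5withRSA signature, key sizes) are assumed for illustration.
    cases = [
        ("MD2, RSA keySize < 1024", "MD5withRSA", "RSA", 512),        # original failure
        ("MD2, RSA keySize < 512", "MD5withRSA", "RSA", 512),         # keySize workaround
        ("MD2, RSA keySize < 1024", "MD5withRSA", "RSA", 1024),       # re-signed, 1024-bit key
        ("MD2, MD5, RSA keySize < 1024", "MD5withRSA", "RSA", 1024),  # JDK 8u71 adds MD5
        ("MD2, MD5, RSA keySize < 512", "MD5withRSA", "RSA", 512),    # workaround no longer enough
    ]
    for disabled, sig, kalg, bits in cases:
        verdict = rejection_reasons(disabled, sig, kalg, bits) or "accepted"
        print(f"{disabled:30} {sig} {bits:5} -> {verdict}")
```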

jiri.tyr@gmail.com (JIRA)

Jan 27, 2016, 8:25:03 AM1/27/16
to jenkinsc...@googlegroups.com
Jiri Tyr commented on Bug JENKINS-31089

Is there a ticket about the change of the cryptographic hash algorithm? If not, could you please create one? If yes, could you please link it to this ticket?

Please let me know if you need more people to convince the team about the importance of this change and I can join your discussion in Brussels this weekend ;o)

dbeck@cloudbees.com (JIRA)

Jan 27, 2016, 8:47:02 AM1/27/16
to jenkinsc...@googlegroups.com

patxi.gortazar@gmail.com (JIRA)

May 2, 2016, 10:31:04 AM5/2/16
to jenkinsc...@googlegroups.com

I've been faced with this issue when installing Jenkins 2.1. Proposed solutions on this ticket didn't work for me. I've had to edit /etc/default/jenkins and add the following to JAVA_ARGS:

-Dhudson.model.DownloadService.noSignatureCheck=true

I'm not sure if this is considered a different bug.

Environment:

Ubuntu 14.04
OpenJDK Runtime Environment (build 1.8.0_91-8u91-b14-0ubuntu4~14.04-b14)
Jenkins 2.1

dbeck@cloudbees.com (JIRA)

May 2, 2016, 10:37:01 AM5/2/16
to jenkinsc...@googlegroups.com

Patxi Gortázar, please file a new bug, and provide more information (relevant jenkins.log excerpts, full error messages, etc.)

patxi.gortazar@gmail.com (JIRA)

May 3, 2016, 5:06:06 AM5/3/16
to jenkinsc...@googlegroups.com

Daniel Beck I've been trying to reproduce this issue on a fresh new Ubuntu 14.04.3, 14.04.4 and 16.04 and was unable to reproduce it. It may be something specific with our machine. Furthermore, no references arise from a google search. I think it is caused by something on our side. Do you still want to file a new bug?


dbeck@cloudbees.com (JIRA)

May 3, 2016, 7:11:03 AM5/3/16
to jenkinsc...@googlegroups.com

> Do you still want me to file a new bug?

No. Without more information this will not be helpful.

akostadinov@java.net (JIRA)

Aug 28, 2018, 8:28:04 AM8/28/18
to jenkinsc...@googlegroups.com

Filed JENKINS-53288 for signature verification check I see with 2.121.3 and a clean install (after applying the RSA 512 fix).


dbeck@cloudbees.com (JIRA)

Oct 8, 2018, 2:46:02 AM10/8/18
to jenkinsc...@googlegroups.com

FYI we fixed JENKINS-53710 in Jenkins 2.145 that addressed a possible regression related to signature verification in Jenkins 2.130. While we observed the problem only on Java 11, it's possible for it to also occur on Java 8.
