[JIRA] [core] (JENKINS-31850) Tool installer metadata signature validation failure on Java 1.8 build 65+


stephenconnolly@java.net (JIRA)

Dec 2, 2015, 6:32:02 AM
to jenkinsc...@googlegroups.com
stephenconnolly created an issue
 
Jenkins / Bug JENKINS-31850
Tool installer metadata signature validation failure on Java 1.8 build 65+
Issue Type: Bug
Assignee: Unassigned
Attachments: check-failure.png
Components: core
Created: 02/Dec/15 11:31 AM
Priority: Major
Reporter: stephenconnolly

Run the following groovy script in the script console.

for (d in DownloadService.Downloadable.all()) {
  println("${d.url} -> ${d.updateNow().kind}");
}

On Jenkins running on Java 8 build 60 or earlier you will get the following output:

On Java 8 build 65 or newer you will get

If you use the Jenkins » Manage Jenkins » Manage Plugins » Check Now functionality you will get the following screen

The stack trace (if you view source and do some XML reformatting) is:

java.security.cert.CertPathValidatorException: algorithm constraints check failed
	at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
	at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:219)
	at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140)
	at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
	at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
	at org.jvnet.hudson.crypto.CertificateUtil.validatePath(CertificateUtil.java:93)
	at jenkins.util.JSONSignatureValidator.verifySignature(JSONSignatureValidator.java:76)
	at hudson.model.DownloadService$Downloadable.load(DownloadService.java:370)
	at hudson.model.DownloadService$Downloadable.updateNow(DownloadService.java:385)
	at hudson.PluginManager.doCheckUpdatesServer(PluginManager.java:898)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:298)
	at org.kohsuke.stapler.interceptor.RequirePOST$Processor.invoke(RequirePOST.java:46)
	at org.kohsuke.stapler.Function$InterceptedFunction.invoke(Function.java:399)
	at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:161)
	at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:96)
	at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:121)
	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
	at org.kohsuke.stapler.MetaClass$3.doDispatch(MetaClass.java:183)
	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
	at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:686)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1494)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:132)
	at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:123)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
	at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:49)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
	at org.eclipse.jetty.server.Server.handle(Server.java:370)
	at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
	at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:949)
	at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1011)
	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:644)
	at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
	at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
	at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
	at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
	at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)

dbeck@cloudbees.com (JIRA)

Dec 2, 2015, 6:41:01 AM
to jenkinsc...@googlegroups.com
Daniel Beck commented on Bug JENKINS-31850
 
Re: Tool installer metadata signature validation failure on Java 1.8 build 65+

I've been (re)using JENKINS-31089 for this. Its fix is essentially incomplete, with KK only fixing the update site generation, but not the tools crawler.

amuniz@cloudbees.com (JIRA)

Dec 2, 2015, 6:43:01 AM
to jenkinsc...@googlegroups.com

It's weird that anything related to certificates fails while accessing an HTTP (no S) URL.

dbeck@cloudbees.com (JIRA)

Dec 2, 2015, 7:11:01 AM
to jenkinsc...@googlegroups.com

aheritier@apache.org (JIRA)

Dec 9, 2015, 1:59:03 PM
to jenkinsc...@googlegroups.com

As JENKINS-31089 is fixed do we consider this one fixed?

dbeck@cloudbees.com (JIRA)

Dec 10, 2015, 12:01:05 PM
to jenkinsc...@googlegroups.com
Daniel Beck resolved as Fixed
 

KK resolved the reopened JENKINS-31089.
Change By: Daniel Beck
Status: Open → Resolved
Resolution: Fixed