UpdateSites Manager plugin fails with Jenkins 1.596.1+


Rafael Ribeiro Rezende

May 12, 2015, 5:40:11 PM
to jenkins...@googlegroups.com
Hello,

Since Jenkins LTS 1.596.1 I've been having the following issue when using the UpdateSites Manager plugin:

SEVERE: ERROR: Signature verification failed in update site &#039;biouno-update-center&#039; <a href='#' class='showDetails'>(show details)</a><pre style='display:none'>java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
      at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:208)
      at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
      at org.jvnet.hudson.crypto.CertificateUtil.validatePath(CertificateUtil.java:93)
      at jenkins.util.JSONSignatureValidator.verifySignature(JSONSignatureValidator.java:76)
      at hudson.model.UpdateSite.verifySignature(UpdateSite.java:227)
      at hudson.model.UpdateSite.updateData(UpdateSite.java:206)
      at hudson.model.UpdateSite.updateDirectlyNow(UpdateSite.java:178)
      at hudson.PluginManager.doCheckUpdatesServer(PluginManager.java:890)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
...


The core of this plugin is ManagedUpdateSite.java, which extends hudson.model.UpdateSite.
Until version 1.596, the (@Override) doPostBack(...) method of this class was properly invoked during a "check update" event (Check Now button). Under the hood (and a few methods below...), it generated a file from the CA Certificate provided via the UI.
From 1.596.1 on, this method is no longer invoked. So the only way to check for updates from my custom update site is by manually placing the certificate file in the $JENKINS_ROOT/update-center-rootCAs/ folder.

The plugin itself did not change since 2013. There were some changes in the Jenkins core to handle these security things, but I was not yet able to understand how it affected the UpdateSites Manager...
My first question would be: is this a bug in the Jenkins core, or should the UpdateSites plugin comply with the latest changes from 1.596.1+?

Daniel Beck

May 13, 2015, 2:58:18 AM
to jenkins...@googlegroups.com

On 12.05.2015, at 23:40, Rafael Ribeiro Rezende <rafael...@gmail.com> wrote:

> My first question would be: is this a bug in the Jenkins core, or should the UpdateSites plugin comply with the latest changes from 1.596.1+?

There's been a second code path for a while that doesn't use the postBack from the user's browser, but checks the update center from the server. It used to be a general option; for security reasons it was made the default a few releases back.
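
The failure and workaround discussed in this thread, as an added example that is not part of either post or of the Jenkins or plugin code: a signing certificate fails to chain while the anchor folder is empty and validates once its CA certificate is placed there. `openssl verify` stands in for the Java PKIX check in the stack trace; every certificate, name and directory is constructed for the demo, and PEM-encoded anchors are assumed.

```shell
#!/bin/sh
# Added illustration; openssl stands in for the Java PKIX validation.
# All certificates, subject names and directories here are constructed.

# Create a throwaway CA and an update-site signing certificate issued by it.
make_constructed_certs() {  # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-update-site-ca" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=constructed-update-site-signer" \
        -keyout "$1/signer.key" -out "$1/signer.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$1/signer.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/signer.crt" 2>/dev/null
}

# Succeed only if the signer certificate chains to a certificate in the folder.
chains_to_anchors() {  # $1 = anchor folder (PEM files), $2 = signer cert (PEM)
    bundle=$(mktemp)
    cat "$1"/* > "$bundle" 2>/dev/null || true   # an empty folder gives an empty bundle
    rc=1
    if [ -s "$bundle" ] && openssl verify -CAfile "$bundle" "$2" >/dev/null 2>&1; then
        rc=0
    fi
    rm -f "$bundle"
    return "$rc"
}

demo() {
    work=$(mktemp -d)
    anchors="$work/update-center-rootCAs"   # stand-in for the real folder
    mkdir "$anchors"
    make_constructed_certs "$work" || return 2
    if chains_to_anchors "$anchors" "$work/signer.crt"; then
        echo "empty folder: trusted"
    else
        echo "empty folder: path does not chain to any trust anchor"
    fi
    cp "$work/ca.crt" "$anchors/"           # the manual workaround from the thread
    if chains_to_anchors "$anchors" "$work/signer.crt"; then
        echo "CA placed in folder: trusted"
    else
        echo "CA placed in folder: still untrusted"
    fi
    rm -rf "$work"
}
demo
```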
