KeyStoreExceptions (unrecognised algorithm) occurring on ci.jenkins.io


Chris Kilding

Jun 15, 2021, 5:36:27 AM
to jenkin...@googlegroups.com
Hi,

Recently I have seen the following error on ci.jenkins.io when building plugins that use cryptography features:

java.security.KeyStoreException: Key protection algorithm not found: java.security.UnrecoverableKeyException: Encrypt Private Key failed: unrecognized algorithm name: PBEWithSHA1AndDESede

The errors are temperamental and don't always show up. They also don't consistently occur with any particular JDK version.

Has something maybe changed about the JDK crypto features that are installed on the ci.jenkins.io build agents? I could make sense of this if, say, SHA1-based algorithms have recently been removed entirely from the JDK.

Chris

Mark Waite

Jun 15, 2021, 5:41:10 AM
to jenkinsci-dev
The JDK version used for builds on ci.jenkins.io was updated recently from JDK 8u242 to JDK 8u292. The PBEWithSHA1AndDESede algorithm has been removed from JDK 8u292. Based on https://bugs.openjdk.java.net/browse/JDK-8266261, it appears the removal was inadvertent and the algorithm will be added to the next OpenJDK release, 8u302.


Chris Kilding

Jun 15, 2021, 10:10:27 AM
to jenkin...@googlegroups.com
Hi Mark,

Thanks for confirming :) I'll wait on that next OpenJDK release then.

Chris

Chris Kilding

Aug 3, 2021, 7:10:11 AM
to jenkin...@googlegroups.com
It looks like JDK 8u302 was released in upstream OpenJDK on 20th July. I've opened an issue about this at the place where I *think* the JDK version is set for ci.jenkins.io: https://github.com/jenkins-infra/packer-images/issues/77

Chris

Tim Jacomb

Aug 3, 2021, 7:51:22 AM
to jenkin...@googlegroups.com
I was looking at this yesterday in the context of the Docker images, but they don’t appear to be published yet. I did find the binaries, though; they’ve moved to the Adoptium project now.

Mark Waite

Aug 3, 2021, 9:32:54 AM
to jenkinsci-dev
Thanks!

The OpenJDK release was about a week ago.  I've been running 11.0.12 and some 8u302 for about a week and have not detected any issues.

I see that AdoptOpenJDK has been released for Linux amd64, Windows amd64, and macOS.  No 8u302 or 11.0.12 for Arm64, ppc64, or s390x yet.

The AdoptOpenJDK Docker images that we use as our Docker image base have not been updated yet. I assume that will happen over the course of the next week or two.

Mark Waite
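
A probe for the error quoted in the first message, added here as an example (not code from the thread, Jenkins, or the JDK bug report): it reports the JDK a build agent is running and checks repeatedly whether a PKCS12 keystore can protect a key with PBEWithSHA1AndDESede. The class name PbeProbe, the password and the round count are constructed, and it assumes a secret-key entry goes through the same key-protection step as the private key in the reported error.

```java
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;

// Added diagnostic; PbeProbe is a hypothetical name, not part of any project.
public class PbeProbe {
    // Algorithm name taken from the exception message in the thread.
    static final String ALG = "PBEWithSHA1AndDESede";

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.vendor  = " + System.getProperty("java.vendor"));

        // 1. Can the JCA provider lookup resolve the algorithm at all?
        try {
            String provider = SecretKeyFactory.getInstance(ALG).getProvider().getName();
            System.out.println("SecretKeyFactory lookup: OK (" + provider + ")");
        } catch (NoSuchAlgorithmException e) {
            System.out.println("SecretKeyFactory lookup: MISSING (" + e.getMessage() + ")");
        }

        // 2. Can a PKCS12 keystore protect an entry with it? Repeated because
        //    the thread reports the failure as intermittent.
        char[] password = "constructed-test-password".toCharArray(); // constructed value
        KeyGenerator generator = KeyGenerator.getInstance("AES");
        generator.init(128);
        SecretKey key = generator.generateKey();
        int rounds = 20;
        int failures = 0;
        for (int i = 0; i < rounds; i++) {
            try {
                KeyStore store = KeyStore.getInstance("PKCS12");
                store.load(null, null); // start from an empty in-memory keystore
                // Request the algorithm explicitly so newer JDK defaults do not hide it.
                store.setEntry("probe", new KeyStore.SecretKeyEntry(key),
                        new KeyStore.PasswordProtection(password, ALG, null));
                store.store(new ByteArrayOutputStream(), password);
            } catch (KeyStoreException e) {
                failures++;
                System.out.println("round " + i + " failed: " + e.getMessage());
            }
        }
        System.out.println("PKCS12 key protection: " + failures + "/" + rounds + " rounds failed");
        System.exit(failures == 0 ? 0 : 1);
    }
}
```

The non-zero exit status on any failed round lets the probe gate a pipeline stage before plugin tests that depend on keystore operations run.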
