[JIRA] (JENKINS-53288) Signature verification failed in update site 'default' (again)


akostadinov@java.net (JIRA)

Aug 28, 2018, 8:27:01 AM
to jenkinsc...@googlegroups.com
akostadinov created an issue
 
Jenkins / Bug JENKINS-53288
Signature verification failed in update site 'default' (again)
Issue Type: Bug
Assignee: Unassigned
Components: update-sites-manager-plugin
Created: 2018-08-28 12:26
Priority: Critical
Reporter: akostadinov

I have applied the proposed fix from JENKINS-31089 and this is my line in `/usr/lib/jvm/java-openjdk/jre/lib/security/java.security`:
{code}
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 512, DSA keySize < 1024, EC keySize < 224
{code}

But still I'm seeing this in Jenkins 2.121.3 log:

{code}
Aug 28, 2018 3:20:15 PM hudson.model.UpdateSite updateData
SEVERE: ERROR: Signature verification failed in update site &#039;default&#039; <a href='#' class='showDetails'>(show details)</a><pre style='display:none'>java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits. RSA 1024bit key used with certificate: CN=Community Update Center, O=Jenkins Project, ST=California, C=US.<br>	at sun.security.util.DisabledAlgorithmConstraints$KeySizeConstraint.permits(DisabledAlgorithmConstraints.java:817)
{code}

akostadinov@java.net (JIRA)

Aug 28, 2018, 8:29:02 AM
to jenkinsc...@googlegroups.com
akostadinov updated an issue
Change By: akostadinov
I have applied the proposed fix from JENKINS-31089 and this is my line in `/usr/lib/jvm/java-openjdk/jre/lib/security/java.security`:
{code}

jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 512, DSA keySize < 1024, EC keySize < 224
{code}


But still I'm seeing this in Jenkins 2.121.3 log:
{code}

Aug 28, 2018 3:20:15 PM hudson.model.UpdateSite updateData
SEVERE: ERROR: Signature verification failed in update site &#039;default&#039; <a href='#' class='showDetails'>(show details)</a><pre style='display:none'>java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits. RSA 1024bit key used with certificate: CN=Community Update Center, O=Jenkins Project, ST=California, C=US.<br> at sun.security.util.DisabledAlgorithmConstraints$KeySizeConstraint.permits(DisabledAlgorithmConstraints.java:817)
{code}

Java:
{code}
$ java -version
openjdk version "1.8.0_181"
OpenJDK Runtime Environment (build 1.8.0_181-b13)
OpenJDK 64-Bit Server VM (build 25.181-b13, mixed mode)
{code}

akostadinov@java.net (JIRA)

Aug 28, 2018, 8:53:01 AM
to jenkinsc...@googlegroups.com
akostadinov updated an issue
I have applied the proposed fix from JENKINS-31089 and this is my line in `/usr/lib/jvm/java-openjdk/jre/lib/security/java.security`:
{code}
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 512, DSA keySize < 1024, EC keySize < 224
{code}

But still I'm seeing this in Jenkins 2.121.3 log:
{code}
Aug 28, 2018 3:20:15 PM hudson.model.UpdateSite updateData
SEVERE: ERROR: Signature verification failed in update site &#039;default&#039; <a href='#' class='showDetails'>(show details)</a><pre style='display:none'>java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits. RSA 1024bit key used with certificate: CN=Community Update Center, O=Jenkins Project, ST=California, C=US.<br> at sun.security.util.DisabledAlgorithmConstraints$KeySizeConstraint.permits(DisabledAlgorithmConstraints.java:817)
{code}

Java:
{code}
$ java -version
openjdk version "1.8.0_181"
OpenJDK Runtime Environment (build 1.8.0_181-b13)
OpenJDK 64-Bit Server VM (build 25.181-b13, mixed mode)
{code}

Attached `java.security` from Fedora 28, I can't spot any place where RSA 1024 is blocked.

akostadinov@java.net (JIRA)

Aug 28, 2018, 9:02:01 AM
to jenkinsc...@googlegroups.com
akostadinov commented on Bug JENKINS-53288
 
Re: Signature verification failed in update site 'default' (again)

OK, the issue was INFRA-1659: in Fedora 28 there is an additional file `/etc/crypto-policies/back-ends/java.config` that overrides settings in `java.security`, and it has `RSA keySize < 2048`. Setting this to `1024` resolved the issue. But it sounds like it is now time for the update center certificate to be updated to 4096 bits.
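
Added example (not part of the original thread, and not Jenkins or Fedora code): a small Python check that resolves which file supplies the effective `jdk.certpath.disabledAlgorithms` value and whether it rejects a given RSA key size. It assumes the override file sets the same property name and that a later file replaces the earlier value; the override file's content is a constructed sample, with only `RSA keySize < 2048` taken from the comment above.

```python
import operator
import re

KEY = "jdk.certpath.disabledAlgorithms"
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq, "!=": operator.ne}

# Constructed sample: the java.security line quoted in the report.
JAVA_SECURITY = r"""
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 512, DSA keySize < 1024, EC keySize < 224
"""
# Constructed sample for java.config; only "RSA keySize < 2048" is from the thread.
CRYPTO_POLICY = "jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 2048\n"

def load_properties(text):
    """Parse .properties text: '#'/'!' comments and backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    return props

def effective_value(key, *file_texts):
    """Return (file_index, value) from the last file defining key, or None."""
    found = None
    for idx, text in enumerate(file_texts):
        props = load_properties(text)
        if key in props:
            found = (idx, props[key])
    return found

def key_size_rejected(constraints, algorithm, bits):
    """True if an '<ALG> keySize <op> <n>' entry disables this key size."""
    for entry in constraints.split(","):
        m = re.fullmatch(r"\s*(\w+)\s+keySize\s*(<=|>=|==|!=|<|>)\s*(\d+)\s*", entry)
        if m and m.group(1).upper() == algorithm.upper():
            if OPS[m.group(2)](bits, int(m.group(3))):
                return True
    return False

if __name__ == "__main__":
    for files in ((JAVA_SECURITY,), (JAVA_SECURITY, CRYPTO_POLICY)):
        idx, value = effective_value(KEY, *files)
        print("winning file:", idx, "RSA 1024 rejected:", key_size_rejected(value, "RSA", 1024))
```

To use it on a real host, pass the contents of `java.security` first and `/etc/crypto-policies/back-ends/java.config` second.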

akostadinov@java.net (JIRA)

Aug 28, 2018, 9:06:01 AM
to jenkinsc...@googlegroups.com
akostadinov closed an issue as Duplicate
 
Change By: akostadinov
Status: Open → Closed
Resolution: Duplicate