How to check the integrity of a jenkins.war download?


Jens Wilke
Nov 10, 2015, 2:15:38 PM
to Jenkins Users
Hi all,

I am just reviewing and upgrading our Jenkins CI setup. What I found very irritating:

1. there seems no download instruction for the war
2. there is no way to check the integrity of a downloaded war file

What I found:
war files are at http://mirrors.jenkins-ci.org/war/. It is accessible via https, but with no "official" certificate.

Again, this site is available via https, but with no "official" certificate.

Did I miss something? Isn't there a way to download and check the integrity of Jenkins?

Cheers,

Jens


Victor Martinez
Nov 10, 2015, 4:25:51 PM
to Jenkins Users
Hi Jens,

Have you tried searching this Google group itself? There are some old threads:

You can find other similar threads if you search for "sha1" or "integrity", for instance.

Besides that, there is also another Jenkins group focused on security: https://groups.google.com/forum/#!forum/jenkinsci-advisories

In case you've got some security concerns, I wonder whether you can use the rpm/debian/other installations, which are based on gpg certificates:

In addition to that, have you considered compiling/generating the war file from the source code? You can fork the jenkins repo (https://github.com/jenkinsci/jenkins), check out the tag "jenkins-1.XYZ" and run 'mvn -Plight-test install' (https://wiki.jenkins-ci.org/display/JENKINS/Building+Jenkins), and then you can upload the generated files to your in-house artifactory/nexus/filesystem central repo and use the md5sum hash validation.

Maybe someone else can provide further details about the https certificate.

I hope it helps

Cheers

Stephen Connolly
Nov 10, 2015, 5:25:00 PM
to jenkins...@googlegroups.com

$ jarsigner -verbose -certs -verify jenkins.war

That should give a Jar file that has been signed by

      X.509, CN=Kohsuke Kawaguchi, O=Kohsuke Kawaguchi, STREET=4438 Hilton Ave, L=San Jose, ST=California, OID.2.5.4.17=95130, C=US
      [certificate expired on 19/07/15 00:59]
      X.509, CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
      [certificate is valid from 24/08/11 01:00 to 30/05/20 11:48]
      X.509, CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
      [certificate is valid from 07/06/05 09:09 to 30/05/20 11:48]

or

      X.509, CN=Infradna Inc (Kohsuke Kawaguchi), O=Infradna Inc (Kohsuke Kawaguchi), STREET=4438 Hilton Ave, L=San Jose, ST=California, OID.2.5.4.17=95130, C=US
      [certificate is valid from 23/07/15 01:00 to 23/07/20 00:59]
      X.509, CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
      [certificate is valid from 09/05/13 01:00 to 09/05/28 00:59]
      X.509, CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
      [certificate is valid from 30/05/00 11:48 to 30/05/20 11:48]
      X.509, CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
      [certificate is valid from 30/05/00 11:48 to 30/05/20 11:48]

HTH

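Stephen's command proves the archive carries a valid signature, but jarsigner does not know who should have signed it: a war re-signed with any valid certificate also prints "jar verified." The following is an added example, not code from the thread or from the Jenkins project, that runs the same command and accepts the war only when it verified and the leaf signer DN matches one of the two quoted above; SAMPLE_OK is a constructed string in the shape of that output, not a real capture.

```python
"""Added helper: accept a jenkins.war only if `jarsigner -verbose -certs -verify`
verifies it AND the leaf signer is one we expect, since jarsigner alone proves only
that *someone* signed it. SAMPLE_OK is constructed from the thread's certificate lines."""
import re
import subprocess

# Signer DNs from the thread. A validly signed war carrying any other leaf
# certificate (for example a self-signed rebuild) must be rejected.
TRUSTED_SIGNERS = {
    "CN=Kohsuke Kawaguchi, O=Kohsuke Kawaguchi, STREET=4438 Hilton Ave, "
    "L=San Jose, ST=California, OID.2.5.4.17=95130, C=US",
    "CN=Infradna Inc (Kohsuke Kawaguchi), O=Infradna Inc (Kohsuke Kawaguchi), "
    "STREET=4438 Hilton Ave, L=San Jose, ST=California, OID.2.5.4.17=95130, C=US",
}
# One "X.509, CN=..." line per certificate in the printed chain.
CERT_RE = re.compile(r"^\s*X\.509,\s*(CN=.*\S)\s*$", re.MULTILINE)


def check_output(output: str) -> tuple:
    """Return (accepted, reason) for the stdout of one jarsigner run."""
    if "jar verified." not in output:
        return False, "jar is unsigned or its signature did not verify"
    signers = set(CERT_RE.findall(output))
    trusted = signers & TRUSTED_SIGNERS
    if not trusted:
        return False, "valid signature, but untrusted signer(s): %s" % sorted(signers)
    reason = "signed by " + sorted(trusted)[0]
    if "[certificate expired" in output:
        # jarsigner still reports "verified"; surface it for the operator
        reason += " (signer certificate has expired, review before trusting)"
    return True, reason


def check_war(path: str = "jenkins.war") -> tuple:
    """Run jarsigner on a downloaded war and apply check_output to its output."""
    proc = subprocess.run(["jarsigner", "-verbose", "-certs", "-verify", path],
                          capture_output=True, text=True)
    return check_output(proc.stdout + proc.stderr)


# Constructed sample in the shape of jarsigner -verbose -certs -verify output.
SAMPLE_OK = """s 1234 Tue Nov 10 12:00:00 UTC 2015 META-INF/MANIFEST.MF
      X.509, CN=Infradna Inc (Kohsuke Kawaguchi), O=Infradna Inc (Kohsuke Kawaguchi), STREET=4438 Hilton Ave, L=San Jose, ST=California, OID.2.5.4.17=95130, C=US
      [certificate is valid from 23/07/15 01:00 to 23/07/20 00:59]
      X.509, CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
      [certificate is valid from 09/05/13 01:00 to 09/05/28 00:59]
jar verified.
"""
SAMPLE_UNSIGNED = "jar is unsigned. (signatures missing or not parsable)\n"
```

Call `check_war("/path/to/jenkins.war")` on a machine with a JDK; a war that verifies but is signed by someone outside TRUSTED_SIGNERS is rejected rather than trusted on the strength of "jar verified." alone.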

Jens Wilke
Nov 12, 2015, 12:21:30 PM
to Jenkins Users
On Tuesday, November 10, 2015 at 2:25:00 PM UTC-8, Stephen Connolly wrote:
> $ jarsigner -verbose -certs -verify jenkins.war

Thanks Stephen!