Add .war.asc to get.jenkins.io #4055

Open
basil opened this issue Apr 19, 2024 · 0 comments · May be fixed by jenkinsci/packaging#462
Comments

basil commented Apr 19, 2024

Service(s)

get.jenkins.io

Summary

Compare https://get.jenkins.io/war/2.449/ with https://repo.jenkins-ci.org/artifactory/releases/org/jenkins-ci/main/jenkins-war/2.449/ — the latter contains a .war.asc file with the GPG signature while the former does not. It would be useful to include the signature so that it could be fetched from https://github.com/jenkinsci/jenkins/blob/91c7724136bdfee0de0f81132c1bf5c04b2eb7ef/.github/workflows/publish-release-artifact.yml#L56-L73 and thus included in e.g. https://github.com/jenkinsci/jenkins/releases/tag/jenkins-2.454 to satisfy https://github.com/ossf/scorecard/blob/39b56e809b2245c2c63d591f38fa5e39d0c67bbc/docs/checks.md#signed-releases.

Reproduction steps

No response

@basil basil added the triage Incoming issues that need review label Apr 19, 2024
@MarkEWaite MarkEWaite removed the triage Incoming issues that need review label Apr 30, 2024
@MarkEWaite MarkEWaite self-assigned this Apr 30, 2024
MarkEWaite added a commit to MarkEWaite/packaging that referenced this issue Apr 30, 2024
Fixes jenkins-infra/helpdesk#4055

Since get.jenkins.io already includes the SHA-256 checksum file for the
war file and it is copied to two destinations in this script, it seems
like a good place to copy the ASCII-armored PGP signatures for the war
at the same time.

The sha256 file shows that the file downloaded by the user is the same
file that was uploaded.

The asc file shows that the uploaded file was signed by the Jenkins PGP
signing key.

Confirmed that the 2.456 asc matches the war file with:

# Import the Jenkins release signing key, then verify the detached ASCII-armored
# signature. Given only the .asc, gpg strips the extension and looks for the signed
# data in jenkins.war next to it, which is why the .asc is renamed first.
$ wget https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key
$ gpg --import jenkins.io-2023.key
$ wget https://get.jenkins.io/war/2.456/jenkins.war
$ wget https://repo.jenkins-ci.org/artifactory/releases/org/jenkins-ci/main/jenkins-war/2.456/jenkins-war-2.456.war.asc
$ mv jenkins-war-2.456.war.asc jenkins.war.asc
$ gpg --verify jenkins.war.asc

Confirmed that the script changes worked as expected with the following
commands:

# Scratch directories standing in for the agent workdir, the source directory
# and the two publish destinations that war/publish/publish.sh writes to.
MY_WORKDIR=$(mktemp -d)
echo "My work directory is ${MY_WORKDIR}"

AGENT_WORKDIR="${MY_WORKDIR}/agent-workdir"
SRCDIR="${MY_WORKDIR}/src-dir"
WARDIR="${MY_WORKDIR}/dest-war-dir"
WAR_WEBDIR="${MY_WORKDIR}/dest-war-webdir"
export AGENT_WORKDIR SRCDIR WARDIR WAR_WEBDIR
mkdir -p "${AGENT_WORKDIR}" "${SRCDIR}" "${WARDIR}" "${WAR_WEBDIR}"

# Release metadata and input file locations the script reads from its environment.
ARTIFACTNAME=jenkins
BASE=$(pwd)
SSH_OPTS=
VERSION=2.456
WAR="${SRCDIR}/jenkins.war"
WAR_SHASUM="${SRCDIR}/jenkins.war.sha256"
export ARTIFACTNAME BASE VERSION SSH_OPTS WAR WAR_SHASUM

# Point the package server at localhost so nothing leaves this machine.
PKGSERVER=localhost
export PKGSERVER

# Fetch the war, its SHA-256 file and the detached signature into SRCDIR.
(cd "${SRCDIR}" && wget "https://get.jenkins.io/war/${VERSION}/jenkins.war")
(cd "${SRCDIR}" && wget "https://get.jenkins.io/war/${VERSION}/jenkins.war.sha256")
(cd "${SRCDIR}" && wget "https://repo.jenkins-ci.org/artifactory/releases/org/jenkins-ci/main/jenkins-war/${VERSION}/jenkins-war-${VERSION}.war.asc" && mv "jenkins-war-${VERSION}.war.asc" jenkins.war.asc)

echo "WARDIR contents before publish:" && ls "${WARDIR}"
echo
bash -v war/publish/publish.sh
echo "WARDIR contents after publish:" && ls "${WARDIR}/"
echo "WARDIR/VERSION contents after publish:" && ls "${WARDIR}/${VERSION}/"
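The commit message above draws the distinction a consumer of get.jenkins.io needs: the .sha256 proves the bytes arrived intact, the .asc proves who signed them. The script below, an added example that is not code from the Jenkins project or from this commit, carries both checks out for a downloaded jenkins.war. It assumes (nothing on this page says so) that the .sha256 file holds either a bare hex digest or a sha256sum-style line ("<hex>  jenkins.war"), and it takes the public key file and the expected signing-key fingerprint as arguments; the real fingerprint is not on this page, so the placeholder in the usage comment must be replaced from the Jenkins key documentation. Two choices differ from the one-liner in the commit message: the key is imported into a throwaway GNUPGHOME rather than the user's keyring, and the signer's primary-key fingerprint is compared against the expected value, because `gpg --verify` reports "Good signature" for any key that happens to be in the keyring.

```shell
#!/bin/sh
# Added example, not Jenkins project code: verify a downloaded jenkins.war with
# both its SHA-256 checksum file and its detached PGP signature, pinning the
# signing key's fingerprint. Assumptions (not taken from the page): the .sha256
# file is a bare hex digest or sha256sum-style "<hex>  <name>", and the caller
# supplies the public key file plus the expected primary-key fingerprint.
set -eu

# Hex SHA-256 digest of a file: coreutils sha256sum, else BSD/perl shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# check_sha256 FILE SHA256FILE: succeeds only if the first field of the first
# line of SHA256FILE equals FILE's digest. A file name recorded after the
# digest is ignored, so a renamed download still verifies.
check_sha256() {
    expected=$(awk 'NR==1 {print tolower($1)}' "$2")
    actual=$(sha256_of "$1")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# normalize_fpr FPR: upper-case hex with display spaces removed.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# signer_fingerprint_from_status: read "gpg --status-fd" output on stdin and
# print the primary-key fingerprint, which is the last field of the VALIDSIG
# line. Exits 1 when no VALIDSIG line is present (BADSIG, ERRSIG, no output).
signer_fingerprint_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; found = 1 }
         END { exit !found }'
}

# check_signature WAR ASC PUBKEYFILE EXPECTED_FPR: verify the detached signature
# in a throwaway GNUPGHOME that holds only PUBKEYFILE, name the data file
# explicitly instead of letting gpg derive it from the .asc name, and require
# the signing key's fingerprint to equal EXPECTED_FPR. The fingerprint
# comparison is the trust decision; "Good signature" alone only says some
# key in the keyring made the signature.
check_signature() {
    war=$1; asc=$2; pubkey=$3; want=$(normalize_fpr "$4")
    home=$(mktemp -d)
    rc=1
    if GNUPGHOME="$home" gpg --batch --quiet --import "$pubkey" 2>/dev/null; then
        got=$(GNUPGHOME="$home" gpg --batch --status-fd 1 --verify "$asc" "$war" 2>/dev/null \
              | signer_fingerprint_from_status) || got=
        if [ -n "$got" ] && [ "$got" = "$want" ]; then
            rc=0
        fi
    fi
    GNUPGHOME="$home" gpgconf --kill all >/dev/null 2>&1 || true
    rm -rf "$home"
    return $rc
}

# verify_war WAR SHA256FILE ASC PUBKEYFILE EXPECTED_FPR: both checks must pass.
verify_war() {
    check_sha256 "$1" "$2" || { echo "SHA-256 mismatch for $1" >&2; return 1; }
    check_signature "$1" "$3" "$4" "$5" || { echo "signature check failed for $1" >&2; return 1; }
    echo "OK: $1 matches $2 and is signed by $(normalize_fpr "$5")"
}

# Usage (the fingerprint is a placeholder; take the real value from the
# Jenkins key documentation, it is not known from this page):
#   sh verify-war.sh jenkins.war jenkins.war.sha256 jenkins.war.asc \
#      jenkins.io-2023.key 'XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX'
if [ $# -eq 5 ]; then
    verify_war "$@"
fi
```

The one-argument `gpg --verify jenkins.war.asc` in the commit message works because gpg guesses the data file from the signature's name; passing both names removes the guess. Parsing the VALIDSIG status line rather than the human-readable "Good signature from ..." text is what makes the check scriptable, since the status format is stable and the fingerprint in it is the primary key's, not a subkey's.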
4 participants