Fixes jenkins-infra/helpdesk#4055
Since get.jenkins.io already includes the SHA-256 checksum file for the
war file and it is copied to two destinations in this script, it seems
like a good place to copy the ASCII-armored PGP signatures for the war
at the same time.
The sha256 file shows that the file downloaded by the user is the same
file that was uploaded.
The asc file shows that the uploaded file was signed by the Jenkins PGP
signing key.
Confirmed that the 2.456 asc matches the war file with:

```sh
$ wget https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key
$ gpg --import jenkins.io-2023.key
$ wget https://get.jenkins.io/war/2.456/jenkins.war
$ wget https://repo.jenkins-ci.org/artifactory/releases/org/jenkins-ci/main/jenkins-war/2.456/jenkins-war-2.456.war.asc
$ mv jenkins-war-2.456.war.asc jenkins.war.asc
$ gpg --verify jenkins.war.asc
```
Confirmed that the script changes worked as expected with the following
commands:

```sh
MY_WORKDIR=$(mktemp -d)
echo My work directory is $MY_WORKDIR
AGENT_WORKDIR=${MY_WORKDIR}/agent-workdir
SRCDIR=${MY_WORKDIR}/src-dir
WARDIR=${MY_WORKDIR}/dest-war-dir
WAR_WEBDIR=${MY_WORKDIR}/dest-war-webdir
export AGENT_WORKDIR SRCDIR WARDIR WAR_WEBDIR
mkdir -p ${AGENT_WORKDIR} ${SRCDIR} ${WARDIR} ${WAR_WEBDIR}
ARTIFACTNAME=jenkins
BASE=$(pwd)
SSH_OPTS=
VERSION=2.456
WAR=${SRCDIR}/jenkins.war
WAR_SHASUM=${SRCDIR}/jenkins.war.sha256
export ARTIFACTNAME BASE VERSION SSH_OPTS WAR WAR_SHASUM
PKGSERVER=localhost
export PKGSERVER
(cd $SRCDIR && wget https://get.jenkins.io/war/${VERSION}/jenkins.war)
(cd $SRCDIR && wget https://get.jenkins.io/war/${VERSION}/jenkins.war.sha256)
(cd $SRCDIR && wget https://repo.jenkins-ci.org/artifactory/releases/org/jenkins-ci/main/jenkins-war/${VERSION}/jenkins-war-${VERSION}.war.asc && mv jenkins-war-${VERSION}.war.asc jenkins.war.asc)
echo "WARDIR contents before publish:" && ls ${WARDIR}
echo
bash -v war/publish/publish.sh
echo "WARDIR contents after publish:" && ls ${WARDIR}/
echo "WARDIR/VERSION contents after publish:" && ls ${WARDIR}/${VERSION}/
```
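The property the script change is meant to preserve is that a war never lands in a destination directory without the sha256 and asc files that let a downloader check it. The following is an added example, not the repository's war/publish/publish.sh: a POSIX sh publish step that copies all three files to both destinations in one step and refuses to publish when the checksum file does not match the war or the .asc is not an ASCII-armored PGP block. It assumes a `<dir>/<version>/` layout at both destinations, that the war and its checksum file sit in the same directory (as SRCDIR does above), and a checksum file in the `<sha256>  jenkins.war` form that `sha256sum -c` reads; the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example, not the publish.sh from this repository. Copies the war,
# its .sha256 file and its .asc signature to two destinations together,
# refusing to publish when a pre-publish check fails.
# Assumed (not from the PR): destination layout <dir>/<version>/, war and
# checksum file in the same directory, "<sha256>  jenkins.war" file format.
set -eu

# publish_war_artifacts WAR WAR_SHASUM WAR_ASC WARDIR WAR_WEBDIR VERSION
# Returns 0 on success, 1 when a check fails (nothing is copied then).
publish_war_artifacts() {
  war=$1; shasum=$2; asc=$3; wardir=$4; webdir=$5; version=$6

  # 1. The checksum file must match the war we are about to publish.
  #    sha256sum -c resolves the name inside the checksum file relative
  #    to the current directory, so run it next to the war.
  if ! (cd "$(dirname "$war")" && sha256sum -c --status "$(basename "$shasum")"); then
    echo "refusing to publish: $shasum does not match $war" >&2
    return 1
  fi

  # 2. The signature must at least be a PGP armored block. Full gpg
  #    --verify is the downloader's job (it needs the Jenkins public key),
  #    but an empty file or a saved HTML error page must never ship as .asc.
  if ! grep -q '^-----BEGIN PGP SIGNATURE-----' "$asc"; then
    echo "refusing to publish: $asc is not an ASCII-armored signature" >&2
    return 1
  fi

  # 3. Copy all three files to both destinations in the same step, so a
  #    version directory never holds a war without its checksum and signature.
  for dest in "$wardir/$version" "$webdir/$version"; do
    mkdir -p "$dest"
    cp "$war" "$shasum" "$asc" "$dest/"
  done
  return 0
}
```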
Service(s)

get.jenkins.io

Summary

Compare https://get.jenkins.io/war/2.449/ with https://repo.jenkins-ci.org/artifactory/releases/org/jenkins-ci/main/jenkins-war/2.449/ — the latter contains a `.war.asc` file with the GPG signature while the former does not. It would be useful to include the signature so that it could be fetched from https://github.com/jenkinsci/jenkins/blob/91c7724136bdfee0de0f81132c1bf5c04b2eb7ef/.github/workflows/publish-release-artifact.yml#L56-L73 and thus included in e.g. https://github.com/jenkinsci/jenkins/releases/tag/jenkins-2.454 to satisfy https://github.com/ossf/scorecard/blob/39b56e809b2245c2c63d591f38fa5e39d0c67bbc/docs/checks.md#signed-releases.

Reproduction steps

No response