Copy PGP signature to get.jenkins.io #462
Conversation
Fixes jenkins-infra/helpdesk#4055 Since get.jenkins.io already includes the SHA-256 checksum file for the war file and it is copied to two destinations in this script, it seems like a good place to copy the ASCII-armored PGP signatures for the war at the same time. The sha256 file shows that the file downloaded by the user is the same file that was uploaded. The asc file shows that the uploaded file was signed by the Jenkins PGP signing key. Confirmed that the 2.456 asc matches the war file with: $ wget https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key $ gpg --import jenkins.io-2023.key $ wget https://get.jenkins.io/war/2.456/jenkins.war $ wget https://repo.jenkins-ci.org/artifactory/releases/org/jenkins-ci/main/jenkins-war/2.456/jenkins-war-2.456.war.asc $ mv jenkins-war-2.456.war.asc jenkins.war.asc $ gpg --verify jenkins.war.asc Confirmed that the script changes worked as expected with the following commands: MY_WORKDIR=$(mktemp -d) echo My work directory is $MY_WORKDIR AGENT_WORKDIR=${MY_WORKDIR}/agent-workdir SRCDIR=${MY_WORKDIR}/src-dir WARDIR=${MY_WORKDIR}/dest-war-dir WAR_WEBDIR=${MY_WORKDIR}/dest-war-webdir export AGENT_WORKDIR SRCDIR WARDIR WAR_WEBDIR mkdir -p ${AGENT_WORKDIR} ${SRCDIR} ${WARDIR} ${WAR_WEBDIR} ARTIFACTNAME=jenkins BASE=$(pwd) SSH_OPTS= VERSION=2.456 WAR=${SRCDIR}/jenkins.war WAR_SHASUM=${SRCDIR}/jenkins.war.sha256 export ARTIFACTNAME BASE VERSION SSH_OPTS WAR WAR_SHASUM PKGSERVER=localhost export PKGSERVER (cd $SRCDIR && wget https://get.jenkins.io/war/${VERSION}/jenkins.war) (cd $SRCDIR && wget https://get.jenkins.io/war/${VERSION}/jenkins.war.sha256) (cd $SRCDIR && wget https://repo.jenkins-ci.org/artifactory/releases/org/jenkins-ci/main/jenkins-war/${VERSION}/jenkins-war-${VERSION}.war.asc && mv jenkins-war-${VERSION}.war.asc jenkins.war.asc) echo "WARDIR contents before publish:" && ls ${WARDIR} echo bash -v war/publish/publish.sh echo "WARDIR contents after publish:" && ls ${WARDIR}/ echo "WARDIR/VERSION contents after publish:" && ls ${WARDIR}/${VERSION}/
There was a problem hiding this comment.
Have you verified the two callers (https://github.com/jenkinsci/packaging/blob/0f615197fb8721509f673f8d7d60d91d073e639e/prep.sh and the corresponding code in jenkins-infra/release pending
Lines 5 to 9 in 0f61519
.asc file as input to this script?
I attempted to verify the utils/release.bash caller by downloading the 2.456 console output from the release job. It includes the following output lines: I believe those lines correspond to the definition of I haven't confirmed that the prep.sh script provides the |
|
But those lines you referenced are executed by the Those publish scripts in the The actual entrypoint, like the one in the For the above reason, my blocking review remains. |
|
Suggested solution is to replace the call to As an alternative strategy, a prerequisite refactoring could be first performed to factor the However, since the duplicate code already exists today, I wouldn't insist on that refactoring as part of my blocking review. It would certainly suffice to change the duplicate code in both places, and postpone the refactoring to a future time. |
I like that approach. I'll plan to implement that approach. |
Copy PGP signature of war file to get.jenkins.io
Fixes jenkins-infra/helpdesk#4055
Since get.jenkins.io already includes the SHA-256 checksum file for the war file and it is copied to two destinations in this script, it seems like a good place to copy the ASCII-armored PGP signatures for the war at the same time.
The sha256 file shows that the file downloaded by the user is the same file that was uploaded.
The asc file shows that the uploaded file was signed by the Jenkins PGP signing key.
Testing done
Confirmed that the 2.456 asc matches the war file with:
Confirmed that the script changes worked as expected with the following commands:
Submitter checklist