Conversation

Member

@lemeurherve lemeurherve commented Jan 23, 2026

This change uses the GPG signature files now served from both pkg.jenkins.io and get.jenkins.io, and the new Jenkins PGP public key from 2026 (stored in this repository¹) to verify the Jenkins WAR signature on build.

Ref:

Testing done

$ make test

Submitter checklist

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests that demonstrate the feature works or the issue is fixed

Footnotes

  1. As that GPG public key is valid for 3 years and as builds will fail if expired, manually updating it when it arrives could be enough.

@lemeurherve lemeurherve force-pushed the verify-war-signature branch 17 times, most recently from 9e27a7a to 198d44f on January 24, 2026 11:14
@lemeurherve lemeurherve marked this pull request as ready for review January 24, 2026 11:48
@lemeurherve lemeurherve requested a review from a team as a code owner January 24, 2026 11:48
Comment on lines +51 to +54
# Not using ADD as it does not check Last-Modified header
# see https://github.com/docker/docker/issues/8331
RUN curl -fsSL "${WAR_URL}" -o /war/jenkins.war \
&& curl -fsSL "${WAR_URL}.asc" -o /war/jenkins.war.asc \
Contributor

@dduportal dduportal Jan 24, 2026

(nit) As per https://docs.docker.com/reference/dockerfile/#adding-files-from-a-url

If the HTTP response contains a Last-Modified header, the timestamp from that header will be used to set the mtime on the destination file. However, like any other file processed during an ADD, mtime isn't included in the determination of whether or not the file has changed and the cache should be updated.

=> we can totally delegate the file download to the Docker Engine with something like

Suggested change
# Not using ADD as it does not check Last-Modified header
# see https://github.com/docker/docker/issues/8331
RUN curl -fsSL "${WAR_URL}" -o /war/jenkins.war \
&& curl -fsSL "${WAR_URL}.asc" -o /war/jenkins.war.asc \
# Not using ADD as it does not check Last-Modified header
# see https://github.com/docker/docker/issues/8331
ADD "${WAR_URL}" /war/jenkins.war
ADD "${WAR_URL}.asc" /war/jenkins.war.asc
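
Review bot: the suggested block keeps the two comment lines "# Not using ADD as it does not check Last-Modified header" / "# see https://github.com/docker/docker/issues/8331" directly above the ADD instructions they argue against; drop them or reword them to say why ADD is acceptable here (the mtime taken from Last-Modified is not part of the cache key, so only a changed WAR_URL triggers a fresh download). Also, both replaced RUN lines end in a `\` continuation, so whatever `&&`-chained commands followed them in the original need to move into their own RUN instruction once the curl calls are replaced by ADD.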

Member Author

Nice!

I suggest doing this change for all downloads in all images in another pull request.

Contributor

> Nice!
>
> I suggest doing this change for all downloads in all images in another pull request.

Yup, totally agreed \o/
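A build-time verification step in the shape the PR description and this review thread discuss, added here as an illustration rather than taken from the repository's Dockerfile: it downloads the WAR and its detached signature with ADD, as suggested above, then verifies the signature in a throwaway keyring that holds only the key shipped in the repository. The base image, the key file name jenkins-2026.asc and the JENKINS_KEY_FPR build argument are assumptions.

```dockerfile
# Added example, not the PR's Dockerfile. Assumptions: the caller sets WAR_URL
# (as in the PR), the 2026 Jenkins public key is checked into the build context
# as jenkins-2026.asc (placeholder name), and JENKINS_KEY_FPR is the expected
# 40-hex-character fingerprint of that key (placeholder value).
FROM debian:bookworm-slim

RUN apt-get update && apt-get install -y --no-install-recommends gnupg \
    && rm -rf /var/lib/apt/lists/*

ARG WAR_URL
ARG JENKINS_KEY_FPR=REPLACE_WITH_EXPECTED_FINGERPRINT

# Delegate the download to the engine, as suggested in the review. A
# Last-Modified header only sets the file's mtime and never invalidates the
# layer cache, so a changed WAR_URL (a new version) is what forces a re-download.
ADD "${WAR_URL}" /war/jenkins.war
ADD "${WAR_URL}.asc" /war/jenkins.war.asc
COPY jenkins-2026.asc /tmp/jenkins-2026.asc

# Verify against a keyring that contains only the repository's key and require
# a GOODSIG status line: gpg reports EXPKEYSIG instead of GOODSIG when the
# signing key has expired, so an expired key fails the build explicitly (the
# expectation in the PR footnote) instead of relying on gpg's exit status alone.
# The VALIDSIG line is additionally pinned to the expected fingerprint.
RUN set -eu; \
    export GNUPGHOME="$(mktemp -d)"; \
    gpg --batch --import /tmp/jenkins-2026.asc; \
    status="$(gpg --batch --status-fd 1 --verify /war/jenkins.war.asc /war/jenkins.war)"; \
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG '; \
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG ${JENKINS_KEY_FPR} "; \
    rm -rf "$GNUPGHOME" /tmp/jenkins-2026.asc /war/jenkins.war.asc
```

Any failure in the RUN chain (bad or missing signature, wrong fingerprint, expired key) aborts the build, which is the behaviour the PR wants from the verification step.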

Contributor

@dduportal dduportal left a comment

🚀

@lemeurherve lemeurherve merged commit 857d526 into jenkinsci:master Jan 24, 2026
13 checks passed
@lemeurherve lemeurherve deleted the verify-war-signature branch January 24, 2026 19:05