GPG signatures on http://repo.jenkins-ci.org/ incorrect?


Steven Clark
Hello all,

Is anyone else aware that the GPG signatures seem to be faulty on the repo? Or am I not verifying them correctly?

gpg --verify jenkins-war-1.651.1.war.asc jenkins-war-1.651.1.war
gpg: Signature made Thu 14 Apr 2016 01:05:31 AM EDT using DSA key ID D50582E6
gpg: BAD signature from "Kohsuke Kawaguchi <[hidden email]>"


The files seem ok according to the sha1 files as well.

cat jenkins-war-1.651.1.war.sha1
31fcae60edba2ecb6c380c59f374761723981283

sha1sum jenkins-war-1.651.1.war
31fcae60edba2ecb6c380c59f374761723981283  jenkins-war-1.651.1.war

cat jenkins-war-1.651.1.war.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEABECAAYFAlcPJRsACgkQm30y8tUFgubFegCeMp4oYrIZxbhKLMrzsFhEIxet
wfAAniNy42DycpcdSuuubZngegbJiCYp
=PVM5
-----END PGP SIGNATURE-----

cat jenkins-war-1.651.1.war.asc.sha1
5a3f4bf88da314079dfbc269f6ac0b359cc96938

sha1sum jenkins-war-1.651.1.war.asc
5a3f4bf88da314079dfbc269f6ac0b359cc96938  jenkins-war-1.651.1.war.asc

-Steven

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/7856451d-4ca4-49c8-9c49-c511252579c7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: GPG signatures on http://repo.jenkins-ci.org/ incorrect?

Daniel Beck

> On 22.04.2016, at 17:02, Steven Clark <[hidden email]> wrote:
>
> Is anyone else aware that the GPG signatures seem to be faulty on the repo? Or am I not verifying them correctly?

You're right. Something's wrong with KK's machine doing the signing (his local Maven repo is affected as well). I'm filing INFRA issues so we get this fixed.

Note that `jarsigner --verify` still works, so there's still a code integrity check you can do.


Re: GPG signatures on http://repo.jenkins-ci.org/ incorrect?

Kohsuke Kawaguchi
Administrator
I figured out what was wrong. During the release process, GPG signing happened before jarsigner happened.

jarsigner inserts the signature into the war file, which changes the war. So the signature became invalid.

In the 2.0 release, jarsigner somehow ran before gpg, so it produced the correct signature.

I don't know how to force this ordering in Maven. I'll ask around.


On Friday, April 22, 2016 at 3:03:08 PM UTC-7, Daniel Beck wrote:

> On 22.04.2016, at 17:02, Steven Clark <[hidden email]> wrote:
>
> Is anyone else aware that the GPG signatures seem to be faulty on the repo? Or am I not verifying them correctly?

You're right. Something's wrong with KK's machine doing the signing (his local Maven repo is affected as well). I'm filing INFRA issues so we get this fixed.

Note that `jarsigner --verify` still works, so there's still a code integrity check you can do.

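A constructed simulation of the ordering problem Kohsuke describes, added here as an example (it is not Jenkins' release tooling): an HMAC over the archive bytes stands in for the GPG detached signature, and appending META-INF signature entries to the zip stands in for jarsigner. Running the two steps in the 1.651.1 order (gpg, then jarsigner) yields a .asc that no longer verifies against the published .war; the 2.0 order (jarsigner, then gpg) verifies.

```python
import hashlib
import hmac
import io
import zipfile

RELEASE_KEY = b"constructed-release-signing-key"  # constructed stand-in for the GPG key

def build_war() -> bytes:
    """Build a tiny constructed war-like zip archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("WEB-INF/web.xml", "<web-app/>\n")
    return buf.getvalue()

def gpg_sign(archive: bytes) -> bytes:
    """Detached signature over the exact archive bytes (HMAC stands in for GPG)."""
    return hmac.new(RELEASE_KEY, archive, hashlib.sha256).digest()

def gpg_verify(archive: bytes, signature: bytes) -> bool:
    """Equivalent of `gpg --verify file.asc file`: the bytes must match exactly."""
    return hmac.compare_digest(gpg_sign(archive), signature)

def jarsigner(archive: bytes) -> bytes:
    """Stand-in for jarsigner: add signature entries inside the archive.
    The archive bytes change, so a detached signature made earlier breaks."""
    buf = io.BytesIO(archive)
    with zipfile.ZipFile(buf, "a", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\n")
        zf.writestr("META-INF/SIGNER.RSA", b"constructed-pkcs7-blob")
    return buf.getvalue()

def has_jar_signature(archive: bytes) -> bool:
    """Rough stand-in for `jarsigner -verify`: are the signature entries present?"""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return "META-INF/SIGNER.SF" in zf.namelist()

def release(gpg_first: bool) -> bool:
    """Run both signing steps in the given order; return whether the
    published .asc verifies against the published .war."""
    war = build_war()
    if gpg_first:  # the 1.651.1 ordering: gpg, then jarsigner
        asc = gpg_sign(war)
        war = jarsigner(war)
    else:  # the 2.0 ordering: jarsigner, then gpg
        war = jarsigner(war)
        asc = gpg_sign(war)
    return gpg_verify(war, asc)
```

The jar-level signature survives either ordering, which is why `jarsigner -verify` still passes on the affected 1.651.1 war while `gpg --verify` reports BAD signature.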

Re: GPG signatures on http://repo.jenkins-ci.org/ incorrect?

Steven Clark


On Friday, April 22, 2016 at 6:03:08 PM UTC-4, Daniel Beck wrote:

> On 22.04.2016, at 17:02, Steven Clark <[hidden email]> wrote:
>
> Is anyone else aware that the GPG signatures seem to be faulty on the repo? Or am I not verifying them correctly?

You're right. Something's wrong with KK's machine doing the signing (his local Maven repo is affected as well). I'm filing INFRA issues so we get this fixed.

Note that `jarsigner --verify` still works, so there's still a code integrity check you can do.


Great, thanks for following up and letting me know about jarsigner as a workaround for now.

Regards,
-Steven
