When downloading some files where the file extension is .pkg (e.g. artifact.pkg) but the file is downloaded with a .zip extension. The files in question, when uploaded by Jenkins, are stored with the metadata Content-Type application/zip. Other files with different MIME types are unaffected. This only appears to be an issue when downloaded using the magic link generated by Jenkins (with a short lived token), not when downloaded from MinIO without the additional magic link (or through the web console).
For e.g.:
https://minio-api.domain.com/jenkins-builds/5/artifact.pkg?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20250731T183125Z&X-Amz-SignedHeaders=host&X-Amz-Credential=----------E7P15%2F20250731%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=3600&X-Amz-Signature=3c295c792518c9440cb0a4e3544055-----------------------
results in artifact.zip being downloaded
https://minio-api.domain.com/jenkins-builds/5/artifact.pkg results in artifact.pkg being downloaded
(Actual URLs obfuscated, secrets partially obfuscated with dashes)
In our case an easy mitigation would be be to let us specify anonymous download in Artifact Manager settings, letting users download the artifacts anonymously without creating a massive link with embedded credentials, however, this wouldn't fix the root cause.
Originally reported by ajaincdsc, imported from: S3 Artifact Manager file extension changes on download
- status: Open
- priority: Major
- component(s): artifact-manager-s3-plugin
- resolution: Unresolved
- votes: 1
- watchers: 2
- imported: 2025-12-02
Raw content of original issue
When downloading some files where the file extension is .pkg (e.g. artifact.pkg) but the file is downloaded with a .zip extension. The files in question, when uploaded by Jenkins, are stored with the metadata Content-Type application/zip. Other files with different MIME types are unaffected. This only appears to be an issue when downloaded using the magic link generated by Jenkins (with a short lived token), not when downloaded from MinIO without the additional magic link (or through the web console).
For e.g.:
https://minio-api.domain.com/jenkins-builds/5/artifact.pkg?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20250731T183125Z&X-Amz-SignedHeaders=host&X-Amz-Credential=----------E7P15%2F20250731%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=3600&X-Amz-Signature=3c295c792518c9440cb0a4e3544055-----------------------
results in artifact.zip being downloaded
https://minio-api.domain.com/jenkins-builds/5/artifact.pkg results in artifact.pkg being downloaded
(Actual URLs obfuscated, secrets partially obfuscated with dashes)
In our case an easy mitigation would be be to let us specify anonymous download in Artifact Manager settings, letting users download the artifacts anonymously without creating a massive link with embedded credentials, however, this wouldn't fix the root cause.
environment
Jenkins 2.504.3 running in Docker on Debian 12 using the official jenkins/jenkins:2.504.3-lts image accessed through Traefik reverse proxy to handle HTTPS<br/>
S3 backend - MinIO running in Docker (quay.io/minio/minio:RELEASE.2025-04-22T22-12-26Z) accessed through Traefik reverse proxy to handle HTTPS <br/>
Jenkins: 2.504.3<br/>
OS: Linux - 6.1.0-37-amd64<br/>
Java: 21.0.7 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)<br/>
---<br/>
ArtifactoryArtifactManager:1.3.1<br/>
Office-365-Connector:5.1.0<br/>
ace-editor:1.1<br/>
active-directory:2.40<br/>
analysis-model-api:13.7.0<br/>
ant:513.vde9e7b_a_0da_0f<br/>
antisamy-markup-formatter:173.v680e3a_b_69ff3<br/>
apache-httpcomponents-client-4-api:4.5.14-269.vfa_2321039a_83<br/>
apache-httpcomponents-client-5-api:5.5-150.veb_76e719855b_<br/>
artifact-manager-s3:949.v2567c4c52d79<br/>
artifactory:4.0.8<br/>
asm-api:9.8-163.vb_2a_96d3f9c3c<br/>
authentication-tokens:1.131.v7199556c3004<br/>
aws-credentials:248.v78a_dcfc9db_ff<br/>
aws-global-configuration:146.vfcec61593eea_<br/>
aws-java-sdk-ec2:1.12.780-480.v4a_0819121a_9e<br/>
aws-java-sdk-minimal:1.12.780-480.v4a_0819121a_9e<br/>
aws-java-sdk2-core:2.31.63-54.vcf1e5a_c56c49<br/>
aws-java-sdk2-ec2:2.31.63-54.vcf1e5a_c56c49<br/>
aws-java-sdk2-s3:2.31.63-54.vcf1e5a_c56c49<br/>
blueocean:1.27.21<br/>
blueocean-autofavorite:1.2.5<br/>
blueocean-bitbucket-pipeline:1.27.21<br/>
blueocean-commons:1.27.21<br/>
blueocean-config:1.27.21<br/>
blueocean-core-js:1.27.21<br/>
blueocean-dashboard:1.27.21<br/>
blueocean-display-url:2.4.4<br/>
blueocean-events:1.27.21<br/>
blueocean-git-pipeline:1.27.21<br/>
blueocean-github-pipeline:1.27.21<br/>
blueocean-i18n:1.27.21<br/>
blueocean-jira:1.27.21<br/>
blueocean-jwt:1.27.21<br/>
blueocean-personalization:1.27.21<br/>
blueocean-pipeline-api-impl:1.27.21<br/>
blueocean-pipeline-editor:1.27.21<br/>
blueocean-pipeline-scm-api:1.27.21<br/>
blueocean-rest:1.27.21<br/>
blueocean-rest-impl:1.27.21<br/>
blueocean-web:1.27.21<br/>
bootstrap5-api:5.3.7-1<br/>
bouncycastle-api:2.30.1.80-261.v00c0e2618ec3<br/>
branch-api:2.1235.v04e86c7ce54c<br/>
build-monitor-plugin:1.14-985.v7b_f37b_3d0b_f5<br/>
build-timeout:1.38<br/>
build-timestamp:1.1.0<br/>
built-on-column:1.5<br/>
caffeine-api:3.2.2-178.v353b_8428ed56<br/>
checks-api:373.vfe7645102093<br/>
cloud-stats:377.vd8a_6c953e98e<br/>
cloudbees-bitbucket-branch-source:936.4.4<br/>
cloudbees-folder:6.1036.vb_94fd035b_287<br/>
command-launcher:123.v37cfdc92ef67<br/>
commons-collections4-api:4.5.0-8.va_d5448ef9011<br/>
commons-compress-api:1.27.1-3<br/>
commons-lang3-api:3.18.0-98.v3a_674c06072d<br/>
commons-text-api:1.14.0-194.v804a_dc3a_1b_d8<br/>
conditional-buildstep:1.5.0<br/>
config-file-provider:988.v0461fcc2b_9d1<br/>
copyartifact:770.va_6c69e063442<br/>
credentials:1419.v2337d1ceceef<br/>
credentials-binding:702.vfe613e537e88<br/>
dashboard-view:2.537.v5132851f6ca_f<br/>
data-tables-api:2.3.2-3<br/>
display-url-api:2.209.v582ed814ff2f<br/>
docker-commons:457.v0f62a_94f11a_3<br/>
docker-java-api:3.5.2-119.v54c784c71fa_3<br/>
docker-plugin:1274.vc0203fdf2e74<br/>
docker-workflow:621.va_73f881d9232<br/>
doxygen:178.v6ea_ef5f7dfdb<br/>
dtkit-api:3.0.3<br/>
durable-task:595.ve87b_f1318d67<br/>
echarts-api:5.6.0-5<br/>
eddsa-api:0.3.0.1-19.vc432d923e5ee<br/>
email-ext:1922.v5c93c9e80a_f9<br/>
envinject:2.926.v69c9b_3896a_96<br/>
envinject-api:1.235.va_14c74f8f487<br/>
external-monitor-job:223.vb_fddcf42c9b_3<br/>
favorite:2.237.v79163ca_8b_892<br/>
file-operations:353.vf3b_9b_a_f1f7f7<br/>
font-awesome-api:7.0.0-1<br/>
forensics-api:3.1.0<br/>
git:5.7.0<br/>
git-changelog:3.45<br/>
git-client:6.2.0<br/>
git-server:137.ve0060b_432302<br/>
github:1.44.0<br/>
github-api:1.321-488.v9b_c0da_9533f8<br/>
github-branch-source:1833.v77b_6542df5a_8<br/>
gitlab-api:5.6.0-100.v83f8f4b_f1129<br/>
gitlab-oauth:1.22<br/>
gitlab-plugin:1.9.8<br/>
gradle:2.15<br/>
gson-api:2.13.1-153.vb_3d0c48a_a_b_4a_<br/>
handlebars:1.1.1<br/>
handy-uri-templates-2-api:2.1.8-36.v85e4cb_234a_13<br/>
htmlpublisher:427<br/>
hudson-pview-plugin:1.8<br/>
influxdb:5.0<br/>
instance-identity:203.v15e81a_1b_7a_38<br/>
ionicons-api:88.va_4187cb_eddf1<br/>
ivy:582.v35fb_da_0312f7<br/>
jackson2-api:2.19.2-408.v18248a_324cfe<br/>
jakarta-activation-api:2.1.3-2<br/>
jakarta-mail-api:2.1.3-2<br/>
javadoc:327.vdfe586651ee0<br/>
javax-activation-api:1.2.0-8<br/>
javax-mail-api:1.6.2-11<br/>
jaxb:2.3.9-133.vb_ec76a_73f706<br/>
jdk-tool:83.v417146707a_3d<br/>
jenkins-design-language:1.27.21<br/>
jenkins-webterminal:1.2<br/>
jersey2-api:2.47-165.ve7809a_3e87e0<br/>
jira:3.18<br/>
jjwt-api:0.11.5-120.v0268cf544b_89<br/>
jobConfigHistory:1343.v4b_e819a_ecdc2<br/>
joda-time-api:2.14.0-149.v1c3ce991d1b_9<br/>
jquery-detached:1.2.1<br/>
jquery3-api:3.7.1-3<br/>
jsch:0.2.16-95.v3eecb_55fa_b_78<br/>
json-api:20250517-163.v1c5da_e99c775<br/>
json-path-api:2.9.0-178.vca_b_c71881321<br/>
jsoup:1.21.1-58.vfc578e6e2610<br/>
junit:1335.v6b_a_a_e18534e1<br/>
ldap:780.vcb_33c9a_e4332<br/>
lockable-resources:1408.vb_7d1f371781d<br/>
log-parser:2.5.0<br/>
mailer:509.vc54d23fc427e<br/>
mapdb-api:1.0.9-44.va_1e1310c9118<br/>
matrix-auth:3.2.6<br/>
matrix-project:849.v0cd64ed7e531<br/>
maven-plugin:3.26<br/>
mercurial:1309.v6802b_f0efb_b_9<br/>
mina-sshd-api-common:2.15.0-161.vb_200831a_c15b_<br/>
mina-sshd-api-core:2.15.0-161.vb_200831a_c15b_<br/>
modernstatus:1.3<br/>
momentjs:1.1.1<br/>
msbuild:1.37<br/>
nested-view:241.v178f0b_a_cd76a_<br/>
next-build-number:66.v4b_4762172d53<br/>
nodejs:1.6.5<br/>
nomad:0.10.0<br/>
okhttp-api:4.11.0-189.v976fa_d3379d6<br/>
oss-symbols-api:390.va_22c30a_b_23a_2<br/>
pam-auth:1.12<br/>
parameterized-trigger:859.vb_e3907a_07a_16<br/>
pipeline-build-step:571.v08a_fffd4b_0ce<br/>
pipeline-github-lib:65.v203688e7727e<br/>
pipeline-graph-analysis:241.vc3d48fb_b_2582<br/>
pipeline-groovy-lib:752.vdddedf804e72<br/>
pipeline-input-step:532.v9e7466cb_4406<br/>
pipeline-milestone-step:138.v78ca_76831a_43<br/>
pipeline-model-api:2.2258.v4e96d2b_da_f9b_<br/>
pipeline-model-definition:2.2258.v4e96d2b_da_f9b_<br/>
pipeline-model-extensions:2.2258.v4e96d2b_da_f9b_<br/>
pipeline-multibranch-defaults:2.1<br/>
pipeline-rest-api:2.38<br/>
pipeline-stage-step:322.vecffa_99f371c<br/>
pipeline-stage-tags-metadata:2.2258.v4e96d2b_da_f9b_<br/>
pipeline-stage-view:2.38<br/>
pipeline-utility-steps:2.19.0<br/>
plain-credentials:199.v9f8e1f741799<br/>
plugin-usage-plugin:4.10<br/>
plugin-util-api:6.1.0<br/>
postbuild-task:78.v24529f1f5cdb_<br/>
powershell:2.3<br/>
prism-api:1.30.0-1<br/>
pubsub-light:1.19<br/>
release:2.19<br/>
resource-disposer:0.25<br/>
run-condition:243.v3c3f94e46a_8b_<br/>
scm-api:707.v749f968369d4<br/>
script-security:1373.vb_b_4a_a_c26fa_00<br/>
short-workspace-path:0.3<br/>
simple-theme-plugin:211.v5424a_5510e47<br/>
snakeyaml-api:2.3-125.v4d77857a_b_402<br/>
sse-gateway:1.28<br/>
ssh-credentials:359.v2191c4cf635f<br/>
ssh-slaves:3.1071.v0d059c7b_c555<br/>
sshd:3.372.v5d04a_e92d8cf<br/>
structs:350.v3b_30f09f2363<br/>
subversion:1287.vd2d507146906<br/>
test-results-analyzer:309.vda_3a_a_f100542<br/>
text-finder:1.32<br/>
throttle-concurrents:2.16<br/>
timestamper:1.30<br/>
token-macro:444.v52de7e9c573d<br/>
trilead-api:2.209.v0e69b_c43c245<br/>
variant:70.va_d9f17f859e0<br/>
view-job-filters:401.va_809f6a_b_0c26<br/>
warnings-ng:12.8.0<br/>
workflow-aggregator:608.v67378e9d3db_1<br/>
workflow-api:1380.ve03e7a_63d139<br/>
workflow-basic-steps:1079.vce64b_a_929c5a_<br/>
workflow-cps:4169.vb_7e492a_1c7b_e<br/>
workflow-durable-task-step:1442.vb_a_b_f5f3da_9f9<br/>
workflow-job:1540.v295eccc9778f<br/>
workflow-multibranch:810.v6b_6e77da_7058<br/>
workflow-scm-step:437.v05a_f66b_e5ef8<br/>
workflow-step-api:704.ve4f0967e98fa_<br/>
workflow-support:968.v8f17397e87b_8<br/>
ws-cleanup:0.48<br/>
xunit:3.1.5<br/>
When downloading some files where the file extension is .pkg (e.g. artifact.pkg) but the file is downloaded with a .zip extension. The files in question, when uploaded by Jenkins, are stored with the metadata Content-Type application/zip. Other files with different MIME types are unaffected. This only appears to be an issue when downloaded using the magic link generated by Jenkins (with a short lived token), not when downloaded from MinIO without the additional magic link (or through the web console).
For e.g.:
https://minio-api.domain.com/jenkins-builds/5/artifact.pkg?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20250731T183125Z&X-Amz-SignedHeaders=host&X-Amz-Credential=----------
E7P15%2F20250731%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=3600&X-Amz-Signature=3c295c792518c9440cb0a4e3544055-----------------------results in artifact.zip being downloaded
https://minio-api.domain.com/jenkins-builds/5/artifact.pkg results in artifact.pkg being downloaded
(Actual URLs obfuscated, secrets partially obfuscated with dashes)
In our case an easy mitigation would be be to let us specify anonymous download in Artifact Manager settings, letting users download the artifacts anonymously without creating a massive link with embedded credentials, however, this wouldn't fix the root cause.
Originally reported by ajaincdsc, imported from: S3 Artifact Manager file extension changes on download
Raw content of original issue
environment