chore: verify WAR signature when downloading it

Author: lemeurherve

.ci/publish.sh

@@ -90,15 +90,13 @@ mkdir -p target
 BUILD_METADATA_PATH="target/build-result-metadata_${BAKE_TARGET}_${metadata_suffix}.json"
 build_opts+=("--metadata-file=${BUILD_METADATA_PATH}")
 
-WAR_SHA="$(curl --disable --fail --silent --show-error --location "https://repo.jenkins-ci.org/releases/org/jenkins-ci/main/jenkins-war/${JENKINS_VERSION}/jenkins-war-${JENKINS_VERSION}.war.sha256")"
 COMMIT_SHA=$(git rev-parse HEAD)
-export COMMIT_SHA JENKINS_VERSION WAR_SHA LATEST_WEEKLY LATEST_LTS BUILD_METADATA_PATH
+export COMMIT_SHA JENKINS_VERSION LATEST_WEEKLY LATEST_LTS BUILD_METADATA_PATH
 
 cat <<EOF
 Using the following settings:
 * JENKINS_REPO: ${JENKINS_REPO}
 * JENKINS_VERSION: ${JENKINS_VERSION}
-* WAR_SHA: ${WAR_SHA}
 * COMMIT_SHA: ${COMMIT_SHA}
 * LATEST_WEEKLY: ${LATEST_WEEKLY}
 * LATEST_LTS: ${LATEST_LTS}

HACKING.adoc

@@ -161,7 +161,6 @@ Dry run, will not publish images
 Using the following settings:
 * JENKINS_REPO: jenkins/jenkins
 * JENKINS_VERSION: 2.528.3
-* WAR_SHA: bfa31f1e3aacebb5bce3d5076c73df97bf0c0567eeb8d8738f54f6bac48abd74
 * COMMIT_SHA: 1c72a9383191562eb3c44838aeeadad0839c2c92
 * LATEST_WEEKLY: false
 * LATEST_LTS: true
@@ -179,7 +178,6 @@ $ ./.ci/publish.sh -n
 Using the following settings:
 * JENKINS_REPO: jenkins/jenkins
 * JENKINS_VERSION: 2.528.3
-* WAR_SHA: bfa31f1e3aacebb5bce3d5076c73df97bf0c0567eeb8d8738f54f6bac48abd74
 * COMMIT_SHA: aaf4e7faf887b7ac4879c3bf540ede48220cca9f
 * LATEST_WEEKLY: false
 * LATEST_LTS: true
@@ -211,7 +209,6 @@ Using the following settings:
         "JAVA_VERSION": "25.0.1_8",
         "JENKINS_VERSION": "2.528.3",
         "PLUGIN_CLI_VERSION": "2.13.2",
-        "WAR_SHA": "bfa31f1e3aacebb5bce3d5076c73df97bf0c0567eeb8d8738f54f6bac48abd74",
         "WAR_URL": "https://get.jenkins.io/war-stable/2.528.3/jenkins.war"
       },
       "tags": [

Jenkinsfile

@@ -34,7 +34,6 @@ if (SIMULATE_LTS_BUILD) {
         'TAG_NAME=2.504.3',
         // TODO: replace by the first LTS based on 2.534+ when available
         'JENKINS_VERSION=2.541.1',
-        'WAR_SHA=8b12678aa6f9550b06825b006f9096186b17a7b857e9b68ad3f980d9f430fc94',
         // Filter out golden file based testing
         // To filter out all tests, set BATS_FLAGS="--filter-tags none"
         'BATS_FLAGS=--filter-tags "\\!test-type:golden-file"'

alpine/hotspot/Dockerfile

@@ -97,18 +97,17 @@ RUN mkdir -p ${REF}/init.groovy.d
 ARG JENKINS_VERSION
 ENV JENKINS_VERSION=${JENKINS_VERSION:-2.547}
 
-# jenkins.war checksum, download will be validated using it
-ARG WAR_SHA=ef0301ce35bff7ead76201a8202acad6338568f0832666a2672831b260e08088
-
 # Can be used to customize where jenkins.war get downloaded from
 ARG WAR_URL=https://get.jenkins.io/war/${JENKINS_VERSION}/jenkins.war
+COPY jenkins.io-2026.key /tmp/jenkins-key.pub
 
-# could use ADD but this one does not check Last-Modified header neither does it allow to control checksum
+# could use ADD but this one does not check Last-Modified header
 # see https://github.com/docker/docker/issues/8331
-RUN curl -fsSL ${WAR_URL} -o /usr/share/jenkins/jenkins.war \
-  && echo "${WAR_SHA}  /usr/share/jenkins/jenkins.war" >/tmp/war_sha \
-  && sha256sum -c --strict /tmp/war_sha \
-  && rm -f /tmp/war_sha
+RUN curl -fsSL "${WAR_URL}" -o /usr/share/jenkins/jenkins.war \
+  && curl -fsSL "${WAR_URL}.asc" -o /tmp/jenkins.war.asc \
+  && gpg --import /tmp/jenkins-key.pub \
+  && gpg --verify --trust-model direct /tmp/jenkins.war.asc /usr/share/jenkins/jenkins.war \
+  && rm -f /tmp/*
 
 ENV JENKINS_UC=https://updates.jenkins.io
 ENV JENKINS_UC_EXPERIMENTAL=https://updates.jenkins.io/experimental
@@ -118,9 +117,9 @@ RUN chown -R ${user} "$JENKINS_HOME" "$REF"
 ARG PLUGIN_CLI_VERSION=2.13.2
 ARG PLUGIN_CLI_URL=https://github.com/jenkinsci/plugin-installation-manager-tool/releases/download/${PLUGIN_CLI_VERSION}/jenkins-plugin-manager-${PLUGIN_CLI_VERSION}.jar
 RUN curl -fsSL ${PLUGIN_CLI_URL} -o /opt/jenkins-plugin-manager.jar \
-  && echo "$(curl -fsSL "${PLUGIN_CLI_URL}.sha256")  /opt/jenkins-plugin-manager.jar" >/tmp/war_sha \
-  && sha256sum -c --strict /tmp/war_sha \
-  && rm -f /tmp/war_sha
+  && echo "$(curl -fsSL "${PLUGIN_CLI_URL}.sha256")  /opt/jenkins-plugin-manager.jar" >/tmp/jpm_sha \
+  && sha256sum -c --strict /tmp/jpm_sha \
+  && rm -f /tmp/jpm_sha
 
 # for main web interface:
 EXPOSE ${http_port}

debian/Dockerfile

@@ -111,18 +111,17 @@ RUN mkdir -p ${REF}/init.groovy.d
 ARG JENKINS_VERSION
 ENV JENKINS_VERSION=${JENKINS_VERSION:-2.547}
 
-# jenkins.war checksum, download will be validated using it
-ARG WAR_SHA=ef0301ce35bff7ead76201a8202acad6338568f0832666a2672831b260e08088
-
 # Can be used to customize where jenkins.war get downloaded from
 ARG WAR_URL=https://get.jenkins.io/war/${JENKINS_VERSION}/jenkins.war
+COPY jenkins.io-2026.key /tmp/jenkins-key.pub
 
-# could use ADD but this one does not check Last-Modified header neither does it allow to control checksum
+# could use ADD but this one does not check Last-Modified header
 # see https://github.com/docker/docker/issues/8331
-RUN curl -fsSL ${WAR_URL} -o /usr/share/jenkins/jenkins.war \
-  && echo "${WAR_SHA}  /usr/share/jenkins/jenkins.war" >/tmp/war_sha \
-  && sha256sum -c --strict /tmp/war_sha \
-  && rm -f /tmp/war_sha
+RUN curl -fsSL "${WAR_URL}" -o /usr/share/jenkins/jenkins.war \
+  && curl -fsSL "${WAR_URL}.asc" -o /tmp/jenkins.war.asc \
+  && gpg --import /tmp/jenkins-key.pub \
+  && gpg --verify --trust-model direct /tmp/jenkins.war.asc /usr/share/jenkins/jenkins.war \
+  && rm -f /tmp/*
 
 ENV JENKINS_UC=https://updates.jenkins.io
 ENV JENKINS_UC_EXPERIMENTAL=https://updates.jenkins.io/experimental
@@ -132,9 +131,9 @@ RUN chown -R ${user} "$JENKINS_HOME" "$REF"
 ARG PLUGIN_CLI_VERSION=2.13.2
 ARG PLUGIN_CLI_URL=https://github.com/jenkinsci/plugin-installation-manager-tool/releases/download/${PLUGIN_CLI_VERSION}/jenkins-plugin-manager-${PLUGIN_CLI_VERSION}.jar
 RUN curl -fsSL ${PLUGIN_CLI_URL} -o /opt/jenkins-plugin-manager.jar \
-  && echo "$(curl -fsSL "${PLUGIN_CLI_URL}.sha256")  /opt/jenkins-plugin-manager.jar" >/tmp/war_sha \
-  && sha256sum -c --strict /tmp/war_sha \
-  && rm -f /tmp/war_sha
+  && echo "$(curl -fsSL "${PLUGIN_CLI_URL}.sha256")  /opt/jenkins-plugin-manager.jar" >/tmp/jpm_sha \
+  && sha256sum -c --strict /tmp/jpm_sha \
+  && rm -f /tmp/jpm_sha
 
 # for main web interface:
 EXPOSE ${http_port}

docker-bake.hcl

@@ -15,10 +15,6 @@ variable "JENKINS_VERSION" {
   default = "2.547"
 }
 
-variable "WAR_SHA" {
-  default = "ef0301ce35bff7ead76201a8202acad6338568f0832666a2672831b260e08088"
-}
-
 variable "WAR_URL" {
   default = ""
 }
@@ -115,7 +111,6 @@ target "alpine" {
   context    = "."
   args = {
     JENKINS_VERSION    = JENKINS_VERSION
-    WAR_SHA            = WAR_SHA
     WAR_URL            = war_url()
     COMMIT_SHA         = COMMIT_SHA
     PLUGIN_CLI_VERSION = PLUGIN_CLI_VERSION
@@ -136,7 +131,6 @@ target "debian" {
   context    = "."
   args = {
     JENKINS_VERSION     = JENKINS_VERSION
-    WAR_SHA             = WAR_SHA
     WAR_URL             = war_url()
     COMMIT_SHA          = COMMIT_SHA
     PLUGIN_CLI_VERSION  = PLUGIN_CLI_VERSION
@@ -158,7 +152,6 @@ target "rhel" {
   context    = "."
   args = {
     JENKINS_VERSION    = JENKINS_VERSION
-    WAR_SHA            = WAR_SHA
     WAR_URL            = war_url()
     COMMIT_SHA         = COMMIT_SHA
     PLUGIN_CLI_VERSION = PLUGIN_CLI_VERSION
@@ -180,7 +173,6 @@ target "windowsservercore" {
   context    = "."
   args = {
     JENKINS_VERSION    = JENKINS_VERSION
-    WAR_SHA            = WAR_SHA
     WAR_URL            = war_url()
     COMMIT_SHA         = COMMIT_SHA
     PLUGIN_CLI_VERSION = PLUGIN_CLI_VERSION

jenkins.io-2026.key

@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGlJRoMBEADGTw4Jms5rD1Wd0evqpTkNBgAIvCzvsjgGXHevmNIsDmm/niiE
+gKJlrl73T9d8GZeoacsAqwGTIq29ZA1jEt1lUZ8YkVxD3VxoL0RBhgMcy3qhiu37
+mQN1mzuItob8P2pft5pPqCWQDojXRpnMB/BTHgbtIH3i4chKVLJoCEX/Gw7abDbj
+cUpoKMTByd0+Zv2OBtdm7ZOYXHObPmSqRoiYNiCsW3mZRsgN1LkwTl5IwJQ7Xpj8
+9J4DK1Y6Fuyxi+QTbZk9Z3inrTx3pbARPd91MylIsOtuXkUFNQkA/ZWnKHTFgWQA
+qx//KrsCKLe6r3+CQ4/1R4F7jHjBB01qHrxofEzGo0LB/+QNwf1ISqD7piw20IMt
+vhlOqdsF2MQQAeyg8fv4nuLglI9ueh4T5FJabp6oL0QDozx1toa5Q58n0nX8gSBq
+3VTd8FkzTTsaihyypWmzbdVPwAAfXhRh7sNAUvALkq4vj/EWjPruQElWyP8DwmiC
+Aq8iduFb66oN58vlT1rf3z/jJH3FeByVEHEymz4E9rhBN1oOUQ++ONqCMOZHwnpY
+K549A+mHrK12RDQTYjgbi9BH2ktPqPUE37rZDoGN9hzZ9dqG8dMEEz5qVMzsGhuw
+nm1d86yQRUzscHwgPELc7xiIuV3taLf2KI4qSHTDmq6nRFxcgKI2LGFfcwARAQAB
+tDJKZW5raW5zIFByb2plY3QgPGplbmtpbnNjaS1ib2FyZEBnb29nbGVncm91cHMu
+Y29tPokCVwQTAQgAQRYhBF44bq21XwFQTK6Lz3GY9LcUq/xoBQJpSUaDAhsDBQkF
+o5qABQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEHGY9LcUq/xouboP/1Zd
+KxZXkTj20jnBn8MJ9scr17wzGLy2/EaAelbfeIYmsWJ6A7ZuuUw/41dUbTuI3k3D
+Ta1Ft0oO5K63sJqvTQzUdas6x3HMsjYSo+YtbRZnMmR/KO4//5Lewm3LPQnCV662
+8ZI73T22msQAbyxa8do56dmBT4N/NO6oGFZI6JBFnkiIlXmKDzm3aiEZi//piN3X
+PZgtu8wHqpFleJXUbCpk8Db69xTjdXhnFpaYg29VrzvD/0jBEZE47Bekrl6YgjJ8
+CKyhaPWZfxYxNeuVRTn+yxlAcDc8o9tboSKnlZ8HSOBPbf36qmLKbD4rPQmTAVgJ
+hwBY2mxDUT5hTVom25KeyueIyN4l6OZEoLxcq5GxN85RkU2Zfq1jodpnm/PnF47Y
+7qS4zu8bOOeUCFpJXG3kDYo34tkFKk5CT8PJLHdjgLWGvhQeL95ytPvrTLkEj4yk
+6SXHH4EcKimgi0c/zotnzv997kGCpoMZoeIXpkhrTJoZvSQqFpeCamFRwl/AfM/l
+ppyH905Cm/GcB+W0hQqTsA0wm+6ZQn4fAR/rhqRk4Ka1TuX2ow3OQKlyoA4EgvdI
+41MQEw4y9spjH2RgyJpOAgIagidECrFJbqNcyzHUZUxcD7fKMRaiv5LepxVLXZ0/
+XDDBGd3AXh6nv2BTDhoE+ZI1suWZAMwvxyoFDDFO
+=8CuH
+-----END PGP PUBLIC KEY BLOCK-----

make.ps1

@@ -4,7 +4,7 @@ Param(
     # Default script target
     [String] $Target = 'build',
     # Jenkins version to include
-    [String] $JenkinsVersion = '2.534',
+    [String] $JenkinsVersion = '2.547',
     # Windows flavor and windows version to build
     [String] $ImageType = 'windowsservercore-ltsc2022',
     # Generate a docker compose file even if it already exists
@@ -57,11 +57,6 @@ if([String]::IsNullOrWhiteSpace($env:WAR_URL)) {
     $env:WAR_URL = 'https://get.jenkins.io/{0}/{1}/jenkins.war' -f $releaseLine, $env:JENKINS_VERSION
 }
 
-# Retrieve the sha256 corresponding to the war file
-$warShaURL = '{0}.sha256' -f $env:WAR_URL
-$webClient = New-Object System.Net.WebClient
-$env:WAR_SHA = $webClient.DownloadString($warShaURL).Split(' ')[0]
-
 # Check for required commands
 Function Test-CommandExists {
     Param (

rhel/Dockerfile

@@ -101,18 +101,17 @@ RUN curl -fsSL "https://github.com/krallin/tini/releases/download/${TINI_VERSION
 ARG JENKINS_VERSION
 ENV JENKINS_VERSION=${JENKINS_VERSION:-2.547}
 
-# jenkins.war checksum, download will be validated using it
-ARG WAR_SHA=ef0301ce35bff7ead76201a8202acad6338568f0832666a2672831b260e08088
-
 # Can be used to customize where jenkins.war get downloaded from
 ARG WAR_URL=https://get.jenkins.io/war/${JENKINS_VERSION}/jenkins.war
+COPY jenkins.io-2026.key /tmp/jenkins-key.pub
 
-# could use ADD but this one does not check Last-Modified header neither does it allow to control checksum
+# could use ADD but this one does not check Last-Modified header
 # see https://github.com/docker/docker/issues/8331
-RUN curl -fsSL ${WAR_URL} -o /usr/share/jenkins/jenkins.war \
-  && echo "${WAR_SHA}  /usr/share/jenkins/jenkins.war" >/tmp/war_sha \
-  && sha256sum -c --strict /tmp/war_sha \
-  && rm -f /tmp/war_sha
+RUN curl -fsSL "${WAR_URL}" -o /usr/share/jenkins/jenkins.war \
+  && curl -fsSL "${WAR_URL}.asc" -o /tmp/jenkins.war.asc \
+  && gpg --import /tmp/jenkins-key.pub \
+  && gpg --verify --trust-model direct /tmp/jenkins.war.asc /usr/share/jenkins/jenkins.war \
+  && rm -f /tmp/*
 
 ENV JENKINS_UC=https://updates.jenkins.io
 ENV JENKINS_UC_EXPERIMENTAL=https://updates.jenkins.io/experimental
@@ -122,9 +121,9 @@ RUN chown -R ${user} "$JENKINS_HOME" "$REF"
 ARG PLUGIN_CLI_VERSION=2.13.2
 ARG PLUGIN_CLI_URL=https://github.com/jenkinsci/plugin-installation-manager-tool/releases/download/${PLUGIN_CLI_VERSION}/jenkins-plugin-manager-${PLUGIN_CLI_VERSION}.jar
 RUN curl -fsSL ${PLUGIN_CLI_URL} -o /opt/jenkins-plugin-manager.jar \
-  && echo "$(curl -fsSL "${PLUGIN_CLI_URL}.sha256")  /opt/jenkins-plugin-manager.jar" >/tmp/war_sha \
-  && sha256sum -c --strict /tmp/war_sha \
-  && rm -f /tmp/war_sha
+  && echo "$(curl -fsSL "${PLUGIN_CLI_URL}.sha256")  /opt/jenkins-plugin-manager.jar" >/tmp/jpm_sha \
+  && sha256sum -c --strict /tmp/jpm_sha \
+  && rm -f /tmp/jpm_sha
 
 # for main web interface:
 EXPOSE ${http_port}

updatecli/updatecli.d/jenkins-version-simulated-lts.yaml

@@ -28,11 +28,6 @@ sources:
           \d+\.\d+\.1$
     transformers:
       - trimprefix: "jenkins-"
-  latestWarSha:
-    kind: shell
-    name: Get latest Jenkins Core LTS sha256 checksum
-    spec:
-      command: curl --disable --fail --silent --show-error --location "https://repo.jenkins-ci.org/releases/org/jenkins-ci/main/jenkins-war/{{ source "latestVersion" }}/jenkins-war-{{ source "latestVersion" }}.war.sha256"
 
 conditions:
   isDockerImagePublished:
@@ -74,17 +69,6 @@ targets:
       file: tests/golden/expected_tags_latest_lts.txt
       matchpattern: :(\d+\.\d+\.\d+)
       replacepattern: :{{ source "latestVersion" }}
-  updateWarSha:
-    name: Update default value of simulated LTS WAR_SHA in Jenkinsfile
-    kind: file
-    scmid: default
-    sourceid: latestWarSha
-    spec:
-      file: Jenkinsfile
-      matchpattern: >-
-        'WAR_SHA=(.*)'
-      content: >-
-        'WAR_SHA={{ source "latestWarSha" }}'
 
 actions:
   default: