[JENKINS-75905] Include update site URL in signature verification error messages

Author: adhamahmad

core/src/main/java/hudson/model/UpdateSite.java

@@ -294,7 +294,29 @@ protected UpdateCenter.InstallationJob createInstallationJob(Plugin plugin, Upda
      */
     @Restricted(NoExternalUse.class)
     public final FormValidation verifySignatureInternal(JSONObject o) throws IOException {
-        return getJsonSignatureValidator().verifySignature(o);
+        FormValidation result = getJsonSignatureValidator().verifySignature(o);
+
+        if (result.kind == FormValidation.Kind.ERROR) {
+            String message = result.getMessage();
+            if (message != null) {
+//                String siteUrl = getUrl();
+                String updatedMessage;
+
+                if (message.contains("update site") && message.contains(" Path") && !message.contains(url)) {
+                    // Ensure the update site URL is included in error messages by replacing the site identifier in messages of the 'update site … Path' pattern or appending it otherwise.
+                    updatedMessage = message.replaceAll(
+                            "(update site\\s+).*?(\\s+Path)",
+                            "$1" + url + "$2"
+                    );
+                } else {
+                    // Do not alter message structure; only add URL context
+                    updatedMessage = message + " (URL: " + url + ")";
+                }
+                return FormValidation.error(updatedMessage);
+            }
+        }
+
+        return result;
     }
 
     /**

core/src/main/java/jenkins/util/JSONSignatureValidator.java

@@ -138,7 +138,9 @@ public FormValidation verifySignature(JSONObject o) throws IOException {
             if (warning != null)  return warning;
             return FormValidation.ok();
         } catch (GeneralSecurityException e) {
-            return FormValidation.error(e, "Signature verification failed in " + name);
+            // Return a user-friendly error message without the full stack trace
+            String rootCauseMessage = getRootCauseMessage(e);
+            return FormValidation.error("Signature verification failed in " + name + ": " + rootCauseMessage);
         }
     }
 
@@ -321,5 +323,25 @@ protected Set<TrustAnchor> loadTrustAnchors(CertificateFactory cf) throws IOExce
         return anchors;
     }
 
+    /**
+     * Extracts a user-friendly message from an exception chain.
+     *
+     * @param e the exception to extract the message from
+     * @return a concise, readable error message
+     */
+    private String getRootCauseMessage(Throwable e) {
+        Throwable cause = e;
+        while (cause.getCause() != null && cause.getCause() != cause) {
+            cause = cause.getCause();
+        }
+
+        String message = cause.getMessage();
+        if (message != null && !message.isEmpty()) {
+            return message;
+        }
+
+        return cause.getClass().getSimpleName();
+    }
+
     private static final Logger LOGGER = Logger.getLogger(JSONSignatureValidator.class.getName());
 }

test/src/test/java/hudson/model/UpdateSiteTest.java

@@ -299,4 +299,24 @@ private PluginWrapper buildPluginWrapper(String name, String wikiUrl) {
                 new ArrayList<>()
         );
     }
+
+    @Test
+    void signatureVerificationFailureIncludesUpdateSiteUrl() throws Exception {
+        // Create an UpdateSite with an invalid/malformed signature that will trigger an error
+        URL url = new URL(baseUrl, "/plugins/invalid-signature-update-center.json");
+        UpdateSite site = new UpdateSite(UpdateCenter.ID_DEFAULT, url.toString());
+        overrideUpdateSite(site);
+
+        FormValidation validation = site.updateDirectlyNow(true);
+
+        assertEquals(FormValidation.Kind.ERROR, validation.kind);
+
+        String message = validation.getMessage();
+        assertNotNull(message);
+        assertTrue(
+                message.contains(url.toString()),
+                "Signature verification error should include update site URL"
+        );
+    }
+
 }

test/src/test/resources/plugins/invalid-signature-update-center.json

@@ -0,0 +1,17 @@
+{
+  "updateCenterVersion": "1",
+  "connectionCheckUrl": "http://www.google.com/",
+  "core": {
+    "name": "core",
+    "version": "2.0",
+    "url": "http://updates.jenkins-ci.org/download/war/2.0/jenkins.war"
+  },
+  "plugins": {},
+  "signature": {
+    "certificates": [
+      "InvalidBase64CertificateDataThatWillFailValidation=="
+    ],
+    "correct_digest": "invalid_digest_value",
+    "correct_signature": "invalid_signature_value"
+  }
+}