chore: verify WAR signature when downloading it (jenkinsci#2233)

Author: lemeurherve

.ci/publish.sh

@@ -90,15 +90,13 @@ mkdir -p target
 BUILD_METADATA_PATH="target/build-result-metadata_${BAKE_TARGET}_${metadata_suffix}.json"
 build_opts+=("--metadata-file=${BUILD_METADATA_PATH}")
 
-WAR_SHA="$(curl --disable --fail --silent --show-error --location "https://repo.jenkins-ci.org/releases/org/jenkins-ci/main/jenkins-war/${JENKINS_VERSION}/jenkins-war-${JENKINS_VERSION}.war.sha256")"
 COMMIT_SHA=$(git rev-parse HEAD)
-export COMMIT_SHA JENKINS_VERSION WAR_SHA LATEST_WEEKLY LATEST_LTS BUILD_METADATA_PATH
+export COMMIT_SHA JENKINS_VERSION LATEST_WEEKLY LATEST_LTS BUILD_METADATA_PATH
 
 cat <<EOF
 Using the following settings:
 * JENKINS_REPO: ${JENKINS_REPO}
 * JENKINS_VERSION: ${JENKINS_VERSION}
-* WAR_SHA: ${WAR_SHA}
 * COMMIT_SHA: ${COMMIT_SHA}
 * LATEST_WEEKLY: ${LATEST_WEEKLY}
 * LATEST_LTS: ${LATEST_LTS}

HACKING.adoc

@@ -161,7 +161,6 @@ Dry run, will not publish images
 Using the following settings:
 * JENKINS_REPO: jenkins/jenkins
 * JENKINS_VERSION: 2.528.3
-* WAR_SHA: bfa31f1e3aacebb5bce3d5076c73df97bf0c0567eeb8d8738f54f6bac48abd74
 * COMMIT_SHA: 1c72a9383191562eb3c44838aeeadad0839c2c92
 * LATEST_WEEKLY: false
 * LATEST_LTS: true
@@ -179,7 +178,6 @@ $ ./.ci/publish.sh -n
 Using the following settings:
 * JENKINS_REPO: jenkins/jenkins
 * JENKINS_VERSION: 2.528.3
-* WAR_SHA: bfa31f1e3aacebb5bce3d5076c73df97bf0c0567eeb8d8738f54f6bac48abd74
 * COMMIT_SHA: aaf4e7faf887b7ac4879c3bf540ede48220cca9f
 * LATEST_WEEKLY: false
 * LATEST_LTS: true
@@ -211,7 +209,6 @@ Using the following settings:
         "JAVA_VERSION": "25.0.1_8",
         "JENKINS_VERSION": "2.528.3",
         "PLUGIN_CLI_VERSION": "2.13.2",
-        "WAR_SHA": "bfa31f1e3aacebb5bce3d5076c73df97bf0c0567eeb8d8738f54f6bac48abd74",
         "WAR_URL": "https://get.jenkins.io/war-stable/2.528.3/jenkins.war"
       },
       "tags": [

Jenkinsfile

@@ -34,7 +34,9 @@ if (SIMULATE_LTS_BUILD) {
         'TAG_NAME=2.504.3',
         // TODO: replace by the first LTS based on 2.534+ when available
         'JENKINS_VERSION=2.504.3',
-        'WAR_SHA=ea8883431b8b5ef6b68fe0e5817c93dc0a11def380054e7de3136486796efeb0'
+        // Filter out golden file based testing
+        // To filter out all tests, set BATS_FLAGS="--filter-tags none"
+        'BATS_FLAGS=--filter-tags "\\!test-type:golden-file"'
     ]
 }
 

alpine/hotspot/Dockerfile

@@ -1,6 +1,6 @@
 ARG ALPINE_TAG=3.23.3
 
-FROM alpine:"${ALPINE_TAG}" AS jre-build
+FROM alpine:"${ALPINE_TAG}" AS jre-and-war
 
 ARG JAVA_VERSION=17.0.18_8
 
@@ -11,6 +11,7 @@ COPY jdk-download.sh /usr/bin/jdk-download.sh
 
 RUN apk add --no-cache \
     ca-certificates \
+    gnupg \
     jq \
     curl \
     && rm -fr /var/cache/apk/* \
@@ -40,6 +41,20 @@ RUN java_major_version="$(jlink --version 2>&1 | cut -c1-2)"; \
         --output /javaruntime; \
     fi
 
+# Jenkins version being bundled in this docker image
+ARG JENKINS_VERSION=2.534
+# Can be used to customize where jenkins.war get downloaded from
+ARG WAR_URL=https://get.jenkins.io/war/${JENKINS_VERSION}/jenkins.war
+
+COPY jenkins.io-2026.key /war/jenkins-key.pub
+
+# Not using ADD as it does not check Last-Modified header
+# see https://github.com/docker/docker/issues/8331
+RUN curl -fsSL "${WAR_URL}" -o /war/jenkins.war \
+  && curl -fsSL "${WAR_URL}.asc" -o /war/jenkins.war.asc \
+  && gpg --import /war/jenkins-key.pub \
+  && gpg --verify --trust-model direct /war/jenkins.war.asc /war/jenkins.war
+
 FROM alpine:"${ALPINE_TAG}" AS controller
 
 RUN apk add --no-cache \
@@ -48,7 +63,6 @@ RUN apk add --no-cache \
     curl \
     git \
     git-lfs \
-    gnupg \
     musl-locales \
     musl-locales-lang \
     openssh-client \
@@ -93,23 +107,6 @@ VOLUME $JENKINS_HOME
 # or config file with your custom jenkins Docker image.
 RUN mkdir -p ${REF}/init.groovy.d
 
-# jenkins version being bundled in this docker image
-ARG JENKINS_VERSION
-ENV JENKINS_VERSION=${JENKINS_VERSION:-2.547}
-
-# jenkins.war checksum, download will be validated using it
-ARG WAR_SHA=ef0301ce35bff7ead76201a8202acad6338568f0832666a2672831b260e08088
-
-# Can be used to customize where jenkins.war get downloaded from
-ARG WAR_URL=https://get.jenkins.io/war/${JENKINS_VERSION}/jenkins.war
-
-# could use ADD but this one does not check Last-Modified header neither does it allow to control checksum
-# see https://github.com/docker/docker/issues/8331
-RUN curl -fsSL ${WAR_URL} -o /usr/share/jenkins/jenkins.war \
-  && echo "${WAR_SHA}  /usr/share/jenkins/jenkins.war" >/tmp/war_sha \
-  && sha256sum -c --strict /tmp/war_sha \
-  && rm -f /tmp/war_sha
-
 ENV JENKINS_UC=https://updates.jenkins.io
 ENV JENKINS_UC_EXPERIMENTAL=https://updates.jenkins.io/experimental
 ENV JENKINS_INCREMENTALS_REPO_MIRROR=https://repo.jenkins-ci.org/incrementals
@@ -118,9 +115,9 @@ RUN chown -R ${user} "$JENKINS_HOME" "$REF"
 ARG PLUGIN_CLI_VERSION=2.13.2
 ARG PLUGIN_CLI_URL=https://github.com/jenkinsci/plugin-installation-manager-tool/releases/download/${PLUGIN_CLI_VERSION}/jenkins-plugin-manager-${PLUGIN_CLI_VERSION}.jar
 RUN curl -fsSL ${PLUGIN_CLI_URL} -o /opt/jenkins-plugin-manager.jar \
-  && echo "$(curl -fsSL "${PLUGIN_CLI_URL}.sha256")  /opt/jenkins-plugin-manager.jar" >/tmp/war_sha \
-  && sha256sum -c --strict /tmp/war_sha \
-  && rm -f /tmp/war_sha
+  && echo "$(curl -fsSL "${PLUGIN_CLI_URL}.sha256")  /opt/jenkins-plugin-manager.jar" >/tmp/jpm_sha \
+  && sha256sum -c --strict /tmp/jpm_sha \
+  && rm -f /tmp/jpm_sha
 
 # for main web interface:
 EXPOSE ${http_port}
@@ -132,14 +129,17 @@ ENV COPY_REFERENCE_FILE_LOG=$JENKINS_HOME/copy_reference_file.log
 
 ENV JAVA_HOME=/opt/java/openjdk
 ENV PATH="${JAVA_HOME}/bin:${PATH}"
-COPY --from=jre-build /javaruntime $JAVA_HOME
+COPY --from=jre-and-war /javaruntime $JAVA_HOME
+COPY --from=jre-and-war /war/jenkins.war /usr/share/jenkins/jenkins.war
 
 USER ${user}
 
 COPY jenkins-support /usr/local/bin/jenkins-support
 COPY jenkins.sh /usr/local/bin/jenkins.sh
 COPY jenkins-plugin-cli.sh /bin/jenkins-plugin-cli
 
+ARG JENKINS_VERSION=2.534
+
 ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/jenkins.sh"]
 
 # metadata labels

debian/Dockerfile

@@ -3,7 +3,7 @@ ARG TRIXIE_TAG=20251103
 ARG DEBIAN_RELEASE_LINE=trixie
 ARG DEBIAN_VERSION=20251117
 ARG DEBIAN_VARIANT="-slim"
-FROM debian:"${DEBIAN_RELEASE_LINE}-${DEBIAN_VERSION}${DEBIAN_VARIANT}" AS jre-build
+FROM debian:"${DEBIAN_RELEASE_LINE}-${DEBIAN_VERSION}${DEBIAN_VARIANT}" AS jre-and-war
 
 ARG JAVA_VERSION=17.0.18_8
 
@@ -16,6 +16,7 @@ RUN apt-get update \
   && apt-get install --no-install-recommends -y \
     ca-certificates \
     curl \
+    gnupg \
     jq \
   && rm -rf /var/lib/apt/lists/* \
   && /usr/bin/jdk-download.sh
@@ -44,15 +45,27 @@ RUN java_major_version="$(jlink --version 2>&1 | cut -c1-2)"; \
         --output /javaruntime; \
     fi
 
+# Jenkins version being bundled in this docker image
+ARG JENKINS_VERSION=2.534
+# Can be used to customize where jenkins.war get downloaded from
+ARG WAR_URL=https://get.jenkins.io/war/${JENKINS_VERSION}/jenkins.war
+
+COPY jenkins.io-2026.key /war/jenkins-key.pub
+
+# Not using ADD as it does not check Last-Modified header
+# see https://github.com/docker/docker/issues/8331
+RUN curl -fsSL "${WAR_URL}" -o /war/jenkins.war \
+  && curl -fsSL "${WAR_URL}.asc" -o /war/jenkins.war.asc \
+  && gpg --import /war/jenkins-key.pub \
+  && gpg --verify --trust-model direct /war/jenkins.war.asc /war/jenkins.war
+
 FROM debian:"${DEBIAN_RELEASE_LINE}-${DEBIAN_VERSION}${DEBIAN_VARIANT}" AS controller
 
 RUN apt-get update \
   && apt-get install -y --no-install-recommends \
     ca-certificates \
     curl \
     git \
-    gnupg \
-    gpg \
     libfontconfig1 \
     libfreetype6 \
     procps \
@@ -107,23 +120,6 @@ VOLUME $JENKINS_HOME
 # or config file with your custom jenkins Docker image.
 RUN mkdir -p ${REF}/init.groovy.d
 
-# jenkins version being bundled in this docker image
-ARG JENKINS_VERSION
-ENV JENKINS_VERSION=${JENKINS_VERSION:-2.547}
-
-# jenkins.war checksum, download will be validated using it
-ARG WAR_SHA=ef0301ce35bff7ead76201a8202acad6338568f0832666a2672831b260e08088
-
-# Can be used to customize where jenkins.war get downloaded from
-ARG WAR_URL=https://get.jenkins.io/war/${JENKINS_VERSION}/jenkins.war
-
-# could use ADD but this one does not check Last-Modified header neither does it allow to control checksum
-# see https://github.com/docker/docker/issues/8331
-RUN curl -fsSL ${WAR_URL} -o /usr/share/jenkins/jenkins.war \
-  && echo "${WAR_SHA}  /usr/share/jenkins/jenkins.war" >/tmp/war_sha \
-  && sha256sum -c --strict /tmp/war_sha \
-  && rm -f /tmp/war_sha
-
 ENV JENKINS_UC=https://updates.jenkins.io
 ENV JENKINS_UC_EXPERIMENTAL=https://updates.jenkins.io/experimental
 ENV JENKINS_INCREMENTALS_REPO_MIRROR=https://repo.jenkins-ci.org/incrementals
@@ -132,9 +128,9 @@ RUN chown -R ${user} "$JENKINS_HOME" "$REF"
 ARG PLUGIN_CLI_VERSION=2.13.2
 ARG PLUGIN_CLI_URL=https://github.com/jenkinsci/plugin-installation-manager-tool/releases/download/${PLUGIN_CLI_VERSION}/jenkins-plugin-manager-${PLUGIN_CLI_VERSION}.jar
 RUN curl -fsSL ${PLUGIN_CLI_URL} -o /opt/jenkins-plugin-manager.jar \
-  && echo "$(curl -fsSL "${PLUGIN_CLI_URL}.sha256")  /opt/jenkins-plugin-manager.jar" >/tmp/war_sha \
-  && sha256sum -c --strict /tmp/war_sha \
-  && rm -f /tmp/war_sha
+  && echo "$(curl -fsSL "${PLUGIN_CLI_URL}.sha256")  /opt/jenkins-plugin-manager.jar" >/tmp/jpm_sha \
+  && sha256sum -c --strict /tmp/jpm_sha \
+  && rm -f /tmp/jpm_sha
 
 # for main web interface:
 EXPOSE ${http_port}
@@ -146,14 +142,17 @@ ENV COPY_REFERENCE_FILE_LOG=$JENKINS_HOME/copy_reference_file.log
 
 ENV JAVA_HOME=/opt/java/openjdk
 ENV PATH="${JAVA_HOME}/bin:${PATH}"
-COPY --from=jre-build /javaruntime $JAVA_HOME
+COPY --from=jre-and-war /javaruntime $JAVA_HOME
+COPY --from=jre-and-war /war/jenkins.war /usr/share/jenkins/jenkins.war
 
 USER ${user}
 
 COPY jenkins-support /usr/local/bin/jenkins-support
 COPY jenkins.sh /usr/local/bin/jenkins.sh
 COPY jenkins-plugin-cli.sh /bin/jenkins-plugin-cli
 
+ARG JENKINS_VERSION=2.534
+
 ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/jenkins.sh"]
 
 # metadata labels

docker-bake.hcl

@@ -15,10 +15,6 @@ variable "JENKINS_VERSION" {
   default = "2.547"
 }
 
-variable "WAR_SHA" {
-  default = "ef0301ce35bff7ead76201a8202acad6338568f0832666a2672831b260e08088"
-}
-
 variable "WAR_URL" {
   default = ""
 }
@@ -115,7 +111,6 @@ target "alpine" {
   context    = "."
   args = {
     JENKINS_VERSION    = JENKINS_VERSION
-    WAR_SHA            = WAR_SHA
     WAR_URL            = war_url()
     COMMIT_SHA         = COMMIT_SHA
     PLUGIN_CLI_VERSION = PLUGIN_CLI_VERSION
@@ -136,7 +131,6 @@ target "debian" {
   context    = "."
   args = {
     JENKINS_VERSION     = JENKINS_VERSION
-    WAR_SHA             = WAR_SHA
     WAR_URL             = war_url()
     COMMIT_SHA          = COMMIT_SHA
     PLUGIN_CLI_VERSION  = PLUGIN_CLI_VERSION
@@ -158,7 +152,6 @@ target "rhel" {
   context    = "."
   args = {
     JENKINS_VERSION    = JENKINS_VERSION
-    WAR_SHA            = WAR_SHA
     WAR_URL            = war_url()
     COMMIT_SHA         = COMMIT_SHA
     PLUGIN_CLI_VERSION = PLUGIN_CLI_VERSION
@@ -180,7 +173,6 @@ target "windowsservercore" {
   context    = "."
   args = {
     JENKINS_VERSION    = JENKINS_VERSION
-    WAR_SHA            = WAR_SHA
     WAR_URL            = war_url()
     COMMIT_SHA         = COMMIT_SHA
     PLUGIN_CLI_VERSION = PLUGIN_CLI_VERSION

jenkins.io-2026.key

@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGlJRoMBEADGTw4Jms5rD1Wd0evqpTkNBgAIvCzvsjgGXHevmNIsDmm/niiE
+gKJlrl73T9d8GZeoacsAqwGTIq29ZA1jEt1lUZ8YkVxD3VxoL0RBhgMcy3qhiu37
+mQN1mzuItob8P2pft5pPqCWQDojXRpnMB/BTHgbtIH3i4chKVLJoCEX/Gw7abDbj
+cUpoKMTByd0+Zv2OBtdm7ZOYXHObPmSqRoiYNiCsW3mZRsgN1LkwTl5IwJQ7Xpj8
+9J4DK1Y6Fuyxi+QTbZk9Z3inrTx3pbARPd91MylIsOtuXkUFNQkA/ZWnKHTFgWQA
+qx//KrsCKLe6r3+CQ4/1R4F7jHjBB01qHrxofEzGo0LB/+QNwf1ISqD7piw20IMt
+vhlOqdsF2MQQAeyg8fv4nuLglI9ueh4T5FJabp6oL0QDozx1toa5Q58n0nX8gSBq
+3VTd8FkzTTsaihyypWmzbdVPwAAfXhRh7sNAUvALkq4vj/EWjPruQElWyP8DwmiC
+Aq8iduFb66oN58vlT1rf3z/jJH3FeByVEHEymz4E9rhBN1oOUQ++ONqCMOZHwnpY
+K549A+mHrK12RDQTYjgbi9BH2ktPqPUE37rZDoGN9hzZ9dqG8dMEEz5qVMzsGhuw
+nm1d86yQRUzscHwgPELc7xiIuV3taLf2KI4qSHTDmq6nRFxcgKI2LGFfcwARAQAB
+tDJKZW5raW5zIFByb2plY3QgPGplbmtpbnNjaS1ib2FyZEBnb29nbGVncm91cHMu
+Y29tPokCVwQTAQgAQRYhBF44bq21XwFQTK6Lz3GY9LcUq/xoBQJpSUaDAhsDBQkF
+o5qABQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEHGY9LcUq/xouboP/1Zd
+KxZXkTj20jnBn8MJ9scr17wzGLy2/EaAelbfeIYmsWJ6A7ZuuUw/41dUbTuI3k3D
+Ta1Ft0oO5K63sJqvTQzUdas6x3HMsjYSo+YtbRZnMmR/KO4//5Lewm3LPQnCV662
+8ZI73T22msQAbyxa8do56dmBT4N/NO6oGFZI6JBFnkiIlXmKDzm3aiEZi//piN3X
+PZgtu8wHqpFleJXUbCpk8Db69xTjdXhnFpaYg29VrzvD/0jBEZE47Bekrl6YgjJ8
+CKyhaPWZfxYxNeuVRTn+yxlAcDc8o9tboSKnlZ8HSOBPbf36qmLKbD4rPQmTAVgJ
+hwBY2mxDUT5hTVom25KeyueIyN4l6OZEoLxcq5GxN85RkU2Zfq1jodpnm/PnF47Y
+7qS4zu8bOOeUCFpJXG3kDYo34tkFKk5CT8PJLHdjgLWGvhQeL95ytPvrTLkEj4yk
+6SXHH4EcKimgi0c/zotnzv997kGCpoMZoeIXpkhrTJoZvSQqFpeCamFRwl/AfM/l
+ppyH905Cm/GcB+W0hQqTsA0wm+6ZQn4fAR/rhqRk4Ka1TuX2ow3OQKlyoA4EgvdI
+41MQEw4y9spjH2RgyJpOAgIagidECrFJbqNcyzHUZUxcD7fKMRaiv5LepxVLXZ0/
+XDDBGd3AXh6nv2BTDhoE+ZI1suWZAMwvxyoFDDFO
+=8CuH
+-----END PGP PUBLIC KEY BLOCK-----

make.ps1

@@ -57,11 +57,6 @@ if([String]::IsNullOrWhiteSpace($env:WAR_URL)) {
     $env:WAR_URL = 'https://get.jenkins.io/{0}/{1}/jenkins.war' -f $releaseLine, $env:JENKINS_VERSION
 }
 
-# Retrieve the sha256 corresponding to the war file
-$warShaURL = '{0}.sha256' -f $env:WAR_URL
-$webClient = New-Object System.Net.WebClient
-$env:WAR_SHA = $webClient.DownloadString($warShaURL).Split(' ')[0]
-
 # Check for required commands
 Function Test-CommandExists {
     Param (