jenkinsci / allure-plugin

Allure Jenkins Plugin
https://plugins.jenkins.io/allure-jenkins-plugin/

Certificate expiration of the plugin when checking for plugin updates on Jenkins startup #292

Closed ricardojdsilva87 closed 3 years ago

ricardojdsilva87 commented 3 years ago

Version report

Jenkins and plugins versions report:

Jenkins: 2.289.1
OS: Linux - 4.9.0-14-amd64
---
sshd:3.0.3
jdk-tool:1.0
command-launcher:1.2
jaxb:2.3.0
docker-java-api:3.1.5.2
blueocean-github-pipeline:1.24.7
branch-api:2.6.4
config-file-provider:3.8.0
github:1.33.1
pubsub-light:1.16
mask-passwords:3.0
ws-cleanup:0.39
jquery:1.12.4-1
blueocean-config:1.24.7
favorite:2.3.3
matrix-auth:2.6.7
ssh-slaves:1.32.0
aws-java-sdk:1.11.995
script-security:1.77
blueocean-personalization:1.24.7
jquery3-api:3.6.0-1
kubernetes:1.30.0
pipeline-model-definition:1.8.5
docker-plugin:1.2.2
momentjs:1.1.1
http_request:1.9.0
git:4.7.2
handlebars:3.0.8
allure-jenkins-plugin:2.29.0
checks-api:1.7.0
scm-api:2.6.4
docker-commons:1.17
warnings-ng:9.2.1
h2-api:1.4.199
docker-build-publish:1.3.3
saml:2.0.6
docker-workflow:1.26
blueocean-autofavorite:1.2.4
pipeline-model-api:1.8.5
jacoco:3.3.0
pipeline-milestone-step:1.3.2
jsch:0.1.55.2
resource-disposer:0.16
blueocean:1.24.7
analysis-model-api:10.2.5
parameterized-trigger:2.41
blueocean-pipeline-api-impl:1.24.7
kubernetes-credentials:0.9.0
credentials-binding:1.26
blueocean-display-url:2.4.1
aws-secrets-manager-credentials-provider:0.5.3
popper2-api:2.5.4-2
pipeline-utility-steps:2.8.0
maven-metadata-plugin:2.0.0
pipeline-input-step:2.12
matrix-project:1.19
job-dsl:1.77
pipeline-stage-step:2.5
authentication-tokens:1.4
build-name-setter:2.2.0
workflow-cps:2.92
caffeine-api:2.9.1-23.v51c4e2c879c8
bootstrap4-api:4.6.0-3
jira-steps:1.6.0
confluence-publisher:2.0.6
github-branch-source:2.11.1
email-ext:2.83
blueocean-i18n:1.24.7
nested-view:1.20
timestamper:1.13
plugin-util-api:2.3.0
github-api:1.123
bootstrap5-api:5.0.1-2
Office-365-Connector:4.15.0
pitmutation:1.0-18
token-macro:2.15
aws-credentials:1.29
antisamy-markup-formatter:2.1
blueocean-commons:1.24.7
workflow-support:3.8
junit:1.50
pipeline-model-extensions:1.8.5
slack:2.48
blueocean-pipeline-editor:1.24.7
git-server:1.9
maven-plugin:3.12
blueocean-events:1.24.7
jjwt-api:0.11.2-9.c8b45b8bb173
jackson2-api:2.12.3
pipeline-maven:3.10.0
sse-gateway:1.24
blueocean-git-pipeline:1.24.7
basic-branch-build-strategies:1.3.2
blueocean-bitbucket-pipeline:1.24.7
pipeline-graph-analysis:1.11
workflow-basic-steps:2.23
cloudbees-bitbucket-branch-source:2.9.9
blueocean-jwt:1.24.7
durable-task:1.37
mattermost:3.1.1
fitnesse:1.34
git-client:3.7.2
m2release:0.16.2
kubernetes-client-api:5.4.1
multibranch-scan-webhook-trigger:1.0.5
blueocean-rest:1.24.7
okhttp-api:3.14.9
datadog:2.13.0
mashup-portlets-plugin:1.1.2
pipeline-rest-api:2.19
performance:3.19
run-condition:1.5
apache-httpcomponents-client-4-api:4.5.13-1.0
jenkins-design-language:1.24.7
pipeline-stage-view:2.19
metrics:4.0.2.8
github-scm-trait-commit-skip:0.4.0
simple-theme-plugin:0.6
structs:1.23
git-parameter:0.9.13
htmlpublisher:1.25
cucumber-reports:5.5.0
blueocean-core-js:1.24.7
mailer:1.34
nvm-wrapper:0.1.7
workflow-aggregator:2.6
extended-choice-parameter:0.82
generic-webhook-trigger:1.74
trilead-api:1.0.13
configuration-as-code:1.51
pipeline-build-step:2.13
ghprb:1.42.2
github-oauth:0.33
pipeline-githubnotify-step:1.0.5
build-user-vars-plugin:1.7
ace-editor:1.1
blueocean-dashboard:1.24.7
snakeyaml-api:1.29.1
javadoc:1.6
echarts-api:5.1.2-2
amazon-ecr:1.6
blueocean-web:1.24.7
conditional-buildstep:1.4.1
forensics-api:1.1.0
pipeline-stage-tags-metadata:1.8.5
handy-uri-templates-2-api:2.1.8-1.0
workflow-scm-step:2.13
ssh-credentials:1.19
authorize-project:1.4.0
workflow-step-api:2.23
variant:1.4
envinject-api:1.7
ssh-agent:1.23
bouncycastle-api:2.20
cloudbees-folder:6.15
workflow-multibranch:2.26
blueocean-rest-impl:1.24.7
popper-api:1.16.1-2
font-awesome-api:5.15.3-3
workflow-cps-global-lib:2.21
workflow-job:2.41
display-url-api:2.3.5
build-timeout:1.20
uno-choice:2.5.6
workflow-api:2.46
copyartifact:1.46.1
role-strategy:3.1.1
credentials:2.5
envinject:2.4.0
lockable-resources:2.11
dashboard-view:2.17
data-tables-api:1.10.25-1
sonar:2.13.1
blueocean-pipeline-scm-api:1.24.7
plain-credentials:1.7
workflow-durable-task-step:2.39

Reproduction steps

Results

Expected result:

Having an issue with Jenkins checking for plugin updates due to an issue with the allure plugin certificate that expired on the 27th June 2021. After removing the plugin from the plugin version list and the configuration of the tool from the casc configuration, the error disappeared. Version 2.28.1 of the plugin has the same result.

tool:
  allure:
    installations:
    - name: "allure"
      properties:
      - installSource:
          installers:
          - allureCommandlineInstaller:
              id: "2.13.9"

Jenkins starts up with just that error in the console logs. Checking the UI, we have the following error on the plugins page: (image)

Actual result:

2021-06-29 09:11:39.105+0000 [id=80]    WARNING h.m.DownloadService$Downloadable#updateNow: signature check failed for https://updates.jenkins.io/updates/ru.yandex.qatools.allure.jenkins.tools.AllureCommandlineInstaller.json
ERROR: Signature verification failed in downloadable 'ru.yandex.qatools.allure.jenkins.tools.AllureCommandlineInstaller' (show details)
java.security.cert.CertificateExpiredException: NotAfter: Sun Jun 27 12:02:28 CEST 2021
    at java.base/sun.security.x509.CertificateValidity.valid(CertificateValidity.java:277)
    at java.base/sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:675)
    at java.base/sun.security.provider.certpath.BasicChecker.verifyValidity(BasicChecker.java:190)
    at java.base/sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:144)
    at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
Caused: java.security.cert.CertPathValidatorException: validity check failed
    at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
    at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:224)
    at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:144)
    at java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:83)
    at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
    at org.jvnet.hudson.crypto.CertificateUtil.validatePath(CertificateUtil.java:93)
    at jenkins.util.JSONSignatureValidator.verifySignature(JSONSignatureValidator.java:89)
    at hudson.model.DownloadService$Downloadable.updateNow(DownloadService.java:388)
    at hudson.PluginManager.checkUpdatesServer(PluginManager.java:1895)
    at hudson.util.Retrier.start(Retrier.java:63)
    at hudson.PluginManager.doCheckUpdatesServer(PluginManager.java:1859)
    at jenkins.DailyCheck.execute(DailyCheck.java:93)
    at hudson.model.AsyncPeriodicWork.lambda$doRun$0(AsyncPeriodicWork.java:100)
    at java.base/java.lang.Thread.run(Thread.java:829)
    at hudson.util.FormValidation._errorWithMarkup(FormValidation.java:269)
    at hudson.util.FormValidation._error(FormValidation.java:201)
    at hudson.util.FormValidation.error(FormValidation.java:191)
    at jenkins.util.JSONSignatureValidator.verifySignature(JSONSignatureValidator.java:138)
    at hudson.model.DownloadService$Downloadable.updateNow(DownloadService.java:388)
    at hudson.PluginManager.checkUpdatesServer(PluginManager.java:1895)
    at hudson.util.Retrier.start(Retrier.java:63)
    at hudson.PluginManager.doCheckUpdatesServer(PluginManager.java:1859)
    at jenkins.DailyCheck.execute(DailyCheck.java:93)
    at hudson.model.AsyncPeriodicWork.lambda$doRun$0(AsyncPeriodicWork.java:100)
    at java.base/java.lang.Thread.run(Thread.java:829)

UPDATE:

Found that the error is triggered by Jenkins core code here. It seems that the issue might come from some kind of file generated by Allure. Maybe this function triggers the generation of the faulty XML file? ru.yandex.qatools.allure.jenkins.tools.AllureCommandlineInstaller

Thanks

HristoStoyanovMM commented 3 years ago

We have encountered the exact same problem.

ThomasPatzig commented 3 years ago

I have found the root issue. It will be very cool if you find a solution very soon.

nenych commented 3 years ago

Also can't install Allure plugin, error:

ERROR: Signature verification failed in downloadable 'ru.yandex.qatools.allure.jenkins.tools.AllureCommandlineInstaller' (show details)

java.security.cert.CertificateExpiredException: NotAfter: Sun Jun 27 10:02:28 UTC 2021
at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:277)
at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:677)
at sun.security.provider.certpath.BasicChecker.verifyValidity(BasicChecker.java:190)
at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:144)
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
Caused: java.security.cert.CertPathValidatorException: validity check failed
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:233)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:141)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
at org.jvnet.hudson.crypto.CertificateUtil.validatePath(CertificateUtil.java:93)
at jenkins.util.JSONSignatureValidator.verifySignature(JSONSignatureValidator.java:89)
at hudson.model.DownloadService$Downloadable.updateNow(DownloadService.java:388)
at jenkins.DailyCheck.execute(DailyCheck.java:84)
at hudson.model.AsyncPeriodicWork.lambda$doRun$0(AsyncPeriodicWork.java:100)
at java.lang.Thread.run(Thread.java:748)
at hudson.util.FormValidation._errorWithMarkup(FormValidation.java:269)
at hudson.util.FormValidation._error(FormValidation.java:201)
at hudson.util.FormValidation.error(FormValidation.java:191)
at jenkins.util.JSONSignatureValidator.verifySignature(JSONSignatureValidator.java:138)
at hudson.model.DownloadService$Downloadable.updateNow(DownloadService.java:388)
at jenkins.DailyCheck.execute(DailyCheck.java:84)
at hudson.model.AsyncPeriodicWork.lambda$doRun$0(AsyncPeriodicWork.java:100)
at java.lang.Thread.run(Thread.java:748)

felipecrs commented 3 years ago

Exact same error here. One workaround is to add -Dhudson.model.DownloadService.noSignatureCheck=true to JAVA_OPTS, but it is a workaround, the definitive solution must come from the plugin I think.

HristoStoyanovMM commented 3 years ago

> Exact same error here. One workaround is to add -Dhudson.model.DownloadService.noSignatureCheck=true to JAVA_OPTS, but it is a workaround, the definitive solution must come from the plugin I think.

That's a security threat from my perspective. In fact, I wouldn't update any plugins except allure until this problem is resolved, as I might install/update something published by a bad actor.
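
For triage of the error discussed in this thread, the following sketch (an added example, not part of the thread and not Jenkins code) pulls the failing URL and the certificate NotAfter time out of log lines, and checks whether a JAVA_OPTS string carries the noSignatureCheck workaround. The sample log is constructed from the lines quoted in this issue, the function names are hypothetical, and it assumes the flag value is parsed like Java's Boolean.parseBoolean and that the last repeated -D wins.

```python
import re
import shlex
from datetime import datetime, timezone

FLAG = "hudson.model.DownloadService.noSignatureCheck"  # property named in the thread

# Constructed sample, modelled on the log lines quoted in this issue.
SAMPLE_LOG = """\
2021-06-29 09:11:39.105+0000 [id=80]    WARNING h.m.DownloadService$Downloadable#updateNow: signature check failed for https://updates.jenkins.io/updates/ru.yandex.qatools.allure.jenkins.tools.AllureCommandlineInstaller.json
ERROR: Signature verification failed in downloadable 'ru.yandex.qatools.allure.jenkins.tools.AllureCommandlineInstaller' (show details)
java.security.cert.CertificateExpiredException: NotAfter: Sun Jun 27 10:02:28 UTC 2021
    at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:277)
"""

WARN_RE = re.compile(r"^(\S+ \S+) .*signature check failed for (\S+)")
EXPIRED_RE = re.compile(r"CertificateExpiredException: NotAfter: (.+)$")


def signature_failures(log_text):
    """Return one record per 'signature check failed' warning, with the
    certificate NotAfter attached when an expiry exception follows it."""
    records = []
    for line in log_text.splitlines():
        if m := WARN_RE.search(line):
            records.append({"logged_at": m.group(1), "url": m.group(2), "not_after": None})
        elif (m := EXPIRED_RE.search(line)) and records:
            raw = m.group(1).strip()
            try:
                records[-1]["not_after"] = datetime.strptime(
                    raw, "%a %b %d %H:%M:%S UTC %Y").replace(tzinfo=timezone.utc)
            except ValueError:
                records[-1]["not_after"] = raw  # non-UTC zone name (e.g. CEST): keep as logged
    return records


def signature_check_disabled(java_opts):
    """True if JAVA_OPTS sets the noSignatureCheck property to 'true'.
    Assumptions: only the value 'true' (any case) enables the flag, and
    when the same -D option is repeated the last occurrence wins."""
    value = None
    for tok in shlex.split(java_opts):
        name, _, val = tok.partition("=")
        if name == "-D" + FLAG:
            value = val
    return value is not None and value.lower() == "true"
```

A record whose not_after lies shortly before logged_at points to an expired signing certificate on the update site side rather than a local change, and a true result from signature_check_disabled means the instance is accepting unsigned update metadata for every downloadable.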

ThomasPatzig commented 3 years ago

For now it looks like it is fixed from another side...

see issue on jenkins.io

https://issues.jenkins.io/browse/JENKINS-60229

ricardojdsilva87 commented 3 years ago

Hello, I can confirm that the issue is now gone after re-enabling the plugin installation. Haven't changed a thing in my configuration. Will close the ticket. Thanks