timja / jenkins-gh-issues-poc-06-18


[JENKINS-55659] Tool downloads are vulnerable to tampering #4212

Open timja opened 5 years ago

timja commented 5 years ago

The list of references to external tools on the update site is neither signed nor hashed. This makes the tool installer vulnerable to tampering. First, content should be signed to prevent malicious third parties from modifying it and redirecting Jenkins to download from unknown sources. Contents of URLs should also be hashed to prevent malicious modifications at the download source.


Originally reported by skorhone, imported from: Tool downloads are vulnerable to tampering
  • status: Open
  • priority: Minor
  • resolution: Unresolved
  • imported: 2022/01/10
timja commented 5 years ago

danielbeck:

The list of references to external tools on the update site is neither signed nor hashed. This makes the tool installer vulnerable to tampering. First, content should be signed to prevent malicious third parties from modifying it and redirecting Jenkins to download from unknown sources.

You're describing how it works today. In fact, INFRA-1944 demonstrates that Jenkins cares a lot about the signatures.

Contents of URLs should also be hashed to prevent malicious modifications at the download source.

Reasonable RFE. Likely not possible to do in core, but rather up to individual implementations.

timja commented 5 years ago

danielbeck:

Notably, a while back we moved all possible URLs to HTTPS to further limit problems. Since we're not actually providing the binaries ourselves, providing content hashes seems to invite problems in case they're ever (legitimately) changed.

timja commented 5 years ago

skorhone:

Is there an API in Jenkins that plugins are using to download tools? If so, would it be possible to add a feature similar to scripts (script security)? Having administrators approve tool installs and checksums might not be such a bad idea.

timja commented 5 years ago

danielbeck:

If you don't trust the publicly provided installer URLs, don't configure them. You can always use the "Download and extract a zip file" installer at a location you control.
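Two points in the thread above, danielbeck's remark that content hashing is "up to individual implementations" and skorhone's suggestion that administrators approve tool installs and checksums, come down to the same step: pin a digest for the archive and refuse to extract it on mismatch. The script below is an added example, not code from Jenkins or from anyone in this thread. It shows that step in POSIX shell for an archive hosted at a location you control: fetch (with `curl` for `https://` sources, or a plain copy for a local path so the flow runs offline), verify the SHA-256 against the pinned value, and only then extract. The function names, the constructed `tool-1.0.tar.gz` sample archive, and the simulated tampering are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Jenkins project code): pin a SHA-256 digest for a tool
# archive you host yourself and refuse to extract it unless the digest matches.

# Print the hex SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_tool_archive FILE EXPECTED_SHA256 -> 0 on match, 1 on mismatch.
# On mismatch the file is deleted so no later step can extract it by accident.
verify_tool_archive() {
  file=$1
  expected=$2
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  printf 'refusing %s: expected sha256 %s, got %s\n' "$file" "$expected" "$actual" >&2
  rm -f "$file"
  return 1
}

# install_tool SOURCE EXPECTED_SHA256 DEST_DIR -> 0 only if the archive was
# fetched, verified and extracted. SOURCE is an https:// URL (fetched with
# curl) or a local path (copied). Nothing is extracted before verification.
install_tool() {
  src=$1
  expected=$2
  dest=$3
  tmp=$(mktemp)
  case $src in
    https://*) curl -fsSL -o "$tmp" "$src" || { rm -f "$tmp"; return 1; } ;;
    *)         cp "$src" "$tmp" || { rm -f "$tmp"; return 1; } ;;
  esac
  verify_tool_archive "$tmp" "$expected" || return 1
  mkdir -p "$dest" && tar -xzf "$tmp" -C "$dest"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Constructed sample: a tiny "tool" archive standing in for a real download.
# Prints the path of the archive it created.
make_sample_archive() {
  work=$(mktemp -d)
  mkdir -p "$work/tool-1.0/bin"
  printf '#!/bin/sh\necho tool 1.0\n' > "$work/tool-1.0/bin/tool"
  chmod +x "$work/tool-1.0/bin/tool"
  tar -czf "$work/tool-1.0.tar.gz" -C "$work" tool-1.0
  printf '%s\n' "$work/tool-1.0.tar.gz"
}

# Demo: the administrator records the digest of the archive they host (the
# "pin"); a later install succeeds, and an archive modified at the download
# source is rejected because the pin no longer matches.
archive=$(make_sample_archive)
pinned=$(sha256_of "$archive")
dest=$(mktemp -d)
install_tool "$archive" "$pinned" "$dest" && echo "installed: $(ls "$dest")"
printf 'x' >> "$archive"   # simulate tampering at the download source
install_tool "$archive" "$pinned" "$dest" || echo "tampered archive rejected"
```

The pin lives with the tool configuration, not next to the archive, so an attacker who can replace the file at the download source cannot also update the digest. This also illustrates danielbeck's caveat: if the upstream archive is legitimately republished, the pin must be updated by hand, which is workable for an archive you host yourself and awkward for third-party URLs that may change without notice.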