Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Verify Artifactory download before publishing #535

Open
basil opened this issue May 1, 2024 · 3 comments
Open

Verify Artifactory download before publishing #535

basil opened this issue May 1, 2024 · 3 comments
Labels
feature

Comments

@basil
Copy link
Contributor

basil commented May 1, 2024

While reading this code to review an unrelated PR, I noticed that the package job in the release repository downloads the WAR file produced by the release job in the release repository from Artifactory using the jv tool, which does not appear to do any certificate verification or checksum verification. This means that any problem in the download would not be detected. For example, if the server closes the connection and we get a truncated file, we would likely happily drive on to publish that truncated WAR file. Or if, for some reason, there was a bit flip or filesystem corruption on the downloaded file (a phenomenon that seems unlikely but which I have personally observed with my own two eyes multiple times in my career), we would happily publish the corrupt artifact.

After downloading the WAR file from Artifactory with jv, we should verify it somehow—either by checksum or by verifying the GPG signature.
@basil basil added the feature label May 1, 2024
@basil
Copy link
Contributor Author

basil commented May 1, 2024

You would hope that

mvn dependency:get -Dartifact=org.jenkins-ci.main:jenkins-war:${JENKINS_VERSION}:war -DremoteRepositories=repo.jenkins-ci.org::default::https://repo.jenkins-ci.org/releases -Dtransitive=false

somehow does checksum validation, but based on https://maven.apache.org/resolver/expected-checksums.html it appears to be implemented only for Sonatype Nexus 2 ETag headers, and I confirmed the ETag returned by Artifactory does not match the expected format.

Artifactory does store checksums, and provides them via its REST API, so one option would be to fetch the SHA1 checksum with the Artifactory REST API and then verify the download with it.

Experimental observation with wget -S https://repo.jenkins-ci.org/releases/org/jenkins-ci/main/jenkins-war/2.452/jenkins-war-2.452.war shows that Artifactory seems to send the MD5 checksum in an ETag header, but it's unclear whether that is a stable API that can be relied on or merely a side effect of Artifactory using S3 storage, which defaults to providing an MD5 checksum in an ETag header but may be subject to change in the future.

@basil
Copy link
Contributor Author

basil commented May 1, 2024

I confirmed that Artifactory provides an accurate SHA256 checksum via curl -s https://repo.jenkins-ci.org/api/storage/releases/org/jenkins-ci/main/jenkins-war/2.452/jenkins-war-2.452.war | jq -r .checksums.sha256 so this seems like the most straightforward option.

@basil
Copy link
Contributor Author

basil commented May 1, 2024

I seem to have stumbled on an even simpler way to get it from Artifactory: wget https://repo.jenkins-ci.org/releases/org/jenkins-ci/main/jenkins-war/2.452/jenkins-war-2.452.war.sha256.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@basil