Add support for SHA-256/512 in update site metadata #3356
If the update site metadata provides SHA-512 or SHA-256 checksums, check those.
This is intended as a security hardening. SHA-1 isn't a good choice anymore.
Companion PR in infra: jenkins-infra/update-center2#191. As Jenkins will continue to support update sites that only provide SHA-1 (for now, and with a warning), they could be merged independently, but probably should not be.
Proposed changelog entries
referenced this pull request
Mar 17, 2018
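The checksum preference described in the pull request description above, as an added Java example that is not code from this pull request or from Jenkins: the strongest digest the metadata provides decides the result, and a SHA-1-only match is reported as weak so the caller can warn. The metadata field names `sha1`, `sha256` and `sha512`, their Base64 encoding, and the `ChecksumPolicy` class are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Map;

// Added example, not Jenkins code. Field names and Base64 encoding are assumptions.
public class ChecksumPolicy {
    enum Result { OK, OK_WEAK_SHA1, MISMATCH, NO_CHECKSUM }

    // Metadata field -> JCA algorithm name, strongest first.
    private static final String[][] PREFERENCE = {
        {"sha512", "SHA-512"}, {"sha256", "SHA-256"}, {"sha1", "SHA-1"}
    };

    static Result verify(byte[] file, Map<String, String> metadata) throws NoSuchAlgorithmException {
        for (String[] p : PREFERENCE) {
            String expected = metadata.get(p[0]);
            if (expected == null) continue; // site does not publish this digest
            byte[] want;
            try {
                want = Base64.getDecoder().decode(expected);
            } catch (IllegalArgumentException e) {
                return Result.MISMATCH; // malformed value fails closed
            }
            byte[] actual = MessageDigest.getInstance(p[1]).digest(file);
            // The strongest digest present decides alone: a matching SHA-1
            // must never rescue a file whose SHA-512 does not match.
            if (!MessageDigest.isEqual(actual, want)) return Result.MISMATCH;
            return p[0].equals("sha1") ? Result.OK_WEAK_SHA1 : Result.OK;
        }
        return Result.NO_CHECKSUM;
    }

    static String b64(String alg, byte[] data) throws NoSuchAlgorithmException {
        return Base64.getEncoder().encodeToString(MessageDigest.getInstance(alg).digest(data));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data standing in for a downloaded plugin file.
        byte[] plugin = "constructed plugin bytes".getBytes(StandardCharsets.UTF_8);
        byte[] other = "constructed tampered bytes".getBytes(StandardCharsets.UTF_8);
        Map<String, String> modern = Map.of("sha1", b64("SHA-1", plugin), "sha512", b64("SHA-512", plugin));
        Map<String, String> mixed = Map.of("sha1", b64("SHA-1", other), "sha512", b64("SHA-512", plugin));
        System.out.println("SHA-512 published, intact file:  " + verify(plugin, modern));
        System.out.println("SHA-1 only, intact file:         " + verify(plugin, Map.of("sha1", b64("SHA-1", plugin))));
        System.out.println("SHA-1 matches, SHA-512 does not: " + verify(other, mixed));
        System.out.println("no checksum published:           " + verify(plugin, Map.of()));
    }
}
```

A caller would treat `OK_WEAK_SHA1` as the point to emit the warning the description mentions, and decide separately whether `NO_CHECKSUM` is acceptable.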
@oleg-nenashev This is on-hold because it depends on the corresponding PR to Jenkins project infra. Timeline:
This is ready to be reviewed etc. -- in fact, I invite feedback before I make infra changes.
What is the reason for the partial SHA-256 support if the update center only has SHA-1 and SHA-512 after jenkins-infra/update-center2#196? Is it so that if we eventually add SHA-256 back to the update center we don't have to modify as much code on the Jenkins side? Other than that question the changes look good to me.
I forgot to adapt the tool installer metadata as well, so on-holding this while Jenkins would show messages like this: