Add support for SHA-256/512 in update site metadata

[daniel-beck]

If the update site metadata provides SHA-512 or SHA-256 checksums, check those.

This is intended as a security hardening. SHA-1 isn't a good choice anymore.

Companion PR in infra: jenkins-infra/update-center2#191. As Jenkins will continue to support update sites that only provide SHA-1 (for now, and with a warning), they could be merged independently, but probably should not be.

Proposed changelog entries

• RFE: Check SHA-512 or SHA-256 checksums of update site metadata and core and plugin downloads if the update site provides them.

Submitter checklist

• [n/a] JIRA issue is well described
• Changelog entry appropriate for the audience affected by the change (users or developer, depending on the change). Examples
  * Use the Internal: prefix if the change has no user-visible impact (API, test frameworks, etc.)
• Appropriate autotests or explanation to why this change has no tests
• [n/a] For dependency updates: links to external changelogs and, if possible, full diffs

[Wadeck]

🐝 nothing seems weird.

Build failed but no errors are shown...

[oleg-nenashev]

@daniel-beck is it still on hold?

[daniel-beck]

@oleg-nenashev This is on-hold because it depends on the corresponding PR to Jenkins project infra. Timeline:

1. merge update-center2 PR
2. Run this PR build and confirm it works as expected against a live UC
3. Merge this.

This is ready to be reviewed etc. -- in fact, I invite feedback before I make infra changes.

[daniel-beck]

Corresponding infra change is merged.

@jenkinsci/code-reviewers Ping -- would like to land this this week.

[daniel-beck]

@rtyler objected to the massive increase in size of update-center.json, so I've followed up in jenkins-infra/update-center2#196 and need to adapt this PR.

[daniel-beck]

Rebased to current master.

I'm not convinced this needs adapting, will try the upcoming PR build.

[daniel-beck]

Un-onholding this. @jenkinsci/code-reviewers assemble!

[Wadeck]

🐝

[dwnusbaum]

What is the reason for the partial SHA-256 support if the update center only has SHA-1 and SHA-512 after jenkins-infra/update-center2#196? Is it so that if we eventually add SHA-256 back to the update center we don't have to modify as much code on the Jenkins side? Other than that question the changes look good to me.

[dwnusbaum]

Is the idea behind falling through here that if there is a SHA-512 collision that isn't also a SHA-256 or SHA-1 collision it will be caught by checking the other signatures?

[daniel-beck]

Basically, yes. Seems extremely unlikely that this is a likely case, but as the comment says, no real reason not to check the others, if they are defined.

[daniel-beck]

What is the reason for the partial SHA-256 support if the update center only has SHA-1 and SHA-512 after jenkins-infra/update-center2#196?

It's essentially free to support this way, and SHA-256 could be a desirable mode for some custom update sites.

[dwnusbaum]

It's essentially free to support this way, and SHA-256 could be a desirable mode for some custom update sites.

In that case, should we add support for SHA-256 to JSONSignatureValidator for consistency?

[daniel-beck]

In that case, should we add support for SHA-256 to JSONSignatureValidator for consistency?

That's probably a good idea. Let's see whether I can find the time to do this within this PR.

[dwnusbaum]

Looks good to me. I am fine with SHA-256 support being added to JSONSignatureValidator as a separate change.

[oleg-nenashev]

Looks good

[oleg-nenashev]

is it considered as weak now? Logging message would say so if there is no SHA-512

[oleg-nenashev]

I suggest to create a follow-up ticket to disable weak algorithms (e.g. via Security settings or system property)

[oleg-nenashev]

having one digest field and ENUM for type would simplify the logic below

[daniel-beck]

I forgot to adapt the tool installer metadata as well, so on-holding this while Jenkins would show messages like this:

INFO: JSON data source 'downloadable 'hudson.tasks.Maven.MavenInstaller'' does not provide a SHA-512 content checksum or signature. Looking for SHA-1.

[daniel-beck]

Un-onholding this, after releasing update-center2-2.0 and using it in jenkins-infra/crawler#77 tools metadata include the additional checksums.

Haven't attempted this PR build yet, but I expect this to resolve the problem from the previous comment.

[daniel-beck]

Jun 26, 2018 4:18:59 PM hudson.model.UpdateSite updateData
INFO: Obtained the latest update center data file for UpdateSource default
Jun 26, 2018 4:19:00 PM hudson.model.DownloadService$Downloadable load
INFO: Obtained the updated data file for hudson.tasks.Maven.MavenInstaller
Jun 26, 2018 4:19:00 PM hudson.model.DownloadService$Downloadable load
INFO: Obtained the updated data file for hudson.tasks.Ant.AntInstaller
Jun 26, 2018 4:19:01 PM hudson.model.DownloadService$Downloadable load
INFO: Obtained the updated data file for hudson.plugins.gradle.GradleInstaller
Jun 26, 2018 4:19:02 PM hudson.model.DownloadService$Downloadable load
INFO: Obtained the updated data file for hudson.tools.JDKInstaller

😃

[varyvol]

@daniel-beck please note the behavior for the 'verifyChecksums' method has changed, since no error was thrown previously if no SHA-1 was provided.