feat(package) publish the WAR signature file #830

Merged: dduportal merged 1 commit into master from feat/war-pgp-signatures, Dec 29, 2025

@dduportal dduportal commented Dec 28, 2025

Ref. jenkins-infra/helpdesk#4055

Requires jenkinsci/packaging#462 before being merged

This PR is related to jenkinsci/packaging#462: It changes the utils/release.bash script to add the download of the WAR's signature file (generated by Maven during the "release" process) next to the WAR file (same filename with an added suffix .asc).

It allows publishing the GPG signature of the WAR file along with the GPG key used to sign the WAR during the Maven release process.


Validations (run with jenkinsci/packaging@c8f0063):

  • Ran a weekly build with the "staging only" (+ no windows + line set to "weekly" and version set to "latest"). Result shows we have both the "asc" file and the public GPG key published (both can be used to verify the WAR downloaded file):
    [Screenshot 2025-12-29 at 11 23 56]
  • Ran an LTS build with the "staging only" (+ no windows + line set to "stable" and version set to "2.528.3"). Result shows we have both the "asc" file and the public GPG key published (both can be used to verify the WAR downloaded file):
    [Screenshot 2025-12-29 at 11 58 34]

Note: I've tried to add a verification of the downloaded WAR initially, but I had to solve the case of "current LTS uses an old GPG key", which is an edge case. So I've removed the verification from this PR and we'll add it back after 2.541.1.
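
Added example, not code from this PR or from utils/release.bash: one way a downloader could use the published `.asc` file and public key to check a WAR, importing the key into a throwaway keyring and pinning the signer's fingerprint. The function names, the argument order and the fingerprint value are assumptions; the expected fingerprint is supplied by the caller, so a release line signed with a different key is pinned to that key's own fingerprint.

```shell
# Added example: verify a WAR against its detached .asc signature.
# All file names and the fingerprint are caller-supplied (hypothetical).

# Decide from `gpg --status-fd` lines on stdin whether to accept the signature.
# $1 = expected primary-key fingerprint (40 hex characters, no spaces).
check_status() {
  awk -v want="$(printf '%s' "$1" | tr 'a-f' 'A-F')" '
    $1 != "[GNUPG:]" { next }
    # Any of these means the signature or its key must not be trusted,
    # even when a VALIDSIG line is also present.
    $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
    # VALIDSIG carries the primary key fingerprint as its last (12th) field.
    $2 == "VALIDSIG" && NF >= 12 && toupper($NF) == want { ok = 1 }
    END { exit !(ok && !bad) }
  '
}

# $1 = WAR file, $2 = .asc signature, $3 = public key file, $4 = fingerprint.
# Runs in a subshell so the temporary keyring is always cleaned up.
verify_war() (
  home=$(mktemp -d) || exit 2
  trap 'rm -rf "$home"' EXIT
  # Throwaway keyring: only the key given in $3 can satisfy the check,
  # regardless of what is in the user's own keyring.
  gpg --homedir "$home" --batch --quiet --import "$3" 2>/dev/null || exit 2
  # gpg's own exit code is ignored on purpose; the status lines decide.
  gpg --homedir "$home" --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
    check_status "$4"
)
```

Called as `verify_war jenkins.war jenkins.war.asc KEYFILE FINGERPRINT`, it returns 0 only when the signature is valid and was made by the pinned key; the fingerprint should come from a channel other than the download location itself.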

@dduportal dduportal changed the title from "Feat/war pgp signatures" to "feat(package) publish the WAR signature file" Dec 29, 2025
Signed-off-by: Damien Duportal <damien.duportal@gmail.com>
@dduportal dduportal force-pushed the feat/war-pgp-signatures branch from 30ce450 to 84be322 December 29, 2025 10:55
@dduportal dduportal marked this pull request as ready for review December 29, 2025 19:54
@dduportal dduportal requested a review from a team as a code owner December 29, 2025 19:54
@dduportal dduportal force-pushed the feat/war-pgp-signatures branch from 84be322 to aada25f December 29, 2025 19:54
@dduportal
Contributor Author

Removed the debug commit 84be322 (which was testing jenkinsci/packaging#462): ready to review

@dduportal dduportal merged commit c5106c1 into master Dec 29, 2025
2 checks passed
@dduportal dduportal deleted the feat/war-pgp-signatures branch December 29, 2025 19:56
@lemeurherve lemeurherve added release-version:2.541.1 Indicate that this has been or will be used for this Jenkins Core LTS release. release-version:2.544 Indicate that this has been or will be used for this Jenkins Core Weekly release. labels Jan 8, 2026