[JENKINS-75905] Include update site URL in signature verification in error messages (#25980)

* [JENKINS-75905] Include update site URL in signature verification error messages

* [JENKINS-75905] Include update site URL in signature verification error messages

* [JENKINS-75905] Include update site URL in signature verification error messages

* Use the non-deprecated getJsonSignatureValidator method and add @nonnull annotation

Use the non-deprecated getJsonSignatureValidator Add @nonnull annotation to the Throwable parameter in JSONSignatureValidator#getRootCauseMessage.

* Test both branches of message formatter

---------

Co-authored-by: Mark Waite <[email protected]>

Author: adhamahmad

core/src/main/java/hudson/model/UpdateSite.java

@@ -294,7 +294,29 @@ protected UpdateCenter.InstallationJob createInstallationJob(Plugin plugin, Upda
      */
     @Restricted(NoExternalUse.class)
     public final FormValidation verifySignatureInternal(JSONObject o) throws IOException {
-        return getJsonSignatureValidator().verifySignature(o);
+        FormValidation result = getJsonSignatureValidator(null).verifySignature(o);
+
+        if (result.kind == FormValidation.Kind.ERROR) {
+            String message = result.getMessage();
+            if (message != null) {
+//                String siteUrl = getUrl();
+                String updatedMessage;
+
+                if (message.contains("update site") && message.contains(" Path") && !message.contains(url)) {
+                    // Ensure the update site URL is included in error messages by replacing the site identifier in messages of the 'update site … Path' pattern or appending it otherwise.
+                    updatedMessage = message.replaceAll(
+                            "(update site\\s+).*?(\\s+Path)",
+                            "$1" + url + "$2"
+                    );
+                } else {
+                    // Do not alter message structure; only add URL context
+                    updatedMessage = message + " (URL: " + url + ")";
+                }
+                return FormValidation.error(updatedMessage);
+            }
+        }
+
+        return result;
     }
 
     /**

core/src/main/java/jenkins/util/JSONSignatureValidator.java

@@ -1,5 +1,6 @@
 package jenkins.util;
 
+import edu.umd.cs.findbugs.annotations.NonNull;
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.Util;
 import hudson.util.FormValidation;
@@ -138,7 +139,9 @@ public FormValidation verifySignature(JSONObject o) throws IOException {
             if (warning != null)  return warning;
             return FormValidation.ok();
         } catch (GeneralSecurityException e) {
-            return FormValidation.error(e, "Signature verification failed in " + name);
+            // Return a user-friendly error message without the full stack trace
+            String rootCauseMessage = getRootCauseMessage(e);
+            return FormValidation.error("Signature verification failed in " + name + ": " + rootCauseMessage);
         }
     }
 
@@ -321,5 +324,25 @@ protected Set<TrustAnchor> loadTrustAnchors(CertificateFactory cf) throws IOExce
         return anchors;
     }
 
+    /**
+     * Extracts a user-friendly message from an exception chain.
+     *
+     * @param e the exception to extract the message from
+     * @return a concise, readable error message
+     */
+    private String getRootCauseMessage(@NonNull Throwable e) {
+        Throwable cause = e;
+        while (cause.getCause() != null && cause.getCause() != cause) {
+            cause = cause.getCause();
+        }
+
+        String message = cause.getMessage();
+        if (message != null && !message.isEmpty()) {
+            return message;
+        }
+
+        return cause.getClass().getSimpleName();
+    }
+
     private static final Logger LOGGER = Logger.getLogger(JSONSignatureValidator.class.getName());
 }

test/src/test/java/hudson/model/UpdateSiteTest.java

@@ -24,6 +24,8 @@
 
 package hudson.model;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertNotEquals;
@@ -299,4 +301,45 @@ private PluginWrapper buildPluginWrapper(String name, String wikiUrl) {
                 new ArrayList<>()
         );
     }
+
+    @Test
+    void signatureVerificationFailureIncludesUpdateSiteUrl() throws Exception {
+        // Create an UpdateSite with an invalid/malformed signature that will trigger an error
+        URL url = new URL(baseUrl, "/plugins/invalid-signature-update-center.json");
+        UpdateSite site = new UpdateSite(UpdateCenter.ID_DEFAULT, url.toString());
+        overrideUpdateSite(site);
+
+        FormValidation validation = site.updateDirectlyNow(true);
+
+        assertEquals(FormValidation.Kind.ERROR, validation.kind);
+
+        String message = validation.getMessage();
+        assertNotNull(message);
+        assertTrue(
+                message.contains(url.toString()),
+                "Signature verification error should include update site URL"
+        );
+        assertThat(message, containsString("Empty input"));
+    }
+
+    @Test
+    void signatureVerificationFailureIncludesUpdateSiteUrlWithoutPath() throws Exception {
+        // Create an UpdateSite with an invalid/malformed signature that will trigger an error that involves Path
+        URL url = new URL(baseUrl, "/plugins/invalid-signature-update-center-core-cm.json");
+        UpdateSite site = new UpdateSite(UpdateCenter.ID_DEFAULT, url.toString());
+        overrideUpdateSite(site);
+
+        FormValidation validation = site.updateDirectlyNow(true);
+
+        assertEquals(FormValidation.Kind.ERROR, validation.kind);
+
+        String message = validation.getMessage();
+        assertNotNull(message);
+        assertTrue(
+                message.contains(url.toString()),
+                "Signature verification error should include update site URL"
+        );
+        assertThat(message, containsString("Path does not chain with any of the trust anchors"));
+    }
+
 }

test/src/test/resources/plugins/invalid-signature-update-center-core-cm.json

@@ -0,0 +1,20 @@
+{
+  "updateCenterVersion": 1,
+  "core": {
+    "name": "core",
+    "version": "2.541",
+    "url": "http://updates.jenkins.io/download/war/2.541/jenkins.war"
+  },
+  "plugins": {},
+  "signature": {
+    "correct_digest": "scNImoAz/AONJTUC+jwpX1ik1Mg=",
+    "correct_digest512": "0442f8003c5b707bdd7f8f06c096d51c3da1ad5715946ad226a8e4c8ce85a71a4db1cf4f7bf9565220a7339a2103780ae75e85a08c18e9642165c9f296660e56",
+    "certificates": [
+      "MIIFhDCCA2wCCQDGSFE7A358zjANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkRFMRgwFgYDVQQKDA9DbG91ZEJlZXMsIEluYy4xFjAUBgNVBAMMDXVwZGF0ZS1jZW50ZXIxNTAzBgkqhkiG9w0BCQEWJm9wZXJhdGlvbnMrdXBkYXRlLWNlbnRlckBjbG91ZGJlZXMuY29tMB4XDTIwMDUyOTAxMjgxNFoXDTMwMDUyNzAxMjgxNFowgYMxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJERTEYMBYGA1UECgwPQ2xvdWRCZWVzLCBJbmMuMRYwFAYDVQQDDA11cGRhdGUtY2VudGVyMTUwMwYJKoZIhvcNAQkBFiZvcGVyYXRpb25zK3VwZGF0ZS1jZW50ZXJAY2xvdWRiZWVzLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJyeG1X+jhC6NdNTyYRP0iPBF8j1gt9BGsGfTktdwpHpHSfHWwn2S3SAkAGVpck6kOWudejHvKmaAHMEiON0T4RHLnOc0BRd5W/BOzyVgB0eytkjSANeB9UIRNuCZoUM8NdNCyAcr9fmsns6jVRzCwnuyxeXFvGYgikzoO/ZC0/vsyAHp/2AzvgTE/7tFuJYHuvQ8ACfSPRgSQ3rc0hpSnSVV1UqTwrE/1AIhEjisNRXc6eMxlStFIsVuRkdaJRr7pi6W0mFmQr2gFtDHJkqX2nwHqNPzuJ7AVF2VXlh4j7GecDxwVdtVKdQEuCxn7IbX8UbWLcA/IwBnR8ZaHUr1KER+LjTIjwXlQnv3wAoz3YqCvgvKlx1HVTtf/PVlJG0STiPHZtwSqJpgXjQ+XLXCW1gsevDR2fyyddxC5p21AvQ480SGY1cRuesTEpoZjTYW4jNJsb8JKhyyAM50GHYWIgCyCavgHH+da+J7kgSqVmBIgum9Ws4Mh6AQHTUcxozff3vIUnRU8B5Lg20q4UZqDrFHKxQMyvEFXBmGIsqw6EtPTKzPWIq/noq2YT4mrpi1iFDPd8phHuy7IIDqmHPP0GvcL9f/QUDysmVgOuOQShtFhA5ZX2KHJ4sjtPDzYq/EjStI+tytR10aV12a/iL4eBfNlhP0UiPVhw2hLg3xMLBAgMBAAEwDQYJKoZIhvcNAQELBQADggIBAHGSLYRRZ032pmbwHY8yg9+z7P2TljaYA4dI5/WUmev0oNyEwEwcbMhhLq1yIG9bDjo65WFYyNijX7eJHGSTR2clRLRZ67N2z4hOkymgLbpXgCoyAr7Pgkl2sxz3lW/VPTN7ZFl37ZkbsUuSFy5BnNXkISh5bDATX9JCJCPYzdVKBbjd2kyMeiOz7Gf/SYOEBvp/vgz3gqv5ZLQIEKFmZT2imiELmfgO0uuVlCgJWU9PDGEb2MW4Td0v0hzL5aycYQSl0bAbiTSqofSIOUdniELYJEtn0G/tdxY5ZnlgEP8jdSNlsnESArjyxGJanwxzQdMps6MaTxew+tYPzjMACEQaLeNUHmLtlMRFaqWPcOj85XZ3qzBwwOESFq3NQu8NZcOJrNr84AHFkPnE90gSNaZlA2XJReioGViBmo421LypKobjbny0z2L2jvQ7lI23Hdt4DA34cB6dlPg/6Vi9PyhokeNTL5VZCGpU8WzhMoxq/4pNLawq2suE92OeYuWDz2v65OJWJe1EEXQhX5H8G1001pv2OD+p5xew/QfDxshCsi3hPVRSB1qVquMgmhOBCnq1j/ocGOubLKQ0WpeSUYDynVrfpvQ1rCW+Sbz0fEduMPrD8c+2+v/U6NFDxqZCtooRbtNQeKuyJYtKoB6VuUAWHOqi95lCirlplY2Mjljn"
+    ],
+    "correct_signature": "ZDSVZkFRPiIbwDkpwfj0B3B/PvGc5mNpNvR6tcxCn2LKDWKeYXu/MJzsna+3ElohT+QXzzvKvw5oiAkhvTQ0l9o/jOhBzMiS8dYl6uVebdb70DVgoLrNe02DqxXoMTkXLOnZ/tpGRrWxPhi2dMy6bUt5aBl6gGbiog3OSlA+TafO/KH4yxK5/0cv8kfUW3c6HopY5rRq4z6RUXTPaljO1iVE91w3QYrDahhHBBC3UPetfslEWSliTgckUFojfdX/67hR1921lgL2ITxGtOS4j+dO9ydUVAaY6McAU1kJVrljY9IwsLxMaENrAL7otXG2xKBBCskTNcrizODuyzIg7LHOOVX6/EIzTN+o9RZG4b5zxwQZq5NS4yldbPpXPZuXnezCWr8qndwK3pqbiwmvLiBcsFCrnz7e2ixiAs7c6ZY6srb5WScVywZeLHwhpISEBPZe4ejvWQRHaDanca15IKeqARJKL8H/Jti1aUHqrLkH92s8FWaEL25TrMXb5u2r15qpL6OCMP+5O2jEnVl0ajkkNb/BBqUPuPXsg5vo8tkuk7gylNrK0LSM/t49gdYGBE/Cp2GgvGwfhasM27Os+J1TnIs0Bqsl125CwWxa7aXql39JQ/t12ekAUZvgziTGY1LHO4V7YMWTdiBdr57LKudFpFJZGXsPMkupi8mtlCU=",
+    "correct_signature512": "0403e57342c6610922a4ca1c647b075923baa9d38ba50a9b5eb3fd2cd4154febf60434d3d9dc2e15db536128191f69a0bafe119cba7b7d887b8b0d38ebac0855da7b6f958afe06a48362cee018159628852fa593e58e56aa8cf94c978f344e906db8559b69d72971b918322e7108a23fb124022b2f442f73f12e5a34af0385295954f7347da4ff0faf33db8c2dc1c1684551a0018c30fd2d39117717b092c42e20c6d78506d89d942d30c66295c5e04cfd655259e4a4a263a85a7b3a89377ae067279989a164ab46ae34edbed7f722f3c4f2bbd9d59412559eeaed03ef5e743602c54d0222d010ce0c010576a682b9979654e976aa418deb0de5069139031e04a61d26904e70bdca2168dc434f5955c6f39f6c6fe45b6014702b5afedfa2f89763f2e43fbb82d47858a1fd0bd04bea05a4f23d207d28c3246a99c2b2ac84a4fa16da292148074afd358728a2844ef985bf9a1479d6cf1bb1d7acc48c9731e2a9906f8beac110d91c851736bfd12508ae08c669d89a74a347a764b1f4be5fe01829ab0f80e6da5e2abafeb045a50b066ec3d6a6a95254fdc57e898eaf91b48d8585ef74b9ab1feecea2583c37be77d7c295c5918d492e01515b76877508d8af3bedddf1f2c56453ffa88505df9b2d8865e5a9970af0875cbfa596afe10326befbea4970cb2160b59cbff683b351d0a3b872039934cfff668dfe92c3f4d4abd262",
+    "digest": "216DEgEmoe6+B+96+1RFOIKCqmY=",
+    "signature": "X4RsFd2sxBMy2BaUeW64hvzP+VUg/nS0KSoKnCo26nt5G5qXvJ9TVb9ifMuLdFnk2kPMGOh/NZ5rfPFdVhLPRkcpg9saAXYcMYj4Nfg6gzlgBjsGzcmaQ6ky2q2qTIEXGZcjKTql99uap9hMXKaXDdgcfVE22mV92dvASazz1KX3fM37sticmC6eJF+Fj1OFx2BPjzPaNKZyXuwqMe7X3SG70fY0bbcc6TfOXSHWOI3WS0T7N13Br0cD/kx+r8sKDv73kkx/anI0VxxaGXcttZ9M9q/ubqRDju6dLubXP+5rTzQmphpwwUPz4t4mv0Acp8/E35Rp5SELn45cUJTyb2anxPOVB84gKBaeN9G+fitEmQkEt2jLnidcKTbNfgPUXWAkUnCuPbl7W7zeRQ4dnEQoCfkswS3Q5qoE8R0d76G//R8p6oeQZL9akV4NHV9E22iu0l+eA8GTrX50TEApF1+iil/Y4CeHWyALBn/FYARig2L3W040O9GOPoBGpZ5qTFxA55es4h69ij84nt+uANJzypzRFV7DmhL97UKm4XV7ADB+UQ90pXvAoih510O0p1/67xdZcKx5URhmj53xOAn8WbvATzeu8/MqNnglmTcX+VKInVWjai4gtOg2UmaijUCt0CuCcLNyWpClk51p0Kfr7gYb4UKJuWSIfVzHaPY="
+  }
+}

test/src/test/resources/plugins/invalid-signature-update-center.json

@@ -0,0 +1,16 @@
+{
+  "updateCenterVersion": "1",
+  "core": {
+    "name": "core",
+    "version": "2.541",
+    "url": "http://updates.jenkins.io/download/war/2.541/jenkins.war"
+  },
+  "plugins": {},
+  "signature": {
+    "certificates": [
+      "InvalidBase64CertificateDataThatWillFailValidation=="
+    ],
+    "correct_digest": "invalid_digest_value",
+    "correct_signature": "invalid_signature_value"
+  }
+}