Skip to content

[JENKINS-75905] Include update site URL in signature verification in error messages #25980

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
MarkEWaite merged 7 commits into from
Dec 29, 2025
Merged

[JENKINS-75905] Include update site URL in signature verification in error messages #25980

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
fb54c7d
[JENKINS-75905] Include update site URL in signature verification err…
adhamahmad Dec 22, 2025
c17a8cf
[JENKINS-75905] Include update site URL in signature verification err…
adhamahmad Dec 22, 2025
965410a
Merge branch 'closes#16784' of https://github.com/adhamahmad/jenkins …
adhamahmad Dec 23, 2025
1ce2a8b
[JENKINS-75905] Include update site URL in signature verification err…
adhamahmad Dec 22, 2025
ea8a365
Merge branch 'closes#16784' of https://github.com/adhamahmad/jenkins …
adhamahmad Dec 25, 2025
cad8b33
Use the non-deprecated getJsonSignatureValidator method and add @NonN…
adhamahmad Dec 25, 2025
2784646
Test both branches of message formatter
MarkEWaite Dec 25, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 23 additions & 1 deletion core/src/main/java/hudson/model/UpdateSite.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -294,7 +294,29 @@
*/
@Restricted(NoExternalUse.class)
public final FormValidation verifySignatureInternal(JSONObject o) throws IOException {
return getJsonSignatureValidator().verifySignature(o);
FormValidation result = getJsonSignatureValidator().verifySignature(o);

if (result.kind == FormValidation.Kind.ERROR) {
String message = result.getMessage();
if (message != null) {

Check warning on line 301 in core/src/main/java/hudson/model/UpdateSite.java

View check run for this annotation

ci.jenkins.io / Code Coverage

Partially covered line 

Line 301 is only partially covered, one branch is missing
// String siteUrl = getUrl();
String updatedMessage;

if (message.contains("update site") && message.contains(" Path") && !message.contains(url)) {

Check warning on line 305 in core/src/main/java/hudson/model/UpdateSite.java

View check run for this annotation

ci.jenkins.io / Code Coverage

Partially covered line 

Line 305 is only partially covered, 2 branches are missing
// Ensure the update site URL is included in error messages by replacing the site identifier in messages of the 'update site … Path' pattern or appending it otherwise.
updatedMessage = message.replaceAll(
"(update site\\s+).*?(\\s+Path)",
"$1" + url + "$2"
);
} else {
// Do not alter message structure; only add URL context
updatedMessage = message + " (URL: " + url + ")";
}
return FormValidation.error(updatedMessage);
}
}

return result;
}

/**
Expand Down
24 changes: 23 additions & 1 deletion core/src/main/java/jenkins/util/JSONSignatureValidator.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -138,7 +138,9 @@
if (warning != null) return warning;
return FormValidation.ok();
} catch (GeneralSecurityException e) {
return FormValidation.error(e, "Signature verification failed in " + name);
// Return a user-friendly error message without the full stack trace
String rootCauseMessage = getRootCauseMessage(e);
return FormValidation.error("Signature verification failed in " + name + ": " + rootCauseMessage);
}
}

Expand Down Expand Up @@ -321,5 +323,25 @@
return anchors;
}

/**
* Extracts a user-friendly message from an exception chain.
*
* @param e the exception to extract the message from
* @return a concise, readable error message
*/
private String getRootCauseMessage(Throwable e) {
Throwable cause = e;
while (cause.getCause() != null && cause.getCause() != cause) {

Check warning on line 334 in core/src/main/java/jenkins/util/JSONSignatureValidator.java

View check run for this annotation

ci.jenkins.io / Code Coverage

Partially covered line 

Line 334 is only partially covered, one branch is missing
cause = cause.getCause();
}

String message = cause.getMessage();
if (message != null && !message.isEmpty()) {

Check warning on line 339 in core/src/main/java/jenkins/util/JSONSignatureValidator.java

View check run for this annotation

ci.jenkins.io / Code Coverage

Partially covered line 

Line 339 is only partially covered, 2 branches are missing
return message;
}

return cause.getClass().getSimpleName();

Check warning on line 343 in core/src/main/java/jenkins/util/JSONSignatureValidator.java

View check run for this annotation

ci.jenkins.io / Code Coverage

Not covered line 

Line 343 is not covered by tests
}

private static final Logger LOGGER = Logger.getLogger(JSONSignatureValidator.class.getName());
}
20 changes: 20 additions & 0 deletions test/src/test/java/hudson/model/UpdateSiteTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -299,4 +299,24 @@ private PluginWrapper buildPluginWrapper(String name, String wikiUrl) {
new ArrayList<>()
);
}

@Test
void signatureVerificationFailureIncludesUpdateSiteUrl() throws Exception {
// Create an UpdateSite with an invalid/malformed signature that will trigger an error
URL url = new URL(baseUrl, "/plugins/invalid-signature-update-center.json");
UpdateSite site = new UpdateSite(UpdateCenter.ID_DEFAULT, url.toString());
overrideUpdateSite(site);

FormValidation validation = site.updateDirectlyNow(true);

assertEquals(FormValidation.Kind.ERROR, validation.kind);

String message = validation.getMessage();
assertNotNull(message);
assertTrue(
message.contains(url.toString()),
"Signature verification error should include update site URL"
);
}

}
17 changes: 17 additions & 0 deletions test/src/test/resources/plugins/invalid-signature-update-center.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
{
"updateCenterVersion": "1",
"connectionCheckUrl": "http://www.google.com/",
"core": {
"name": "core",
"version": "2.0",
"url": "http://updates.jenkins-ci.org/download/war/2.0/jenkins.war"
},
"plugins": {},
"signature": {
"certificates": [
"InvalidBase64CertificateDataThatWillFailValidation=="
],
"correct_digest": "invalid_digest_value",
"correct_signature": "invalid_signature_value"
}
}
Loading