Hi,

I'd like to underline this issue. With the increasing use of Jenkins, it
might actually become an interesting target for attacks, as in some
environments the Jenkins installation is tightly integrated into the
system infrastructure, e.g. generating binary packages for Linux
distributions etc.

Cheers,
Johannes

On 01/08/2014 11:08 PM, Abhijith Chandrashekar wrote:
> I work with a tech company where we're trying to establish a pristine build 
> environment for all of our products. As part of this, we are looking to 
> create a Jenkins CI server from scratch using the most secure methods 
> possible. This would be on an underlying CentOS 6.2 machine. From reading 
> the guide on installing Jenkins on CentOS/RedHat I see that the package and 
> the key are both obtained over http as - 
> 
> wget -O /etc/yum.repos.d/jenkins.repo 
> http://pkg.jenkins-ci.org/redhat/jenkins.repo
> 
> and 
> 
> rpm --import http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key
> 
> This raises possibilities of a Man-in-the-middle attack compromising the 
> integrity of the repo or the key or both. To avoid this, is there a way to 
> obtain the package and the key securely? This could either be over HTTPS, 
> SFTP or by exchanging PGP keys with the owner and then transporting it over 
> email.
> 
> If there's a better place to post this question, please inform.
> 
> Thanks,
> Abhijith
> 
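Following the quoted question, here is an added example (not code from either poster or from the Jenkins project) of the same install done strictly over HTTPS with a pinned key fingerprint and a sanity check of the repo file before yum uses it. The fingerprint value and the /tmp paths are placeholders, and curl, gpg and rpm are assumed to be available.

```shell
# Added example: fetch the Jenkins yum repo file and signing key over HTTPS only,
# refuse to import the key unless its fingerprint matches a pinned value, and
# check the repo file before it steers later yum downloads.
set -eu

JENKINS_REPO_URL="https://pkg.jenkins-ci.org/redhat/jenkins.repo"
JENKINS_KEY_URL="https://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key"
# Placeholder: replace with the fingerprint obtained out of band (project site
# over HTTPS, or PGP-signed mail from the maintainers), never from the same
# download you are trying to verify.
EXPECTED_FPR="0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"

# Download over TLS only: --proto/--proto-redir refuse plain http even on a
# redirect; --fail turns HTTP errors (e.g. from a tampered mirror) into failures.
fetch_https() {
    curl --fail --silent --show-error --location --proto '=https' \
        --proto-redir '=https' --tlsv1.2 -o "$2" "$1"
}

# Normalise two fingerprints (drop spaces, ignore case) and compare them.
fingerprint_matches() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Print the primary key fingerprint of an armored key file without importing it.
key_fingerprint() {
    gpg --with-colons --with-fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# The repo file directs every later yum download, so require an https baseurl
# and gpgcheck=1 (yum then verifies each rpm against the imported key).
repo_file_ok() {
    grep -q '^baseurl=https://' "$1" && grep -q '^gpgcheck=1' "$1"
}

install_jenkins_repo() {
    fetch_https "$JENKINS_REPO_URL" /tmp/jenkins.repo
    fetch_https "$JENKINS_KEY_URL" /tmp/jenkins-ci.org.key
    repo_file_ok /tmp/jenkins.repo || { echo "repo file rejected" >&2; exit 1; }
    fingerprint_matches "$EXPECTED_FPR" "$(key_fingerprint /tmp/jenkins-ci.org.key)" \
        || { echo "key fingerprint mismatch, not importing" >&2; exit 1; }
    rpm --import /tmp/jenkins-ci.org.key
    mv /tmp/jenkins.repo /etc/yum.repos.d/jenkins.repo
}
# Only performs the install when invoked as: sh this-script.sh install
case "${1:-}" in install) install_jenkins_repo ;; esac
```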
