Re: Securely obtain the Jenkins package and public key

2014-01-12 Thread abhijith chandrashekar
 Of course, you'd need a secure way to make sure it's actually his
signature, but that should be easier than changing the entire distribution
chain.

That's exactly the problem. Any ideas on how I can do that?

Thanks,
Abhijith



On Sat, Jan 11, 2014 at 1:12 AM, Daniel Beck m...@beckweb.net wrote:

 On 08.01.2014, at 23:08, Abhijith Chandrashekar 
 abhijith.chandrashe...@gmail.com wrote:

  This raises possibilities of a Man-in-the-middle attack compromising the
 integrity of the repo or the key or both.

 The war packages themselves are signed by Kohsuke. You can use the tool
 'jarsigner' to verify.

 Of course, you'd need a secure way to make sure it's actually his
 signature, but that should be easier than changing the entire distribution
 chain.

 --
 You received this message because you are subscribed to a topic in the
 Google Groups Jenkins Users group.
 To unsubscribe from this topic, visit
 https://groups.google.com/d/topic/jenkinsci-users/3O8vpxrWZH8/unsubscribe.
 To unsubscribe from this group and all its topics, send an email to
 jenkinsci-users+unsubscr...@googlegroups.com.
 For more options, visit https://groups.google.com/groups/opt_out.




Securely obtain the Jenkins package and public key

2014-01-08 Thread Abhijith Chandrashekar
Hello all,

I work with a tech company where we're trying to establish a pristine build 
environment for all of our products. As part of this, we are looking to 
create a Jenkins CI server from scratch using the most secure methods 
possible. This would be on an underlying CentOS 6.2 machine. From reading 
the guide on installing Jenkins on CentOS/RedHat I see that the package and 
the key are both obtained over http as - 

wget -O /etc/yum.repos.d/jenkins.repo 
http://pkg.jenkins-ci.org/redhat/jenkins.repo

and 

rpm --import http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key

This raises possibilities of a Man-in-the-middle attack compromising the 
integrity of the repo or the key or both. To avoid this, is there a way to 
obtain the package and the key securely? This could either be over HTTPS, 
SFTP or by exchanging PGP keys with the owner and then transporting it over 
email.

If there's a better place to post this question, please inform.

Thanks,
Abhijith

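Both messages in this thread come down to the same check: the key file (or the jarsigner certificate) you actually downloaded must be compared against a fingerprint obtained through a channel you already trust, because the download itself cannot vouch for itself. The block below is an added example written for this thread; it is not code from the list, from the Jenkins project, or from the people quoted above. It parses an ASCII-armored OpenPGP public key of the kind `rpm --import` consumes, verifies the armor CRC-24, computes the v4 key fingerprint (SHA-1 over `0x99`, the packet length and the public-key packet body), and reports whether it matches a pinned value. The real Jenkins key fingerprint is not on this page, so `PINNED_FINGERPRINT` is a placeholder to be filled from an out-of-band source such as the PGP-signed email exchange Abhijith proposes; the key built by `_constructed_armored_key()` is a throwaway fixture so the script runs offline, not a real key.

```python
"""Check an armored OpenPGP public key against an out-of-band fingerprint pin
before passing it to 'rpm --import'. Added example for the thread; the
fixture key is constructed in code and PINNED_FINGERPRINT is a placeholder."""
import base64
import hashlib
import hmac
import struct

# Placeholder: obtain the real value over a trusted channel, never from the
# same HTTP download you are trying to verify.
PINNED_FINGERPRINT = "REPLACE WITH FINGERPRINT OBTAINED OUT OF BAND"


def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 (RFC 4880 section 6.1), used for the '=xxxx' armor trailer."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text: str) -> bytes:
    """Strip the ASCII armor, check the CRC-24 trailer and return the raw packets."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP PUBLIC KEY BLOCK-----"):
        raise ValueError("not an armored public key block")
    body, crc_b64, in_body = [], None, False
    for line in lines[1:]:
        if line.startswith("-----END"):
            break
        if not in_body:                      # armor headers end at the first blank line
            in_body = line.strip() == ""
            continue
        if line.startswith("="):
            crc_b64 = line[1:].strip()
        else:
            body.append(line.strip())
    raw = base64.b64decode("".join(body), validate=True)
    if crc_b64 is None:
        raise ValueError("armor has no CRC trailer")
    if crc24(raw) != int.from_bytes(base64.b64decode(crc_b64), "big"):
        raise ValueError("armor CRC mismatch: file corrupted or tampered with")
    return raw


def packets(raw: bytes):
    """Yield (tag, body) for each packet, handling old- and new-format headers."""
    i = 0
    while i < len(raw):
        ctb = raw[i]
        i += 1
        if not ctb & 0x80:
            raise ValueError("malformed packet header")
        if ctb & 0x40:                       # new-format header (RFC 4880 4.2.2)
            tag = ctb & 0x3F
            first = raw[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + raw[i] + 192
                i += 1
            elif first == 255:
                length = struct.unpack(">I", raw[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                # old-format header (RFC 4880 4.2.1)
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported")
            width = (1, 2, 4)[ltype]
            length = int.from_bytes(raw[i:i + width], "big")
            i += width
        yield tag, raw[i:i + length]
        i += length


def v4_fingerprint(key_body: bytes) -> str:
    """V4 fingerprint (RFC 4880 12.2): SHA-1 over 0x99, 2-byte length and key body."""
    if key_body[0] != 4:
        raise ValueError("only v4 keys are supported")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()


def fingerprint_of_armored_key(text: str) -> str:
    """Fingerprint of the primary public key (packet tag 6) in an armored key file."""
    for tag, body in packets(dearmor(text)):
        if tag == 6:
            return v4_fingerprint(body)
    raise ValueError("no public-key packet found")


def key_matches_pin(text: str, pinned: str) -> bool:
    """True only if the key's fingerprint equals the pin; spaces in the pin are ignored."""
    want = pinned.replace(" ", "").upper()
    return hmac.compare_digest(fingerprint_of_armored_key(text), want)


def _constructed_armored_key() -> str:
    """Build and armor a throwaway v4 RSA public-key packet (constructed fixture only)."""
    def mpi(x: int) -> bytes:
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    n = (1 << 2047) | 0x10001                # dummy modulus: only the byte layout matters
    body = b"\x04" + struct.pack(">I", 1389139200) + b"\x01" + mpi(n) + mpi(65537)
    packet = b"\x99" + struct.pack(">H", len(body)) + body   # old-format tag 6, 2-byte length
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed fixture\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


if __name__ == "__main__":
    import sys
    armored = open(sys.argv[1]).read() if len(sys.argv) > 1 else _constructed_armored_key()
    print("fingerprint:", fingerprint_of_armored_key(armored))
    if not key_matches_pin(armored, PINNED_FINGERPRINT):
        sys.exit("fingerprint does not match the pinned value; refusing to import")
```

Run it as `python check_key.py jenkins-ci.org.key` and only call `rpm --import` when it exits 0; `rpm --checksig` on the downloaded package then verifies against the key you deliberately trusted. The same idea covers Daniel's jarsigner point: `jarsigner -verify -verbose -certs jenkins.war` prints the signer's certificate, and pinning that certificate's fingerprint once from a trusted source turns a bare "jar verified" into proof that it is the expected signer.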