Hi Jens,

Have you tried to search in this Google group itself? There are some old threads:

- https://groups.google.com/forum/#!searchin/jenkinsci-dev/sha1/jenkinsci-dev/IdTwt_DCZAs/bte6pagA9OYJ
- https://groups.google.com/forum/#!searchin/jenkinsci-dev/sha1/jenkinsci-dev/ueaAOGrtVDI/ORJAYpBt7agJ

You can find other similar threads if you search for "sha1" or "integrity" for instance.

Besides that, there is also another Jenkins group focused on security: https://groups.google.com/forum/#!forum/jenkinsci-advisories

In case you've got some security concerns, I wonder whether you can use the rpm/debian/others installation which are based on gpg certificates:

- https://wiki.jenkins-ci.org/display/JENKINS/Installing+Jenkins+on+Ubuntu
- http://pkg.jenkins-ci.org/redhat/
- https://wiki.jenkins-ci.org/display/JENKINS/Use+Jenkins

In addition to that, have you considered to compile/generate the war file from the source code? You can fork the jenkins repo (https://github.com/jenkinsci/jenkins), checkout the tag "jenkins-1.XYZ" and 'mvn -Plight-test install' (https://wiki.jenkins-ci.org/display/JENKINS/Building+Jenkins), then you can upload those generated files to your inhouse artifactory/nexus/filesystem central repo and use the md5sum hash validation.

Maybe someone else can provide further details about the https certificate.

I hope it helps

Cheers

On Tuesday, 10 November 2015 20:15:38 UTC+1, Jens Wilke wrote:
> Hi all,
>
> I am just reviewing and upgrading our Jenkins CI setup. What I found very
> irritating:
>
> 1. there seems no download instruction for the war
> 2. there is no way to check the integrity of a downloaded war file
>
> What I found:
> war files are at http://mirrors.jenkins-ci.org/war/. It is accessible by
> https, but with no "official" certificate.
>
> md5 sha1 checksums can be found at
> http://repo.jenkins-ci.org/releases/org/jenkins-ci/main/jenkins-war/1.625.1
> Again, this site is available via https, but with no "official"
> certificate.
>
> Did I miss something? Isn't there a way to download and check the
> integrity of Jenkins?
>
> Cheers,
>
> Jens
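Added example, not part of the thread or of the Jenkins project: a check of a downloaded war against a published md5/sha1 checksum file, assuming that file holds a hex digest optionally followed by a file name (the helper names and the sample bytes are constructed for illustration). A match shows the file equals what the checksum describes; when the checksum arrived over the same unauthenticated channel as the war, that covers transfer damage but not substitution of both files.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Hex digest length -> hashlib algorithm name.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_sidecar(text):
    """Return (algorithm, digest) from a bare-hex or 'digest  filename' sidecar."""
    fields = text.split()
    digest = fields[0].lower() if fields else ""
    if not re.fullmatch(r"[0-9a-f]+", digest) or len(digest) not in ALGO_BY_HEX_LEN:
        raise ValueError("not a recognised hex digest")
    return ALGO_BY_HEX_LEN[len(digest)], digest


def file_digest(path, algo, chunk_size=1 << 20):
    """Hash the file in chunks so a large war is never held in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(path, sidecar_text):
    """True only if the file's digest equals the one in the sidecar."""
    algo, expected = parse_sidecar(sidecar_text)
    return hmac.compare_digest(file_digest(path, algo), expected)


def demo():
    """Check a constructed stand-in for a downloaded war, before and after damage."""
    payload = b"constructed sample bytes, not a real jenkins.war"
    with tempfile.TemporaryDirectory() as tmp:
        war = os.path.join(tmp, "jenkins.war")
        with open(war, "wb") as fh:
            fh.write(payload)
        sidecar = hashlib.sha1(payload).hexdigest() + "  jenkins.war\n"
        intact = verify(war, sidecar)
        with open(war, "ab") as fh:  # one extra byte, as after a bad transfer
            fh.write(b"\x00")
        return intact, verify(war, sidecar)


if __name__ == "__main__":
    print(demo())
```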
