I've modified the server infrastructure so that the PGP public key is
available at https://jenkins-ci.org/jenkins-ci.org.key. These keys are used
to sign native packages. In the next release I'll update those packages'
documentation to refer to this key location over HTTPS.

Aside from that, regardless of the packaging, the war file is signed with
my X.509 certificate. That certificate is itself signed by Comodo, so you
can establish a known trust chain back up to the well-trusted root CAs.

2014/1/8 Abhijith Chandrashekar <abhijith.chandrashe...@gmail.com>

> Hello all,
>
> I work with a tech company where we're trying to establish a pristine
> build environment for all of our products. As part of this, we are looking
> to create a Jenkins CI server from scratch using the most secure methods
> possible. This would be on an underlying CentOS 6.2 machine. From reading
> the guide on installing Jenkins on CentOS/RedHat I see that the package and
> the key are both obtained over http as -
>
> wget -O /etc/yum.repos.d/jenkins.repo http://pkg.jenkins-ci.org/redhat/jenkins.repo
>
> and
>
> rpm --import http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key
>
> This raises possibilities of a Man-in-the-middle attack compromising the
> integrity of the repo or the key or both. To avoid this, is there a way to
> obtain the package and the key securely? This could either be over HTTPS,
> SFTP or by exchanging PGP keys with the owner and then transporting it over
> email.
>
> If there's a better place to post this question, please inform.
>
> Thanks,
> Abhijith
>
> --
> You received this message because you are subscribed to the Google Groups
> "Jenkins Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to jenkinsci-users+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
>

-- 
Kohsuke Kawaguchi
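As an added example (not code from this thread or from the Jenkins project), a small POSIX shell audit of a yum .repo file for the two issues raised here: repo and key URLs fetched over plain HTTP, and package signature checking turned off. The sample .repo files it writes are constructed for the demonstration; the HTTPS key URL is the one given in the reply above.

```shell
#!/bin/sh
# Added example (not from the thread): audit a yum .repo file for repo and
# key locations fetched over plain HTTP and for signature checking left off.
# Assumes the usual ini-style layout with one key=value per line.

# Print one finding per line. Returns 1 if anything is wrong, 0 if clean.
audit_repo_file() {
    file="$1"
    rc=0
    # baseurl and gpgkey must be HTTPS, otherwise a man-in-the-middle can
    # replace the repository metadata, the packages, or the signing key.
    for key in baseurl gpgkey; do
        val=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$file")
        case "$val" in
            https://*) ;;
            "")        echo "MISSING ${key}"; rc=1 ;;
            *)         echo "INSECURE ${key}=${val}"; rc=1 ;;
        esac
    done
    # gpgcheck=1 is what makes yum actually verify package signatures against
    # the imported key; a key fetched over HTTPS does nothing if this is 0.
    gc=$(sed -n 's/^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*//p' "$file")
    [ "$gc" = "1" ] || { echo "WEAK gpgcheck=${gc:-unset}"; rc=1; }
    return $rc
}

# Constructed sample repo files (not the real jenkins.repo), written into
# directory $1: weak.repo uses plain HTTP and no signature check, strong.repo
# uses HTTPS for both URLs (key location from the reply) and gpgcheck=1.
write_sample_repos() {
    dir="$1"
    printf '[jenkins]\nname=Jenkins\nbaseurl=http://pkg.jenkins-ci.org/redhat\ngpgcheck=0\n' \
        > "$dir/weak.repo"
    printf '[jenkins]\nname=Jenkins\nbaseurl=https://pkg.jenkins-ci.org/redhat\ngpgcheck=1\n' \
        > "$dir/strong.repo"
    echo 'gpgkey=https://jenkins-ci.org/jenkins-ci.org.key' >> "$dir/strong.repo"
}
```

Once the repo file passes, importing the HTTPS-fetched key with `rpm --import` and running `rpm -K <package>.rpm` checks an individual downloaded package against that key.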
