Hi Jens,

 Have you tried to search in this Google group itself?  There are some old 
threads:
  - https://groups.google.com/forum/#!searchin/jenkinsci-dev/sha1/jenkinsci-dev/IdTwt_DCZAs/bte6pagA9OYJ
  - https://groups.google.com/forum/#!searchin/jenkinsci-dev/sha1/jenkinsci-dev/ueaAOGrtVDI/ORJAYpBt7agJ

 You can find other similar threads if you search for "sha1" or "integrity" 
for instance.

 Besides that, there is also another Jenkins group focused on security: 
 https://groups.google.com/forum/#!forum/jenkinsci-advisories

 In case you've got some security concerns, I wonder whether you can use 
the rpm/debian/other installations, which are based on gpg certificates:
  - https://wiki.jenkins-ci.org/display/JENKINS/Installing+Jenkins+on+Ubuntu
  - http://pkg.jenkins-ci.org/redhat/
  - https://wiki.jenkins-ci.org/display/JENKINS/Use+Jenkins

 In addition to that, have you considered compiling/generating the war file 
from the source code? You can fork the jenkins repo 
(https://github.com/jenkinsci/jenkins), check out the tag "jenkins-1.XYZ" 
and run 'mvn -Plight-test install' 
(https://wiki.jenkins-ci.org/display/JENKINS/Building+Jenkins); 
 then you can upload those generated files to your in-house 
artifactory/nexus/filesystem central repo and use the md5sum hash 
validation. 

 Maybe someone else can provide further details about the https certificate.

I hope it helps

Cheers

On Tuesday, 10 November 2015 20:15:38 UTC+1, Jens Wilke wrote:
>
> Hi all,
>
> I am just reviewing and upgrading our Jenkins CI setup. What I found very 
> irritating:
>
> 1. there seems to be no download instruction for the war
> 2. there is no way to check the integrity of a downloaded war file
>
> What I found:
> war files are at http://mirrors.jenkins-ci.org/war/. It is accessible by 
> https, but with no "official" certificate.
>
> md5 sha1 checksums can be found at 
> http://repo.jenkins-ci.org/releases/org/jenkins-ci/main/jenkins-war/1.625.1
> Again, this site is available via https, but with no "official" 
> certificate.
>
> Did I miss something? Isn't there a way to download and check the 
> integrity of Jenkins?
>
> Cheers,
>
> Jens
>
>
>
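
An added example, not part of the original thread: the checksum comparison both messages refer to, written as a shell check against a Maven-style sidecar file (jenkins.war.sha1 / jenkins.war.md5). File names and contents are constructed, and it assumes GNU coreutils (md5sum, sha1sum, sha256sum). A match only shows the file equals what the digest's source describes, so the sidecar should come from a channel you trust, such as the in-house repository mentioned above.

```shell
#!/bin/sh
# Added example. Verifies a file against a Maven-style checksum sidecar
# such as jenkins.war.sha1. All file names and contents are constructed.

# expected_digest SIDECAR ALGO: print the validated lowercase hex digest.
expected_digest() {
    case "$2" in
        md5) want_len=32 ;; sha1) want_len=40 ;; sha256) want_len=64 ;;
        *) return 2 ;;
    esac
    [ -r "$1" ] || return 1
    token=
    # A sidecar holds "<hex>" or "<hex>  <filename>"; keep the first token.
    read -r token _rest < "$1" || [ -n "$token" ] || return 1
    token=$(printf '%s' "$token" | tr 'A-F' 'a-f')
    # Reject non-hex or wrong-length content, e.g. a saved HTML error page.
    case "$token" in *[!0-9a-f]*) return 1 ;; esac
    [ "${#token}" -eq "$want_len" ] || return 1
    printf '%s\n' "$token"
}

# verify_artifact FILE SIDECAR ALGO: 0 = match, 1 = mismatch, 2 = unusable input.
verify_artifact() {
    [ -f "$1" ] || return 2
    want=$(expected_digest "$2" "$3") || return 2
    # Hash from stdin so the tool's filename escaping cannot alter the output.
    got=$("${3}sum" < "$1" | cut -d' ' -f1)
    [ "$got" = "$want" ]
}

# demo: build a constructed artifact, record its digest, then alter the file.
demo() {
    dir=$(mktemp -d) || return 2
    printf 'constructed war bytes\n' > "$dir/jenkins.war"
    sha1sum < "$dir/jenkins.war" | cut -d' ' -f1 > "$dir/jenkins.war.sha1"
    verify_artifact "$dir/jenkins.war" "$dir/jenkins.war.sha1" sha1 && before=0 || before=$?
    printf 'x' >> "$dir/jenkins.war"
    verify_artifact "$dir/jenkins.war" "$dir/jenkins.war.sha1" sha1 && after=0 || after=$?
    rm -rf "$dir"
    echo "untouched=$before modified=$after"
}

demo
```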
