This is an automated email from the git hooks/post-receive script.

x2go pushed a change to branch master
in repository buildscripts.

      from  ad427f8   bin: add new slave-start-prepare.sh script, used to update build scripts, the jenkins jar file and start the latter.
       new  f819532   bin/slave-start-prepare.sh: newer OpenSSL versions seem to also output the header and footer, adjust comment accordingly.
       new  6ab3517   bin/slave-start-prepare.sh: update the pubkey hash for japsand since I messed up the first time around and change the hostname to jenkins.x2go.org.
       new  0747795   bin/slave-start-prepare.sh: switch from wget to cURL.

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.

Summary of changes:
 bin/slave-start-prepare.sh | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

--
Alioth's /srv/git/code.x2go.org/buildscripts.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/buildscripts.git
This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch master in repository buildscripts. commit f8195329e0829dc6da7584055f85db900ef3528d Author: Mihai Moldovan <ionic@ionic.de> Date: Sat Jun 10 23:50:15 2017 +0200 bin/slave-start-prepare.sh: newer OpenSSL versions seem to also output the header and footer, adjust comment accordingly. --- bin/slave-start-prepare.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/slave-start-prepare.sh b/bin/slave-start-prepare.sh index c2c7f22..80d7d20 100755 --- a/bin/slave-start-prepare.sh +++ b/bin/slave-start-prepare.sh @@ -6,8 +6,8 @@ typeset prefix="$(cut -d"-" -f1 <<< "$(basename "${0}")")" # Generate this stuff via: # - openssl s_client -showcerts -servername hostname -connect host:port -# - copy the first PEM-encoded certificate to ${cert} -# - add the "-----BEGIN CERTIFICATE-----" header and "-----END CERTIFICATE-----" footer to ${cert} +# - copy the first PEM-encoded certificate to ${cert} including headers (if printed) +# - optionally: add the "-----BEGIN CERTIFICATE-----" header and "-----END CERTIFICATE-----" footer to ${cert} # - openssl x509 -noout -pubkey < "${cert}" | openssl asn1parse -noout -inform pem -out /dev/stdout | openssl dgst -sha256 -binary | openssl base64 typeset ssl_hash="" typeset host="" -- Alioth's /srv/git/code.x2go.org/buildscripts.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/buildscripts.git
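Review bot: The reworded bullet "optionally: add the "-----BEGIN CERTIFICATE-----" header and "-----END CERTIFICATE-----" footer" reads as if the header and footer may be left out, but the `openssl x509 -noout -pubkey < "${cert}"` step in the last bullet only parses `${cert}` as PEM when both lines are present. Wording it as a condition ("if s_client did not print them, add ...") removes the ambiguity. The procedure also copies whatever certificate `openssl s_client` received on that connection and never says how it is confirmed to be the server's real one, so a line asking for the fingerprint to be compared out of band before the hash is committed would be worth adding.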
This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch master in repository buildscripts. commit 6ab3517224074bca385891559df8bda48ef939cf Author: Mihai Moldovan <ionic@ionic.de> Date: Sat Jun 10 23:50:52 2017 +0200 bin/slave-start-prepare.sh: update the pubkey hash for japsand since I messed up the first time around and change the hostname to jenkins.x2go.org. --- bin/slave-start-prepare.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/slave-start-prepare.sh b/bin/slave-start-prepare.sh index 80d7d20..b9add7d 100755 --- a/bin/slave-start-prepare.sh +++ b/bin/slave-start-prepare.sh @@ -14,8 +14,8 @@ typeset host="" if [ "x$(basename "${0}")" = "x${prefix}-slave-start-prepare.sh" ]; then case "${prefix}" in (x2go) - host="japsand.x2go.org:8443" - ssl_hash="sha256//47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=" + host="jenkins.x2go.org:8443" + ssl_hash="sha256//32pvBe/GWNaDCzq9VydrWOG9osK7XDYqv4M4lYmKQMA=" ;; (*) echo "Unknown prefix, aborting." >&2 -- Alioth's /srv/git/code.x2go.org/buildscripts.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/buildscripts.git
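Review bot: The removed `ssl_hash` value `sha256//47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=` is the base64 SHA-256 of empty input, so the generation pipeline had produced no bytes when that pin was recorded and nothing in the script noticed. A guard after the `case` block that aborts when `ssl_hash` is empty or equals that constant would make a repeat of the mistake fail immediately with a clear message rather than at download time. Since `host` and `ssl_hash` change together here, a short comment next to `ssl_hash` recording which host and certificate the pin was taken from, and when, would also make the next rotation easier to check.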
This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch master in repository buildscripts. commit 074779564c4b95a6abd4ae96d3fc138f4e448490 Author: Mihai Moldovan <ionic@ionic.de> Date: Sat Jun 10 23:51:28 2017 +0200 bin/slave-start-prepare.sh: switch from wget to cURL. It doesn't seem to be (easily) possible to disable certain certificate checks, but still enforce the pinned pubkey hash check with wget. This means that we either have to - provide the pubkey hash - provide the CA certificate (which is pretty darn difficult when using self-signed certificates) - make sure that the parameters match what is recorded in the certificate (like the hostname) or - disable all checks, including the pubkey hash check. ... or find an alternative, like cURL, which allows us to bypass these checks but still employs the pubkey hash check. So switch to cURL. --- bin/slave-start-prepare.sh | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/bin/slave-start-prepare.sh b/bin/slave-start-prepare.sh index b9add7d..4829069 100755 --- a/bin/slave-start-prepare.sh +++ b/bin/slave-start-prepare.sh @@ -31,6 +31,12 @@ fi rm -f -- "slave.jar" -wget -NS --pinnedpubkey="${ssl_hash}" "https://${host}/jnlpJars/slave.jar" +# Even though we pin the certificate's public key, the --insecure option +# is needed since our certificate (currently) is self-signed, which leads to +# curl rejecting the certificate. +# This is okay, since curl still checks for the pubkey hash and aborts the +# connection if the server's pubkey hash doesn't match the pinned one, even +# when calling it with the --insecure parameter. +curl -R --pinnedpubkey "${ssl_hash}" --insecure "https://${host}/jnlpJars/slave.jar" java -jar "slave.jar" -- Alioth's /srv/git/code.x2go.org/buildscripts.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/buildscripts.git
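Review bot: The new `curl -R --pinnedpubkey "${ssl_hash}" --insecure "https://${host}/jnlpJars/slave.jar"` line has no `-o` or `-O`, so curl writes the response body to stdout and `slave.jar`, deleted by the `rm -f` just above, is never created; the `java -jar "slave.jar"` that follows then has nothing to run. Adding `-o "slave.jar"` fixes that and gives `-R` a file to timestamp, and `--fail` keeps an HTTP error page from being saved as the jar. curl's exit status should be checked before Java is started, so that a pin mismatch stops the script instead of falling through. The comment on `--insecure` matches curl's behaviour; it would help to also note that the slaves need a curl release that supports `--pinnedpubkey` with `sha256//` hashes.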
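A pre-flight check for the pinned value, as an added example that is not part of the buildscripts repository. `validate_pin` and `compute_pin` are hypothetical helper names; `compute_pin` wraps the OpenSSL pipeline quoted in the script's comment and assumes `openssl` is installed.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not from the buildscripts repo.

# base64(SHA-256 of zero bytes): what the hashing pipeline prints when an
# earlier stage wrote nothing. Also the value removed in commit 6ab3517.
EMPTY_PIN='sha256//47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='

# validate_pin PINSPEC: one or more "sha256//<base64>" entries separated by
# ';' (the form curl's --pinnedpubkey accepts). Returns 0 only if all are valid.
validate_pin() {
    [ -n "$1" ] || return 1
    _rest="$1"
    while [ -n "$_rest" ]; do
        _pin="${_rest%%;*}"
        case "$_rest" in
            *\;*) _rest="${_rest#*;}" ;;
            *)    _rest="" ;;
        esac
        case "$_pin" in
            sha256//*) _b64="${_pin#sha256//}" ;;
            *) return 1 ;;
        esac
        # A 32-byte digest is 43 base64 characters plus one '=' pad.
        [ "${#_b64}" -eq 44 ] || return 1
        [ "${_b64%=}" != "$_b64" ] || return 1
        case "${_b64%=}" in
            *[!A-Za-z0-9+/]*) return 1 ;;
        esac
        [ "$_pin" != "$EMPTY_PIN" ] || return 1
    done
    return 0
}

# compute_pin CERT_PEM: runs the pipeline from the script's comment and
# prints the pin; fails on a malformed or empty-input result. Needs openssl.
compute_pin() {
    _out="$(openssl x509 -noout -pubkey < "$1" \
        | openssl asn1parse -noout -inform pem -out /dev/stdout \
        | openssl dgst -sha256 -binary \
        | openssl base64)"
    validate_pin "sha256//${_out}" || {
        echo "pin for $1 is empty or malformed, refusing to use it" >&2
        return 1
    }
    printf 'sha256//%s\n' "$_out"
}

# Stand-alone use: print the pin for the certificate file given as $1.
if [ "$#" -gt 0 ]; then compute_pin "$1"; fi
```

Calling `validate_pin "${ssl_hash}"` before the download would reject the first value committed for japsand and accept the corrected one.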