#6991 Invalid signature from jenkins-continuous-infra.apps.ci.centos.org
Closed: Fixed 5 years ago Opened 5 years ago by pingou.

  • Describe what you need us to do:
    We're getting errors about invalid signature as:
message [{u'username': None, u'i': 1, u'timestamp': 1527261967, u'msg_id':
+u'2018-4a0becc1-9ac7-41a4-8903-0a7d419a3aa9', u'crypto': u'x509', u'topic':
+u'org.centos.prod.ci.pipeline.allpackages-build.image.complete', u'msg': {u'CI_TYPE': u'custom', u'build_id': u'49',
+u'original_spec_nvr': u'standard-test-roles-2.13-1.fc29', u'nvr': u'standard-test-roles-2.13-1.fc29', u'ref':
+u'x86_64', u'repo': u'standard-test-roles', u'namespace': u'null', u'message-content': u'', u'build_url':
+u'https://jenkins-continuous-infra.apps.ci.centos.org/blue/organizations/jenkins/fedora-rawhide-build-pipeline/detail
+/fedora-rawhide-build-pipeline/49/pipeline/', u'rev': u'kojitask-27188720', u'CI_NAME':
+u'fedora-rawhide-build-pipeline', u'username': u'null', u'topic':
+u'org.centos.prod.ci.pipeline.allpackages-build.image.complete', u'status': u'SUCCESS', u'branch': u'master',
+u'test_guidance': u"''", u'type': u'qcow2'}}] has an invalid signature:
  • When do you need this? (YYYY/MM/DD)
    ASAP

  • When is this no longer needed or useful? (YYYY/MM/DD)
    If these messages stop being sent

  • If we cannot complete your request, what is the impact?
    More emails


What host(s) send this?

Is there any way to tell...

Metadata Update from @kevin:
- Issue priority set to: Waiting on Reporter (was: Needs Review)

5 years ago

This is from the Jenkins pod in the continuous-infra project in CentOS CI OpenShift instance. Not sure if that answers what host. I will let Brian speak to more specifics.

So, I just checked, and:

  1. Some messages do get correctly signed, maybe a cluster of machines with one sending wrong data?
  2. The signature does look like an x509 PKCS15 signature, but doesn't match the provided certificate/data. Are you 100% sure that the signer uses the correct private key belonging to the sent certificate? Are you sure that it sends it directly after signing? (what software is this?)
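
The comment above raises two possible causes: a private key that does not belong to the sent certificate, and data that changed between signing and sending. The following added example (not part of the ticket and not fedmsg's own code) shows how an RSA PKCS#1 v1.5 check can tell them apart. It assumes SHA-256 as the digest; the keys, function names and sample message are constructed for the demonstration.

```python
import hashlib

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2). Assumption: the
# ticket does not say which digest the signer uses.
PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def make_key(p, q, e=65537):
    """Constructed demo key from two well-known Mersenne primes (not secure)."""
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def sign(key, data):
    """EMSA-PKCS1-v1_5 encode SHA-256(data), then apply the private exponent."""
    k = (key["n"].bit_length() + 7) // 8
    t = PREFIX + hashlib.sha256(data).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), key["d"], key["n"]).to_bytes(k, "big")

def diagnose(pub, data, sig):
    """Return 'valid', 'data-mismatch' or 'wrong-key-or-garbage'."""
    k = (pub["n"].bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= pub["n"]:
        return "wrong-key-or-garbage"
    em = pow(s, pub["e"], pub["n"]).to_bytes(k, "big")
    pad, sep, t = em[2:].partition(b"\x00")
    if not (em[:2] == b"\x00\x01" and len(pad) >= 8 and set(pad) == {0xFF}
            and sep and t[:len(PREFIX)] == PREFIX and len(t) == len(PREFIX) + 32):
        return "wrong-key-or-garbage"   # block does not even decode as PKCS#1 v1.5
    # Padding and DigestInfo are intact, so the key matches; only the bytes differ.
    same = t[len(PREFIX):] == hashlib.sha256(data).digest()
    return "valid" if same else "data-mismatch"

KEY_A = make_key(2**521 - 1, 2**607 - 1)    # key the sender actually signs with
KEY_B = make_key(2**607 - 1, 2**1279 - 1)   # key in an unrelated certificate
# Constructed sample: the same fields serialised in two different key orders.
SIGNED = b'{"status": "SUCCESS", "topic": "org.centos.prod.ci.pipeline.allpackages-build.image.complete"}'
SENT = b'{"topic": "org.centos.prod.ci.pipeline.allpackages-build.image.complete", "status": "SUCCESS"}'
SIG = sign(KEY_A, SIGNED)

if __name__ == "__main__":
    print(diagnose(KEY_A, SIGNED, SIG))   # bytes verified are the bytes signed
    print(diagnose(KEY_A, SENT, SIG))     # re-serialised after signing
    print(diagnose(KEY_B, SIGNED, SIG))   # certificate does not match the key
```

A `data-mismatch` result points at serialisation or modification after signing, while `wrong-key-or-garbage` points at the key or certificate pairing.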

@jbieren it appears that we changed the topic for the allpackages pipeline?

fedmsg_meta_fedora_infrastructure has entries for org.centos.prod.ci.pipeline.allpackages, but not for org.centos.prod.ci.pipeline.allpackages-build

@bstinson Yeah, I didn't know it would make a difference if it was under the org.centos.prod.ci.pipeline prefix. Miroslav's team (the ones who consume them) asked them to be changed, so now there is org.centos.prod.ci.pipeline.allpackages-build and org.centos.prod.ci.pipeline.allpackages-pr

Any changes/additions/subtractions to the topics we publish need to be merged into fedmsg_meta_fedora_infrastructure first. Can we put that on a checklist somewhere?

Yeah, I will put it in a readme or something somewhere.
@thrix so I am not the only one aware of this

@jbieren thx, in regards to the topic, we will discuss this more tomorrow or on Thursday. I spoke with @pingou about it yesterday and topic changes are something we do not want to do a lot, thus I will propose additional changes, so we use the same format on both sides (upstream, downstream) so we are covered for the future plans around this.

So what's the status here? Just need to get them added to fedmsg-meta-fedora-infrastructure? Or is there still a signing issue here somewhere?

I see 0 of these messages in our logs now, so I am going to close this.

Please feel free to re-open if you see it again or there's further actions to take here.

:christmas_tree:

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

5 years ago
