Unable to install CAP plugins when plugin catalog is used

Article ID:5221978044443
2 minute readKnowledge base

Issue

After upgrading to 2.332.1.5 and using a plugin catalog (not the Configuration as Code (CasC) one) it is not posible to install CAP plugins in an air-gapped environment.

When trying to install some of the available CAP plugins the following execeptions can be seen:

Also then following log messages are present in your instance logs:

2022-03-29 12:16:45.724+0000 [id=61979]	INFO	hudson.PluginManager#install: Starting installation of a batch of 4 plugins plus their dependencies
2022-03-29 12:16:45.725+0000 [id=61979]	INFO	hudson.model.UpdateSite$Plugin#deploy: Adding dependent install of maven-plugin for plugin conditional-buildstep
2022-03-29 12:16:45.725+0000 [id=82096]	INFO	h.model.UpdateCenter$DownloadJob#run: Starting the installation of cloudbees-pipeline-policies on behalf of sperts
2022-03-29 12:16:45.725+0000 [id=61979]	INFO	hudson.model.UpdateSite$Plugin#deploy: Adding dependent install of javadoc for plugin maven-plugin
2022-03-29 12:16:45.726+0000 [id=61979]	INFO	hudson.model.UpdateSite$Plugin#deploy: Adding dependent install of run-condition for plugin conditional-buildstep
2022-03-29 12:16:45.726+0000 [id=82096]	INFO	h.m.UpdateCenter$UpdateCenterConfiguration#download: Downloading cloudbees-pipeline-policies
2022-03-29 12:16:45.732+0000 [id=82096]	INFO	hudson.model.UpdateCenter#verifyChecksums: Attempt to verify a downloaded file (cloudbees-pipeline-policies.jpi.tmp) using SHA-512 or SHA-256 failed since your configured update site does not provide either of those checksums. Falling back to SHA-1.
2022-03-29 12:16:45.733+0000 [id=82096]	INFO	h.model.UpdateCenter$DownloadJob#run: Starting the installation of javadoc on behalf of sperts
2022-03-29 12:16:45.733+0000 [id=82096]	INFO	h.m.UpdateCenter$UpdateCenterConfiguration#download: Downloading javadoc
2022-03-29 12:16:45.736+0000 [id=82096]	INFO	hudson.model.UpdateCenter#verifyChecksums: Attempt to verify a downloaded file (javadoc.jpi.tmp) using SHA-512 or SHA-256 failed since your configured update site does not provide either of those checksums. Falling back to SHA-1.
2022-03-29 12:16:45.736+0000 [id=82096]	SEVERE	h.model.UpdateCenter$DownloadJob#run: Failed to install javadoc
java.io.IOException: Downloaded file /var/jenkins_home/plugins/javadoc.jpi.tmp does not match expected SHA-1, expected '2cacmQkT9GAZtSplATykdJXjcpM=', actual '1R1r3SwZw8YOdMa+Ge7lJK58pVY='
	at hudson.model.UpdateCenter.throwVerificationFailure(UpdateCenter.java:2059)
	at hudson.model.UpdateCenter.verifyChecksums(UpdateCenter.java:2112)
	at hudson.model.UpdateCenter$InstallationJob.replace(UpdateCenter.java:2292)
	at hudson.model.UpdateCenter$UpdateCenterConfiguration.install(UpdateCenter.java:1358)
	at hudson.model.UpdateCenter$DownloadJob._run(UpdateCenter.java:1896)
	at hudson.model.UpdateCenter$InstallationJob._run(UpdateCenter.java:2205)
	at hudson.model.UpdateCenter$DownloadJob.run(UpdateCenter.java:1867)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at hudson.remoting.AtmostOneThreadExecutor$Worker.run(AtmostOneThreadExecutor.java:121)
	at java.base/java.lang.Thread.run(Thread.java:829)

Explanation

At /WEB-INF/plugins/update-center.json the offline update center JSON file is defined. There for each plugin a sha1 hash is specified. The issue is that it is not encoded as expected by the runtime. At runtime, the plugin file sha1 is calculated and compared against the entry in the update-center.json. This comparison expects both values to be equal to consider the download (even if that it is using the file:// protocol) valid.

Resolution

The solution is to upgrade to 2.332.2.4 or later.

Workaround

The only available workaround is to disable the plugin catalog in the Controller and install the desired CAP plugins. Then it is possible to enable again the plugin catalog.