CloudBees supports running CloudBees CI on traditional platforms using the WAR package.
If you are not using an installation package and want to manually download the CloudBees CI WAR file (to run inside Apache Tomcat or a standalone), you should verify the authenticity of the WAR files. It can help to ensure that you are not the victim of a "man-in-the-middle" attack or another type of signature tampering.
You should verify the signature files before you run the WAR file package.
The signature files of the WAR file distributables are located at the download site with the respective WAR files. Refer to CloudBees Software Delivery Automation.
For versions 2.426.2.x
and later
The CloudBees public GPG keys is as follows:
-----BEGIN PGP PUBLIC KEY BLOCK----- mQENBFaU9goBCAC/V/svxekI7Y/5am9Q6BpVcrG0IWxyhux3BejYHgCWKh4tt08M 7VvXncejezeOVZPJSHCVgRKwJOst2hKw+lJwhiaX847LRAeZwG6YbQ5Gd5OBEefN 3FMw4Ym6bzRrkQ213lJmmUOvFMDxs3nu1tScbJ6yyPe6FQyVlw30Di/rTTp5EzK6 5vmCG80lbWbUdyBTvoKkXAgHIjUYU4dV2pHvQL6a+CUbQsaC/UsTcGaPKNTQ3NsJ XPJoK0GmENvpP1VYWIo6SzAMay9ZP9qM7ksr6RgqA+LvznF0J8gqOPpipoqwIB1a 5xVxZfsBGHYq45F5dLboF69SeJ+ra8mQVHyZABEBAAG0M0Nsb3VkQmVlcywgSW5j LiAoQ29kZSBzaWduaW5nKSA8aW5mb0BjbG91ZGJlZXMuY29tPokBTwQTAQgAOQIb AwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQR89lZlISP4NqUyOrE44vXzn/kL 2gUCVpT2CwAKCRA44vXzn/kL2q4kB/9p8t3U4JgrAWBzxHalckxm8IbTH9rKynhP dLaPmtdpx69GUj5/gIVVL/SgTEQNpkJ5gY79BSI3Vwr1ylyt1B6lgKy6uKaIeY8I 5qJqe25fyDcP/MDbEC0UvvGziAYDVdwTxp3y/kIW6lk8F3Wgl0p9bYY56vmzSjZV pRyimGO7Ud5J/tgp60g/OriuoMT9+8p+eRCkxMdmxaZ2SM7g/ML4U0d/K1of71le CFIZvEqtGLkguSfHztMBGeV42PpxZR5Z1lM/wWP1G4GqjZtkrrEpyW6dtrtJjtf4 DIVchJsBIDnl67CUjJjSZ/+2JInYmevxd2fuThbgqmlKfayup1mSuQENBFaU9goB CACsZItiervkSNxh59C+K9o1rTQWEW4E3wqS7BFh5sOElcDqc53nfSHG9VqRh53P kxZpGzS2SoROG2rEQdzwO3/ddlM2ARZQuchNXVTdGYF4HBoysFMQITgH62VDQDlO pvDqivwAJX90B/JyVO/6atFd/TfchEXktUieRW4/sGBFs05T12arTUIN+VvLDbVB 8Qhdpjw5PLL8F4Fd0CvMzBb8RZtQQidXjxnzJqPoK5J0w2Cse0NKfUo00K09+h9t bz05+V3ULbUiqq3peJ5aQpmxN6/MeMFfWq9u9U6r+L+WivspMgxclP7lkW9I0mq3 ETuDK8l5OGEk2pqiyWVqcFulABEBAAGJATYEGAEIACACGwwWIQR89lZlISP4NqUy OrE44vXzn/kL2gUCVpT2CwAKCRA44vXzn/kL2itAB/94T4jsKUXGoQWQo/O21L3m MErnaAYv+HEhNPUFIgkz9qO/FsUUt+OK4Fl5cRP5FHfpGy7aiHMtrYedyZ7T+ItJ 0M+cDgOfrTRcyXpN9tRidB4AYAGECag0/rTej8T6jk6aRVuEOt0Pbt9klNRm9/4V dejcKjCuoU78gtjfe5WIVvupaLepqTMfoUOWuVo7vB2vWGCv5/JLyrXekwaoE56A byVDhi3DsGsUHMigvjeIZz0xENQGBaeFaEcFBF28aqTb9haWIrE9wFohFP8+5oGF 5qUed2i3C6UYfjAJyVoQ+BmfKnT35FHEUkjoM8soEP+zxRrccokqI0zULeL5H/8k =y+i9 -----END PGP PUBLIC KEY BLOCK-----
To verify the authenticity of the CloudBees CI WAR files, complete the following steps:
-
Add the CloudBees public key to your GPG key store by using one of the following procedures:
-
Copy and paste the CloudBees public GPG key into a text file and import it.
-
Use the following command to create the text file, populate it with the CloudBees public GPG key, and import it:
echo -e "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmQENBFaU9goBCAC/V/svxekI7Y/5am9Q6BpVcrG0IWxyhux3BejYHgCWKh4tt08M\n7VvXncejezeOVZPJSHCVgRKwJOst2hKw+lJwhiaX847LRAeZwG6YbQ5Gd5OBEefN\n3FMw4Ym6bzRrkQ213lJmmUOvFMDxs3nu1tScbJ6yyPe6FQyVlw30Di/rTTp5EzK6\n5vmCG80lbWbUdyBTvoKkXAgHIjUYU4dV2pHvQL6a+CUbQsaC/UsTcGaPKNTQ3NsJ\nXPJoK0GmENvpP1VYWIo6SzAMay9ZP9qM7ksr6RgqA+LvznF0J8gqOPpipoqwIB1a\n5xVxZfsBGHYq45F5dLboF69SeJ+ra8mQVHyZABEBAAG0M0Nsb3VkQmVlcywgSW5j\nLiAoQ29kZSBzaWduaW5nKSA8aW5mb0BjbG91ZGJlZXMuY29tPokBTwQTAQgAOQIb\nAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQR89lZlISP4NqUyOrE44vXzn/kL\n2gUCVpT2CwAKCRA44vXzn/kL2q4kB/9p8t3U4JgrAWBzxHalckxm8IbTH9rKynhP\ndLaPmtdpx69GUj5/gIVVL/SgTEQNpkJ5gY79BSI3Vwr1ylyt1B6lgKy6uKaIeY8I\n5qJqe25fyDcP/MDbEC0UvvGziAYDVdwTxp3y/kIW6lk8F3Wgl0p9bYY56vmzSjZV\npRyimGO7Ud5J/tgp60g/OriuoMT9+8p+eRCkxMdmxaZ2SM7g/ML4U0d/K1of71le\nCFIZvEqtGLkguSfHztMBGeV42PpxZR5Z1lM/wWP1G4GqjZtkrrEpyW6dtrtJjtf4\nDIVchJsBIDnl67CUjJjSZ/+2JInYmevxd2fuThbgqmlKfayup1mSuQENBFaU9goB\nCACsZItiervkSNxh59C+K9o1rTQWEW4E3wqS7BFh5sOElcDqc53nfSHG9VqRh53P\nkxZpGzS2SoROG2rEQdzwO3/ddlM2ARZQuchNXVTdGYF4HBoysFMQITgH62VDQDlO\npvDqivwAJX90B/JyVO/6atFd/TfchEXktUieRW4/sGBFs05T12arTUIN+VvLDbVB\n8Qhdpjw5PLL8F4Fd0CvMzBb8RZtQQidXjxnzJqPoK5J0w2Cse0NKfUo00K09+h9t\nbz05+V3ULbUiqq3peJ5aQpmxN6/MeMFfWq9u9U6r+L+WivspMgxclP7lkW9I0mq3\nETuDK8l5OGEk2pqiyWVqcFulABEBAAGJATYEGAEIACACGwwWIQR89lZlISP4NqUy\nOrE44vXzn/kL2gUCVpT2CwAKCRA44vXzn/kL2itAB/94T4jsKUXGoQWQo/O21L3m\nMErnaAYv+HEhNPUFIgkz9qO/FsUUt+OK4Fl5cRP5FHfpGy7aiHMtrYedyZ7T+ItJ\n0M+cDgOfrTRcyXpN9tRidB4AYAGECag0/rTej8T6jk6aRVuEOt0Pbt9klNRm9/4V\ndejcKjCuoU78gtjfe5WIVvupaLepqTMfoUOWuVo7vB2vWGCv5/JLyrXekwaoE56A\nbyVDhi3DsGsUHMigvjeIZz0xENQGBaeFaEcFBF28aqTb9haWIrE9wFohFP8+5oGF\n5qUed2i3C6UYfjAJyVoQ+BmfKnT35FHEUkjoM8soEP+zxRrccokqI0zULeL5H/8k\n=y+i9\n-----END PGP PUBLIC KEY BLOCK-----" > cloudbees.key gpg --import cloudbees.key
-
-
Download the WAR files and the WAR signature (
.asc
) files. -
Verify the WAR files with one of the following commands:
-
Controller:
gpg --verify cloudbees-core-cm.war.asc cloudbees-core-cm.war
-
Operations center:
gpg --verify cloudbees-core-oc.war.asc cloudbees-core-oc.war
The output is similar to the following:
gpg: Signature made Wed Nov 29 12:08:28 2023 EST gpg: using RSA key 7CF656652123F836A5323AB138E2F5F39FF90BDA gpg: Good signature from "CloudBees, Inc. (Code signing) <info@cloudbees.com>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 7CF6 5665 2123 F836 A532 3AB1 38E2 F5F3 9FF9 0BDA
GPG responds with a message that indicates whether the WAR file is validated as authentic. If the message states that it is a good signature, the WAR file is authentic. If the WAR file is not validated as authentic, you should contact CloudBees Support.
-
For versions 2.426.1.x
and earlier
The CloudBees public GPG key is as follows:
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1 mQENBFaU9goBCAC/V/svxekI7Y/5am9Q6BpVcrG0IWxyhux3BejYHgCWKh4tt08M 7VvXncejezeOVZPJSHCVgRKwJOst2hKw+lJwhiaX847LRAeZwG6YbQ5Gd5OBEefN 3FMw4Ym6bzRrkQ213lJmmUOvFMDxs3nu1tScbJ6yyPe6FQyVlw30Di/rTTp5EzK6 5vmCG80lbWbUdyBTvoKkXAgHIjUYU4dV2pHvQL6a+CUbQsaC/UsTcGaPKNTQ3NsJ XPJoK0GmENvpP1VYWIo6SzAMay9ZP9qM7ksr6RgqA+LvznF0J8gqOPpipoqwIB1a 5xVxZfsBGHYq45F5dLboF69SeJ+ra8mQVHyZABEBAAG0M0Nsb3VkQmVlcywgSW5j LiAoQ29kZSBzaWduaW5nKSA8aW5mb0BjbG91ZGJlZXMuY29tPokBOAQTAQIAIgUC VpT2CgIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQOOL185/5C9pz4QgA tOk6+3PbAta8Pla9LCex1fDzJ2jBM7N5lblcvsa8yg2Tepkt0xzUSd29gaxTmsod ZTVj0vWktDlS2lBvlbCqcYtI7r030EHdO2V7cFGTTsjqlGmzBT/My1wdXOVBDBU2 mxG/pzWqQ1lcre+ojFN4bzQNGD+f2MHvoWxLO2YQGhavG13c3r4Basb11AEmaFjt 0y9so/1OepoUuqhUph4c/xwck82aY8gcfFePre+a3+SzkXuAS+aKPTgk0WxIoN1k JC9Z05wdwpecMbuhaKZjqF+3dDhebpBDpr8pLngA96647p9TDC5pQLxc3WHOzZ8S IEoqhy52gNo1ndQoMkBgs7kBDQRWlPYKAQgArGSLYnq75EjcYefQvivaNa00FhFu BN8KkuwRYebDhJXA6nOd530hxvVakYedz5MWaRs0tkqEThtqxEHc8Dt/3XZTNgEW ULnITV1U3RmBeBwaMrBTECE4B+tlQ0A5Tqbw6or8ACV/dAfyclTv+mrRXf033IRF 5LVInkVuP7BgRbNOU9dmq01CDflbyw21QfEIXaY8OTyy/BeBXdArzMwW/EWbUEIn V48Z8yaj6CuSdMNgrHtDSn1KNNCtPfofbW89Ofld1C21Iqqt6XieWkKZsTevzHjB X1qvbvVOq/i/lor7KTIMXJT+5ZFvSNJqtxE7gyvJeThhJNqaosllanBbpQARAQAB iQEfBBgBAgAJBQJWlPYKAhsMAAoJEDji9fOf+Qva7VgH/0s6RiaSepqJMMDE8WVM wMPjBCHxL83MVcuewirpw0i4JhB4entJYcEJB7a6WGPiW25OIjZj+OzZd2UU6Ojd VxbdYuSpCl2FDLPAzF79yS7cD/Fl0wuLbvN44t75jVqGoi3SXg+oPnqS8FONL7AE ntyxuMdeQhBC7Wj5FjOIfuw8ZwFheEhzEPtAbE9McRoDcuxB2EfdIAA5QdBRCAo/ /8yHI8EuFdwFXmjYKwg2VBlFJYttfNaAev5ZRBOekq4MqOEb3yGFZRSSvQQjZxZb GPCs/UlayiFIFeflgsIM7f52bo3KLFnul71X5yr/o3hWg7Q7loOzShdkhJM1ICkD X8s= =kNBt -----END PGP PUBLIC KEY BLOCK-----
To verify the authenticity of the CloudBees CI WAR files, complete the following steps:
-
Add the CloudBees public key to your GPG key store by using one of the following procedures:
-
Copy and paste the CloudBees public GPG key into a text file and import it.
-
Use the following command to create the text file, populate it with the CloudBees public GPG key, and import it:
echo -e "-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: GnuPG v1\n\nmQENBFaU9goBCAC/V/svxekI7Y/5am9Q6BpVcrG0IWxyhux3BejYHgCWKh4tt08M\n7VvXncejezeOVZPJSHCVgRKwJOst2hKw+lJwhiaX847LRAeZwG6YbQ5Gd5OBEefN\n3FMw4Ym6bzRrkQ213lJmmUOvFMDxs3nu1tScbJ6yyPe6FQyVlw30Di/rTTp5EzK6\n5vmCG80lbWbUdyBTvoKkXAgHIjUYU4dV2pHvQL6a+CUbQsaC/UsTcGaPKNTQ3NsJ\nXPJoK0GmENvpP1VYWIo6SzAMay9ZP9qM7ksr6RgqA+LvznF0J8gqOPpipoqwIB1a\n5xVxZfsBGHYq45F5dLboF69SeJ+ra8mQVHyZABEBAAG0M0Nsb3VkQmVlcywgSW5j\nLiAoQ29kZSBzaWduaW5nKSA8aW5mb0BjbG91ZGJlZXMuY29tPokBOAQTAQIAIgUC\nVpT2CgIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQOOL185/5C9pz4QgA\ntOk6+3PbAta8Pla9LCex1fDzJ2jBM7N5lblcvsa8yg2Tepkt0xzUSd29gaxTmsod\nZTVj0vWktDlS2lBvlbCqcYtI7r030EHdO2V7cFGTTsjqlGmzBT/My1wdXOVBDBU2\nmxG/pzWqQ1lcre+ojFN4bzQNGD+f2MHvoWxLO2YQGhavG13c3r4Basb11AEmaFjt\n0y9so/1OepoUuqhUph4c/xwck82aY8gcfFePre+a3+SzkXuAS+aKPTgk0WxIoN1k\nJC9Z05wdwpecMbuhaKZjqF+3dDhebpBDpr8pLngA96647p9TDC5pQLxc3WHOzZ8S\nIEoqhy52gNo1ndQoMkBgs7kBDQRWlPYKAQgArGSLYnq75EjcYefQvivaNa00FhFu\nBN8KkuwRYebDhJXA6nOd530hxvVakYedz5MWaRs0tkqEThtqxEHc8Dt/3XZTNgEW\nULnITV1U3RmBeBwaMrBTECE4B+tlQ0A5Tqbw6or8ACV/dAfyclTv+mrRXf033IRF\n5LVInkVuP7BgRbNOU9dmq01CDflbyw21QfEIXaY8OTyy/BeBXdArzMwW/EWbUEIn\nV48Z8yaj6CuSdMNgrHtDSn1KNNCtPfofbW89Ofld1C21Iqqt6XieWkKZsTevzHjB\nX1qvbvVOq/i/lor7KTIMXJT+5ZFvSNJqtxE7gyvJeThhJNqaosllanBbpQARAQAB\niQEfBBgBAgAJBQJWlPYKAhsMAAoJEDji9fOf+Qva7VgH/0s6RiaSepqJMMDE8WVM\nwMPjBCHxL83MVcuewirpw0i4JhB4entJYcEJB7a6WGPiW25OIjZj+OzZd2UU6Ojd\nVxbdYuSpCl2FDLPAzF79yS7cD/Fl0wuLbvN44t75jVqGoi3SXg+oPnqS8FONL7AE\nntyxuMdeQhBC7Wj5FjOIfuw8ZwFheEhzEPtAbE9McRoDcuxB2EfdIAA5QdBRCAo/\n/8yHI8EuFdwFXmjYKwg2VBlFJYttfNaAev5ZRBOekq4MqOEb3yGFZRSSvQQjZxZb\nGPCs/UlayiFIFeflgsIM7f52bo3KLFnul71X5yr/o3hWg7Q7loOzShdkhJM1ICkD\nX8s=\n=kNBt\n-----END PGP PUBLIC KEY BLOCK-----" > cloudbees.key gpg --import cloudbees.key
-
Use the following command to retrieve the CloudBees public GPG key from a key server:
gpg --verbose --keyserver keyserver.ubuntu.com --recv-keys 0x38E2F5F39FF90BDA
-
-
Download the WAR files and the WAR signature (
.asc
) files. -
Verify the WAR files with one of the following commands:
-
Controller:
gpg --verify cloudbees-core-cm.war.asc cloudbees-core-cm.war
-
Operations center:
gpg --verify cloudbees-core-oc.war.asc cloudbees-core-oc.war
The output is similar to the following:
gpg: Signature made Sat 01 Aug 2022 01:53:27 PM CEST gpg: using RSA key 0x38E2F5F39FF90BDA gpg: Good signature from "CloudBees, Inc. (Code signing)<info@cloudbees.com> gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 7CF6 5665 2123 F836 A532 3AB1 38E2 F5F3 9FF9 0BDA
GPG responds with a message that indicates whether the WAR file is validated as authentic. If the message states that it is a good signature, the WAR file is authentic. If the WAR file is not validated as authentic, you should contact CloudBees Support.
-