Each Jenkins instance maintains an RSA private/public key pair that can be used to uniquely identify Jenkins. This information is called "instance identity".

From outside, the public key can be obtained by sending a GET request to the top page of Jenkins and looking for the "X-Instance-Identity" header in the response. This header is always present, even when the response is a 401 access denied (which can happen if Jenkins is secured). The value is the base64-encoded ASN.1 DER serialization of an X.509 SubjectPublicKeyInfo record.

Plugins that run inside Jenkins can access this key pair programmatically through the org.jenkinsci.main.modules.instance_identity.InstanceIdentity class (add a provided-scope dependency on this module to your plugin).

Possible Use

  • Sometimes a Jenkins server is reachable through several URLs. This ID can be used to recognise that such URLs point at the same instance.
  • Plugins can use the private key to produce a digital signature over some data, so that other parties can later verify its origin.

1 Comment

  1. If you also wonder how to get an ssh fingerprint from X-Instance-Identity value, the following commands should help you.

    • Inspect the X.509 SubjectPublicKeyInfo record (cf. RFC 5280)
    curl -sfI https://ci.jenkins-ci.org/ | grep X-Instance-Identity | cut -d\  -f2 | base64 -di | openssl asn1parse -inform DER
    
    • Assuming the algorithm identifier is "rsaEncryption", the following should show the RSA modulus and exponent, which by convention equals 65537 (cf. RFC 3279)
    curl -sfI https://ci.jenkins-ci.org/ | grep X-Instance-Identity | cut -d\  -f2 | base64 -di | openssl asn1parse -inform DER -strparse 19
    
    curl -sfI https://ci.jenkins-ci.org/ | grep X-Instance-Identity | tr -d \\r | cut -d\  -f2 | base64 -d | dd bs=1 skip=32 count=257 status=none | xxd -p -c257 | sed s/^/00000007\ 7373682d727361\ 00000003\ 010001\ 00000101\ / | xxd -p -r | md5sum | cut -d\  -f1 | fold -w2 | paste -d: -s
    
    • Finally, the following command creates a jenkins.pub file with the server public key in the OpenSSH format, which is actually the SSH2 format (RFC 4716) with different delimiters.
    echo -n "ssh-rsa " > jenkins.pub && curl -sfI https://ci.jenkins-ci.org/ | grep X-Instance-Identity | tr -d \\r | cut -d\  -f2 | base64 -d | dd bs=1 skip=32 count=257 status=none | xxd -p -c257 | sed s/^/00000007\ 7373682d727361\ 00000003\ 010001\ 00000101\ / | xxd -p -r | base64 -w0 >> jenkins.pub && echo >> jenkins.pub
    
    • Now you can append the jenkins.pub contents to ~/.ssh/known_hosts or calculate its fingerprint with ssh-keygen.
    ssh-keygen -lf jenkins.pub
    

    I don't think I would be able to figure out all these commands without this answer by Ian Boyd at StackOverflow. Thank you, Ian!
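As an added example (not code from the page, the commenter, or Jenkins itself), the following standard-library Python does what the header description above and the shell commands in the comment do, but walks the DER structure instead of hard-coding the `skip=32 count=257` offsets, so it also handles RSA keys that are not 2048 bits. The SubjectPublicKeyInfo it parses is constructed inline from an arbitrary modulus and is not a real Jenkins key.

```python
import base64, hashlib, struct

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 = rsaEncryption

def _tlv(der, pos):  # read one DER tag-length-value at pos; returns (tag, value, next_pos)
    tag, length = der[pos], der[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length, e.g. 82 01 22 for a 2048-bit key
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + length], pos + length

def rsa_params_from_spki(header_value):
    """Return (modulus, exponent); rejects keys whose algorithm is not rsaEncryption."""
    _, spki, _ = _tlv(base64.b64decode(header_value.strip()), 0)
    _, alg, pos = _tlv(spki, 0)          # AlgorithmIdentifier SEQUENCE {OID, NULL}
    _, oid, _ = _tlv(alg, 0)
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    _, bitstr, _ = _tlv(spki, pos)       # BIT STRING; byte 0 = number of unused bits
    _, rsakey, _ = _tlv(bitstr[1:], 0)   # RSAPublicKey SEQUENCE {INTEGER n, INTEGER e}
    _, n, pos = _tlv(rsakey, 0)
    _, e, _ = _tlv(rsakey, pos)
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

def _be(i):  # big-endian bytes, leading 0x00 when the top bit is set (DER INTEGER / SSH mpint)
    return i.to_bytes((i.bit_length() + 8) // 8, "big")

def openssh_line(header_value):
    """'ssh-rsa AAAA...' line: RFC 4253 wire format = string "ssh-rsa", mpint e, mpint n."""
    n, e = rsa_params_from_spki(header_value)
    wire = b"".join(struct.pack(">I", len(f)) + f for f in (b"ssh-rsa", _be(e), _be(n)))
    return "ssh-rsa " + base64.b64encode(wire).decode()

def fingerprints(header_value):  # (MD5 colon form, SHA256 base64 form) as ssh-keygen -l prints them
    wire = base64.b64decode(openssh_line(header_value).split()[1])
    md5 = hashlib.md5(wire).hexdigest()
    sha = base64.b64encode(hashlib.sha256(wire).digest()).decode().rstrip("=")
    return "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "SHA256:" + sha

def _der(tag, value):  # minimal DER encoder, only used to build the constructed sample below
    n = (len(value).bit_length() + 7) // 8
    hdr = bytes([len(value)]) if len(value) < 128 else bytes([0x80 | n]) + len(value).to_bytes(n, "big")
    return bytes([tag]) + hdr + value

# Constructed sample, NOT a real Jenkins key: a 2048-bit-sized modulus made of arbitrary bytes.
SAMPLE_N, SAMPLE_E = int.from_bytes(b"\xc3" + bytes(range(255)), "big"), 65537
SAMPLE_DER = _der(0x30, _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    + _der(0x03, b"\x00" + _der(0x30, _der(0x02, _be(SAMPLE_N)) + _der(0x02, _be(SAMPLE_E)))))
SAMPLE_HEADER = base64.b64encode(SAMPLE_DER).decode()  # what the header value looks like
```

Feed the real header value (everything after `X-Instance-Identity: `) to `openssh_line` or `fingerprints`; the output matches what the shell pipeline and `ssh-keygen -lf jenkins.pub` produce for the same key.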