Use the properly signed version, and make sure this will never happen

again.

changelog.html

@@ -63,6 +63,9 @@ Upcoming changes</a>
 <div id="rc" style="display:none;"><!--=BEGIN=-->
 <h3><a name=v1.424>What's new in 1.424</a> <!--=DATE=--></h3>
 <ul class=image>
+  <li class='major bug'>
+    Java Web Start binaries weren't signed.
+    (<a href="http://jenkins.361315.n4.nabble.com/Launching-slave-agent-not-working-since-upgrading-from-1-421-to-1-423-td3696291.html">report</a>)
   <li class=bug>
     Fixed Maven build error if headless option is set and MAVEN_OPTS empty
     (<a href="https://issues.jenkins-ci.org/browse/JENKINS-10375">issue 10375</a>)

core/src/test/java/jenkins/RemotingJarSignatureTest.java

+package jenkins;
+
+import hudson.remoting.Channel;
+import hudson.remoting.Which;
+import hudson.util.IOUtils;
+import org.apache.commons.io.output.NullOutputStream;
+import org.junit.Assert;
+import org.junit.Test;
+
+import java.io.File;
+import java.util.Enumeration;
+import java.util.jar.JarEntry;
+import java.util.jar.JarFile;
+
+/**
+ * @author Kohsuke Kawaguchi
+ */
+public class RemotingJarSignatureTest {
+    /**
+     * Makes sure that the remoting jar is properly signed.
+     */
+    @Test
+    public void testSignature() throws Exception {
+        File jar = Which.jarFile(Channel.class);
+//        File jar = new File("/home/kohsuke/.m2/repository/org/jenkins-ci/main/remoting/1.421/remoting-1.421.jar");
+//        File jar = new File("/home/kohsuke/.m2/repository/org/jenkins-ci/main/remoting/2.0/remoting-2.0.jar");
+        System.out.println("Verifying "+jar);
+
+        JarFile myJar = new JarFile(jar,true);
+
+        Enumeration<JarEntry> entries = myJar.entries();
+        while (entries.hasMoreElements()) {
+            JarEntry entry = entries.nextElement();
+            if (entry.isDirectory())    continue;
+
+            // unsigned files that are related to signatures
+            String name = entry.getName();
+            if (name.equals("META-INF/MANIFEST.MF")) continue;
+            if (name.startsWith("META-INF/") && name.endsWith(".SF")) continue;
+            if (name.startsWith("META-INF/") && name.endsWith(".RSA")) continue;
+
+            // make sure bits are signed
+            IOUtils.copy(myJar.getInputStream(entry), new NullOutputStream());
+            if (entry.getCodeSigners()==null) {
+                Assert.fail("No signature for " + name);
+            }
+        }
+    }
+}

pom.xml

@@ -133,7 +133,7 @@ THE SOFTWARE.
       <dependency>
         <groupId>org.jenkins-ci.main</groupId>
         <artifactId>remoting</artifactId>
-        <version>2.2</version>
+        <version>2.4</version>
       </dependency>
     </dependencies>
   </dependencyManagement>