Jenkins 2.562 and 2.555.2: Signed by LF Open Source, LLC
Beginning April 28, 2026 with Jenkins weekly 2.562, the MSI installer is signed using the Microsoft Artifact Signing Service. The installer is signed by LF Open Source, LLC, courtesy of the Linux Foundation. The same change will be made in Jenkins LTS 2.555.2 beginning May 13, 2026.
In the transition period, there are some changes to the installation process. We hope that these changes are temporary while the installer's reputation develops in Microsoft Defender SmartScreen.
Windows Edge - infrequently downloaded
Windows Edge, the default browser on Microsoft Windows, is integrated with Windows Defender SmartScreen. That integration causes new installers and new applications to be flagged as "infrequently downloaded".
Windows administrators who download the Jenkins installer with Microsoft Edge will need to click the "Keep anyway" button until Windows Defender SmartScreen decides the Jenkins MSI installer has enough reputation.
The Windows Edge dialog looks like this:

Windows Defender SmartScreen
When the MSI installer is run, Windows displays the SmartScreen prompt that says:
Microsoft Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk.
The dialog looks like this:

Click the "More info" link to change the dialog so that it displays the publisher of the signed MSI file. The publisher is "LF Open Source, LLC".
The dialog looks like this:

Press the "Run anyway" button and the MSI installer will run.
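The publisher shown behind "More info" can also be checked from PowerShell before the installer is run. This is an added example, not part of the original post or Jenkins project code; the installer path is supplied by the caller, and it assumes the signing certificate's simple name equals the publisher string "LF Open Source, LLC" given above.

```powershell
# Added example (not Jenkins project code): verify the Authenticode signature
# of a downloaded MSI before running it.
param(
    # Path to the downloaded installer (hypothetical, e.g. .\jenkins.msi)
    [Parameter(Mandatory)][string]$Path,
    # Publisher named in the post; assumed to match the certificate's simple name
    [string]$ExpectedPublisher = 'LF Open Source, LLC'
)

$file = (Resolve-Path -LiteralPath $Path).Path
$sig  = Get-AuthenticodeSignature -LiteralPath $file
$cert = $sig.SignerCertificate

# SimpleName is normally the CN of the subject; $null when the file is unsigned
$publisher = if ($cert) {
    $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName,
        $false)
} else { $null }

$statusOk    = $sig.Status -eq [System.Management.Automation.SignatureStatus]::Valid
$publisherOk = $publisher -ceq $ExpectedPublisher   # case-sensitive exact match

[pscustomobject]@{
    File        = $file
    Status      = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
    Message     = $sig.StatusMessage
    Publisher   = $publisher
    Issuer      = if ($cert) { $cert.Issuer } else { $null }
    # A timestamp lets the signature validate after the signing certificate expires
    Timestamped = [bool]$sig.TimeStamperCertificate
    Accept      = $statusOk -and $publisherOk
} | Format-List

if (-not $statusOk) {
    Write-Error "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
    exit 1
}
if (-not $publisherOk) {
    Write-Error "Signed by '$publisher', expected '$ExpectedPublisher'"
    exit 1
}
```

A `Valid` status only shows that the file is intact and chains to a trusted root, so the publisher comparison is what ties the file to the signer named in this post.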
Frequently Asked Questions
Why change the MSI signing?
The previous code signing certificate expires May 16, 2026. An unsigned MSI installer gives users an even worse experience than the Windows Defender SmartScreen prompts described above.
Why use LF Open Source, LLC?
The Linux Foundation has already pioneered the MSI installer signing process through their work with the NodeJS Foundation. We were able to use their experiences to quickly revise our MSI installer signing to use the same techniques used by the NodeJS Foundation.
We interact frequently with the Linux Foundation because they host the Jira issue tracker for the Jenkins project. Those interactions continue to help the Jenkins project.
The Linux Foundation is the parent organization of the Continuous Delivery Foundation. The Continuous Delivery Foundation is the parent organization of the Jenkins project and holds its intellectual property.
Why not purchase an extended validation code signing certificate?
Extended validation certificates require either a secure physical storage device or reliance on the code signing service of the certificate provider. We rarely interact with the certificate providers and find it difficult when we do. They are accustomed to working with corporations, not open source projects. Open source projects are not their primary income source and are not their target market.