forked from elastic/observability-docs
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add docs about package verification (elastic#2224)
* Add docs about package verification * Fix doc build error * Add info based on initial round of questions * Resolve review comments and add a pointer to Fleet Settings doc
- Loading branch information
1 parent
edfb818
commit 35dacb5
Showing
2 changed files
with
73 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,68 @@ | ||
[role="exclude",id="package-signatures"] | ||
[[package-signatures]] | ||
= Package signatures | ||
|
||
coming[8.4.0] | ||
All integration packages published by Elastic have package signatures that | ||
prevent malicious attackers from tampering with package content. When you | ||
install an Elastic integration, {kib} downloads the package and verifies the | ||
package signature against a public key. If the package is unverified, you can | ||
choose to force install it. However, it's strongly recommended that you avoid | ||
installing unverified packages. | ||
|
||
IMPORTANT: By installing an unverified package, you acknowledge that you | ||
assume any risk involved. | ||
|
||
To force installation of an unverified package: | ||
|
||
* When using the {integrations} UI, you'll be prompted to confirm that you want | ||
to install the unverified integration. Click **Install anyway** to force | ||
installation. | ||
|
||
* When using the {fleet} API, if you attempt to install an unverified package, | ||
you'll see a 400 response code with a verification failed message. To force | ||
installation, set the URL parameter `ignoreUnverified=true`. For more | ||
information, refer to <<fleet-api-docs>>. | ||
|
||
After installation, unverified {integrations} are flagged on the | ||
**Installed integrations** tab of the {integrations} UI. | ||
|
||
[discrete] | ||
[[why-verify-packages]] | ||
== Why is package verification necessary? | ||
|
||
Integration packages contain instructions, such as ILM policies, transforms, and | ||
mappings, that can significantly modify the structure of your {es} indices. | ||
Relying solely on HTTPS DNS name validation to prove provenance of the package | ||
is not a safe practice. A determined attacker could forge a certificate and | ||
serve up packages intended to disrupt the target. | ||
|
||
Installing verified packages ensures that your integration software has not been | ||
corrupted or otherwise tampered with. | ||
|
||
[discrete] | ||
[[what-does-unverified-mean]] | ||
== What does it mean for a package to be unverified? | ||
|
||
Here are some situations where an integration package will fail verification | ||
during installation: | ||
|
||
* The package zip file on the Elastic server has been tampered with. | ||
* The user has been maliciously redirected to a fake Elastic package registry. | ||
* The public Elastic key has been compromised, and Elastic has signed packages | ||
with an updated key. | ||
|
||
Here are some reasons why an integration might be flagged as unverified after | ||
installation: | ||
|
||
* The integration package failed verification, but was force installed. | ||
* The integration package was installed before {fleet} added support for package | ||
signature verification. | ||
|
||
[discrete] | ||
[[what-if-key-changes]] | ||
== What if the Elastic key changes in the future? | ||
|
||
In the unlikely event that the Elastic signing key changes in the future, any | ||
verified integration packages will continue to show as verified until new | ||
packages are installed or existing ones are upgraded. If this happens, you can | ||
set the `xpack.fleet.packageVerification.gpgKeyPath` setting in the `kibana.yml` | ||
configuration file to use the new key. |