Skip to content

Commit

Permalink
Add docs about package verification (elastic#2224)
Browse files Browse the repository at this point in the history
* Add docs about package verification

* Fix doc build error

* Add info based on initial round of questions

* Resolve review comments and add a pointer to Fleet Settings doc
  • Loading branch information
dedemorton authored Nov 7, 2022
1 parent edfb818 commit 35dacb5
Show file tree
Hide file tree
Showing 2 changed files with 73 additions and 2 deletions.
7 changes: 7 additions & 0 deletions fleet/air-gapped.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,13 @@ For more information, refer to <<fleet-agent-proxy-support>>.
[[air-gapped-diy-epr]]
== Host your own {package-registry}

NOTE: The {package-registry} packages include signatures used in
<<package-signatures,package verification>>. By default, {fleet} uses the Elastic
public GPG key to verify package signatures. If you ever need to change this GPG
key, use the `xpack.fleet.packageVerification.gpgKeyPath` setting in
`kibana.yml`. For more information, refer to
{kibana-ref}/fleet-settings-kb.html[{fleet} settings].

If routing traffic through a proxy server is not an option, you can host your
own {package-registry}.

Expand Down
68 changes: 66 additions & 2 deletions integrations/package-signatures.asciidoc
Original file line number Diff line number Diff line change
@@ -1,4 +1,68 @@
[role="exclude",id="package-signatures"]
[[package-signatures]]
= Package signatures

coming[8.4.0]
All integration packages published by Elastic have package signatures that
prevent malicious attackers from tampering with package content. When you
install an Elastic integration, {kib} downloads the package and verifies the
package signature against a public key. If the package is unverified, you can
choose to force install it. However, it's strongly recommended that you avoid
installing unverified packages.

IMPORTANT: By installing an unverified package, you acknowledge that you
assume any risk involved.

To force installation of an unverified package:

* When using the {integrations} UI, you'll be prompted to confirm that you want
to install the unverified integration. Click **Install anyway** to force
installation.

* When using the {fleet} API, if you attempt to install an unverified package,
you'll see a 400 response code with a verification failed message. To force
installation, set the URL parameter `ignoreUnverified=true`. For more
information, refer to <<fleet-api-docs>>.

After installation, unverified {integrations} are flagged on the
**Installed integrations** tab of the {integrations} UI.

[discrete]
[[why-verify-packages]]
== Why is package verification necessary?

Integration packages contain instructions, such as ILM policies, transforms, and
mappings, that can significantly modify the structure of your {es} indices.
Relying solely on HTTPS DNS name validation to prove provenance of the package
is not a safe practice. A determined attacker could forge a certificate and
serve up packages intended to disrupt the target.

Installing verified packages ensures that your integration software has not been
corrupted or otherwise tampered with.

[discrete]
[[what-does-unverified-mean]]
== What does it mean for a package to be unverified?

Here are some situations where an integration package will fail verification
during installation:

* The package zip file on the Elastic server has been tampered with.
* The user has been maliciously redirected to a fake Elastic package registry.
* The public Elastic key has been compromised, and Elastic has signed packages
with an updated key.

Here are some reasons why an integration might be flagged as unverified after
installation:

* The integration package failed verification, but was force installed.
* The integration package was installed before {fleet} added support for package
signature verification.

[discrete]
[[what-if-key-changes]]
== What if the Elastic key changes in the future?

In the unlikely event that the Elastic signing key changes in the future, any
verified integration packages will continue to show as verified until new
packages are installed or existing ones are upgraded. If this happens, you can
set the `xpack.fleet.packageVerification.gpgKeyPath` setting in the `kibana.yml`
configuration file to use the new key.

0 comments on commit 35dacb5

Please sign in to comment.