Skip to content

Commit

Permalink
[8.10] [Fleet] Prefer sha256 for reading GPG package verification key (
Browse files Browse the repository at this point in the history
…#167149) (#167823)

# Backport

This will backport the following commits from `main` to `8.10`:
- [[Fleet] Prefer sha256 for reading GPG package verification key
(#167149)](#167149)

<!--- Backport version: 8.9.7 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Kyle
Pollich","email":"[email protected]"},"sourceCommit":{"committedDate":"2023-10-02T18:48:12Z","message":"[Fleet]
Prefer sha256 for reading GPG package verification key (#167149)\n\n##
Summary\n\nRef
https://github.com/elastic/elasticsearch/issues/85876\nFixes
https://github.com/elastic/kibana/issues/167153\n\nThe public Elastic
GPG key has been updated to use sha256 instead of\nsha1 for its hashing
algorithm. This PR updates Fleet's reading of that\nkey for package
verification to support that hashing algorithm
change.\n\n---------\n\nCo-authored-by: Kibana Machine
<[email protected]>","sha":"b2a7b55f0e753656225a1c7215a08676a9c04819","branchLabelMapping":{"^v8.11.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:Fleet","backport:prev-minor","v8.11.0"],"number":167149,"url":"https://github.com/elastic/kibana/pull/167149","mergeCommit":{"message":"[Fleet]
Prefer sha256 for reading GPG package verification key (#167149)\n\n##
Summary\n\nRef
https://github.com/elastic/elasticsearch/issues/85876\nFixes
https://github.com/elastic/kibana/issues/167153\n\nThe public Elastic
GPG key has been updated to use sha256 instead of\nsha1 for its hashing
algorithm. This PR updates Fleet's reading of that\nkey for package
verification to support that hashing algorithm
change.\n\n---------\n\nCo-authored-by: Kibana Machine
<[email protected]>","sha":"b2a7b55f0e753656225a1c7215a08676a9c04819"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v8.11.0","labelRegex":"^v8.11.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/167149","number":167149,"mergeCommit":{"message":"[Fleet]
Prefer sha256 for reading GPG package verification key (#167149)\n\n##
Summary\n\nRef
https://github.com/elastic/elasticsearch/issues/85876\nFixes
https://github.com/elastic/kibana/issues/167153\n\nThe public Elastic
GPG key has been updated to use sha256 instead of\nsha1 for its hashing
algorithm. This PR updates Fleet's reading of that\nkey for package
verification to support that hashing algorithm
change.\n\n---------\n\nCo-authored-by: Kibana Machine
<[email protected]>","sha":"b2a7b55f0e753656225a1c7215a08676a9c04819"}}]}]
BACKPORT-->

Co-authored-by: Kyle Pollich <[email protected]>
Co-authored-by: Julia Bardi <[email protected]>
  • Loading branch information
3 people authored Oct 3, 2023
1 parent cfbd78b commit a6ad364
Show file tree
Hide file tree
Showing 3 changed files with 13 additions and 4 deletions.
4 changes: 2 additions & 2 deletions src/dev/build/tasks/fleet/download_elastic_gpg_key.ts
Original file line number Diff line number Diff line change
Expand Up @@ -13,9 +13,9 @@ import { ToolingLog } from '@kbn/tooling-log';
import { downloadToDisk } from '../../lib';

const ARTIFACTS_URL = 'https://artifacts.elastic.co/';
const GPG_KEY_NAME = 'GPG-KEY-elasticsearch.sha1';
const GPG_KEY_NAME = 'GPG-KEY-elasticsearch';
const GPG_KEY_SHA512 =
'84ee193cc337344d9a7da9021daf3f5ede83f5f1ab049d169f3634921529dcd096abf7a91eec7f26f3a6913e5e38f88f69a5e2ce79ad155d46edc75705a648c6';
'62a567354286deb02baf5fc6b82ddf6c7067898723463da9ae65b132b8c6d6f064b2874e390885682376228eed166c1c82fe7f11f6c9a69f0c157029c548fa3d';

export async function downloadElasticGpgKey(pkgDir: string, log: ToolingLog) {
const gpgKeyUrl = ARTIFACTS_URL + GPG_KEY_NAME;
Expand Down
2 changes: 1 addition & 1 deletion x-pack/plugins/fleet/server/config.ts
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ import {
import { BULK_CREATE_MAX_ARTIFACTS_BYTES } from './services/artifacts/artifacts';

const DEFAULT_BUNDLED_PACKAGE_LOCATION = path.join(__dirname, '../target/bundled_packages');
const DEFAULT_GPG_KEY_PATH = path.join(__dirname, '../target/keys/GPG-KEY-elasticsearch.sha1');
const DEFAULT_GPG_KEY_PATH = path.join(__dirname, '../target/keys/GPG-KEY-elasticsearch');

export const config: PluginConfigDescriptor = {
exposeToBrowser: {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,9 @@ export async function _readGpgKey(): Promise<openpgp.Key | undefined> {
}
let key;
try {
key = await openpgp.readKey({ armoredKey: buffer.toString() });
key = await openpgp.readKey({
armoredKey: buffer.toString(),
});
} catch (e) {
logger.warn(`Unable to parse GPG key from '${gpgKeyPath}': ${e}`);
}
Expand Down Expand Up @@ -128,6 +130,13 @@ async function _verifyPackageSignature({
verificationKeys: verificationKey,
signature,
message,
config: {
// See https://github.com/openpgpjs/openpgpjs/blob/d6145ac73eebcf66bdeb0873aa60fc49361e1aeb/src/message.js#L800-L809
// Essentially, since the sha1 key was reformmated to sha256 as part of https://github.com/elastic/elasticsearch/issues/85876,
// there's an error around the creation timestamp for the key/signature. Passing this config allows the verification to succeed
// despite the key being reformatted.
allowInsecureVerificationWithReformattedKeys: true,
},
});

const signatureVerificationResult = verificationResult.signatures[0];
Expand Down

0 comments on commit a6ad364

Please sign in to comment.