From a6ad364853a17646bc32e25777cce22a28afa9e0 Mon Sep 17 00:00:00 2001 From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Date: Tue, 3 Oct 2023 05:34:21 -0400 Subject: [PATCH] [8.10] [Fleet] Prefer sha256 for reading GPG package verification key (#167149) (#167823) # Backport This will backport the following commits from `main` to `8.10`: - [[Fleet] Prefer sha256 for reading GPG package verification key (#167149)](https://github.com/elastic/kibana/pull/167149) ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) Co-authored-by: Kyle Pollich Co-authored-by: Julia Bardi <90178898+juliaElastic@users.noreply.github.com> --- src/dev/build/tasks/fleet/download_elastic_gpg_key.ts | 4 ++-- x-pack/plugins/fleet/server/config.ts | 2 +- .../services/epm/packages/package_verification.ts | 11 ++++++++++- 3 files changed, 13 insertions(+), 4 deletions(-) diff --git a/src/dev/build/tasks/fleet/download_elastic_gpg_key.ts b/src/dev/build/tasks/fleet/download_elastic_gpg_key.ts index 6cd0b351c4d31..483a342ba300e 100644 --- a/src/dev/build/tasks/fleet/download_elastic_gpg_key.ts +++ b/src/dev/build/tasks/fleet/download_elastic_gpg_key.ts @@ -13,9 +13,9 @@ import { ToolingLog } from '@kbn/tooling-log'; import { downloadToDisk } from '../../lib'; const ARTIFACTS_URL = 'https://artifacts.elastic.co/'; -const GPG_KEY_NAME = 'GPG-KEY-elasticsearch.sha1'; +const GPG_KEY_NAME = 'GPG-KEY-elasticsearch'; const GPG_KEY_SHA512 = - '84ee193cc337344d9a7da9021daf3f5ede83f5f1ab049d169f3634921529dcd096abf7a91eec7f26f3a6913e5e38f88f69a5e2ce79ad155d46edc75705a648c6'; + '62a567354286deb02baf5fc6b82ddf6c7067898723463da9ae65b132b8c6d6f064b2874e390885682376228eed166c1c82fe7f11f6c9a69f0c157029c548fa3d'; export async function downloadElasticGpgKey(pkgDir: string, log: ToolingLog) { const gpgKeyUrl = ARTIFACTS_URL + GPG_KEY_NAME; diff --git a/x-pack/plugins/fleet/server/config.ts b/x-pack/plugins/fleet/server/config.ts index dea1852c5d8f4..60d62c099498e 100644 --- a/x-pack/plugins/fleet/server/config.ts +++ b/x-pack/plugins/fleet/server/config.ts @@ -27,7 +27,7 @@ import { import { BULK_CREATE_MAX_ARTIFACTS_BYTES } from './services/artifacts/artifacts'; const DEFAULT_BUNDLED_PACKAGE_LOCATION = path.join(__dirname, '../target/bundled_packages'); -const DEFAULT_GPG_KEY_PATH = path.join(__dirname, '../target/keys/GPG-KEY-elasticsearch.sha1'); +const DEFAULT_GPG_KEY_PATH = path.join(__dirname, '../target/keys/GPG-KEY-elasticsearch'); export const config: PluginConfigDescriptor = { exposeToBrowser: { diff --git a/x-pack/plugins/fleet/server/services/epm/packages/package_verification.ts b/x-pack/plugins/fleet/server/services/epm/packages/package_verification.ts index b4432e8919d0c..92068dfcd424d 100644 --- a/x-pack/plugins/fleet/server/services/epm/packages/package_verification.ts +++ b/x-pack/plugins/fleet/server/services/epm/packages/package_verification.ts @@ -57,7 +57,9 @@ export async function _readGpgKey(): Promise { } let key; try { - key = await openpgp.readKey({ armoredKey: buffer.toString() }); + key = await openpgp.readKey({ + armoredKey: buffer.toString(), + }); } catch (e) { logger.warn(`Unable to parse GPG key from '${gpgKeyPath}': ${e}`); } @@ -128,6 +130,13 @@ async function _verifyPackageSignature({ verificationKeys: verificationKey, signature, message, + config: { + // See https://github.com/openpgpjs/openpgpjs/blob/d6145ac73eebcf66bdeb0873aa60fc49361e1aeb/src/message.js#L800-L809 + // Essentially, since the sha1 key was reformmated to sha256 as part of https://github.com/elastic/elasticsearch/issues/85876, + // there's an error around the creation timestamp for the key/signature. Passing this config allows the verification to succeed + // despite the key being reformatted. + allowInsecureVerificationWithReformattedKeys: true, + }, }); const signatureVerificationResult = verificationResult.signatures[0];