[Fleet] Prefer sha256 for reading GPG package verification key #167149
Pinging @elastic/fleet (Team:Fleet)
@elasticmachine merge upstream
I've stepped through the verification process with the sha256 key downloaded locally and I see everything working as expected, so I'm going to continue trying to figure out what's going wrong in CI here.
@elasticmachine merge upstream
I found this comment deep in the openpgp.js source: Seems like providing this flag when we verify package signatures should fix the issue. I've got Cypress tests passing locally with this change.
@elastic/kibana-operations - I've fixed Fleet's issues with the new sha256 GPG key here. Just need a codeowner review to sign off on this whenever you're able 🙏
@elasticmachine merge upstream
@@ -128,6 +130,13 @@ async function _verifyPackageSignature({ | |||
verificationKeys: verificationKey, | |||
signature, | |||
message, | |||
config: { | |||
// See https://github.com/openpgpjs/openpgpjs/blob/d6145ac73eebcf66bdeb0873aa60fc49361e1aeb/src/message.js#L800-L809 |
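Review bot: the comment at the top of the new `config:` block in `_verifyPackageSignature` only links to a line range in openpgpjs `src/message.js`, so a reader cannot tell from this file which check the override changes or why Fleet needs it. Because this is the package signature verification path, state the reason in words next to the link (what behaviour the option alters, and that it is needed for the updated verification key), and note what is still enforced, so the override can be re-evaluated later without following the link.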
@elastic/kibana-security can you take a look?
Thanks for the tag @jbudz! Using this config option is alright with us given the context. LGTM!
💛 Build succeeded, but was flaky
To update your PR or re-run it, just comment with:
cc @kpollich
…ic#167149)

## Summary

Ref elastic/elasticsearch#85876
Fixes elastic#167153

The public Elastic GPG key has been updated to use sha256 instead of sha1 for its hashing algorithm. This PR updates Fleet's reading of that key for package verification to support that hashing algorithm change.

---------

Co-authored-by: Kibana Machine <[email protected]>
(cherry picked from commit b2a7b55)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI.
Questions? Please refer to the Backport tool documentation
…#167149) (#167823)

# Backport

This will backport the following commits from `main` to `8.10`:
- [[Fleet] Prefer sha256 for reading GPG package verification key (#167149)](#167149)

<!--- Backport version: 8.9.7 -->

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

Co-authored-by: Kyle Pollich <[email protected]>
Co-authored-by: Julia Bardi <[email protected]>
Summary
Ref elastic/elasticsearch#85876
Fixes #167153
The public Elastic GPG key has been updated to use sha256 instead of sha1 for its hashing algorithm. This PR updates Fleet's reading of that key for package verification to support that hashing algorithm change.