
[Fleet] Prefer sha256 for reading GPG package verification key #167149

Merged
merged 8 commits into from
Oct 2, 2023

Conversation

kpollich
Member

@kpollich kpollich commented Sep 25, 2023

Summary

Ref elastic/elasticsearch#85876
Fixes #167153

The public Elastic GPG key has been updated to use sha256 instead of sha1 for its hashing algorithm. This PR updates Fleet's reading of that key for package verification to support that hashing algorithm change.

@kpollich kpollich added the Team:Fleet Team label for Observability Data Collection Fleet team label Sep 25, 2023
@kpollich kpollich self-assigned this Sep 25, 2023
@kpollich kpollich requested a review from a team as a code owner September 25, 2023 12:44
@elasticmachine
Contributor

Pinging @elastic/fleet (Team:Fleet)

@kpollich kpollich added the release_note:skip Skip the PR/issue when compiling release notes label Sep 25, 2023
@apmmachine
Contributor

🤖 GitHub comments


Just comment with:

  • /oblt-deploy : Deploy a Kibana instance using the Observability test environments.
  • /oblt-deploy-serverless : Deploy a serverless Kibana instance using the Observability test environments.
  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

@juliaElastic juliaElastic added the backport:prev-minor Backport to (8.x) the previous minor version (i.e. one version back from main) label Sep 25, 2023
@jlind23
Contributor

jlind23 commented Sep 27, 2023

@kpollich Will this fix issue #167153?

@kpollich
Member Author

@elasticmachine merge upstream

@kpollich kpollich requested a review from a team as a code owner September 29, 2023 18:16
@kpollich
Member Author

kpollich commented Oct 2, 2023

I've stepped through the verification process with the sha256 key downloaded locally and I see everything working as expected, so I'm going to continue trying to figure out what's going wrong in CI here.

@kpollich
Member Author

kpollich commented Oct 2, 2023

@elasticmachine merge upstream

@kpollich
Member Author

kpollich commented Oct 2, 2023

I found this comment deep in the openpgp.js source:

https://github.com/openpgpjs/openpgpjs/blob/d6145ac73eebcf66bdeb0873aa60fc49361e1aeb/src/message.js#L800-L809

Seems like providing this flag when we verify package signatures should fix the issue. I've got Cypress tests passing locally with this change.
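The comment above points at an openpgp.js option without naming it, and the underlying question is simply which digest the key's self-signatures are made with. As an added example (not Fleet's or openpgp.js's code), the following Node script walks the OpenPGP packets of an armored public key and reports the hash algorithm of every signature packet, which is the check an operator would run to confirm that a verification key is the sha256 one (RFC 4880 hash id 8) rather than the sha1 one (id 2) before touching verifier settings. The key material and armor are constructed inside the script and are not a real key; the function names `dearmor`, `signatureHashAlgorithms` and `usesOnlyStrongHashes` are chosen here.

```javascript
// Added example: inspect the hash algorithm used by each signature packet of an
// OpenPGP public key. Not Kibana/Fleet or openpgp.js code; uses only Node's Buffer.
const HASH_ALGOS = { 1: 'MD5', 2: 'SHA1', 3: 'RIPEMD160', 8: 'SHA256', 9: 'SHA384', 10: 'SHA512', 11: 'SHA224' };
const SIG_TYPES = { 0x10: 'generic certification', 0x13: 'positive certification', 0x18: 'subkey binding', 0x1f: 'direct key' };

// Decode an ASCII-armored block (RFC 4880 section 6.2): drop the BEGIN/END lines,
// the armor headers, the blank separator and the "=XXXX" CRC line, then base64-decode.
function dearmor(text) {
  const lines = text.split(/\r?\n/);
  const start = lines.findIndex((l) => l.startsWith('-----BEGIN PGP'));
  const end = lines.findIndex((l) => l.startsWith('-----END PGP'));
  if (start < 0 || end < 0) throw new Error('not an armored block');
  const body = lines.slice(start + 1, end);
  const blank = body.findIndex((l) => l.trim() === '');
  const data = body.slice(blank + 1).filter((l) => l && !l.startsWith('='));
  return Buffer.from(data.join(''), 'base64');
}

// Parse one packet header at `off`. Handles old-format (bit 6 clear) and new-format
// (bit 6 set) headers; partial and indeterminate body lengths are rejected.
function readPacketHeader(buf, off) {
  const b = buf[off];
  if ((b & 0x80) === 0) throw new Error(`invalid packet tag byte at offset ${off}`);
  if (b & 0x40) {
    const tag = b & 0x3f;
    const l1 = buf[off + 1];
    if (l1 < 192) return { tag, bodyStart: off + 2, bodyLen: l1 };
    if (l1 < 224) return { tag, bodyStart: off + 3, bodyLen: ((l1 - 192) << 8) + buf[off + 2] + 192 };
    if (l1 === 255) return { tag, bodyStart: off + 6, bodyLen: buf.readUInt32BE(off + 2) };
    throw new Error('partial body lengths not supported');
  }
  const tag = (b >> 2) & 0x0f;
  const lenType = b & 0x03;
  if (lenType === 0) return { tag, bodyStart: off + 2, bodyLen: buf[off + 1] };
  if (lenType === 1) return { tag, bodyStart: off + 3, bodyLen: buf.readUInt16BE(off + 1) };
  if (lenType === 2) return { tag, bodyStart: off + 5, bodyLen: buf.readUInt32BE(off + 1) };
  throw new Error('indeterminate packet length not supported');
}

// Walk every packet and record the hash algorithm of each v4 signature packet (tag 2).
// In a v4 signature the first four body octets are version, signature type,
// public-key algorithm and hash algorithm.
function signatureHashAlgorithms(buf) {
  const out = [];
  let off = 0;
  while (off < buf.length) {
    const { tag, bodyStart, bodyLen } = readPacketHeader(buf, off);
    if (bodyStart + bodyLen > buf.length) throw new Error('truncated packet');
    if (tag === 2) {
      const version = buf[bodyStart];
      if (version !== 4) throw new Error(`unsupported signature version ${version}`);
      const sigType = buf[bodyStart + 1];
      const hashId = buf[bodyStart + 3];
      out.push({
        sigType: SIG_TYPES[sigType] || `0x${sigType.toString(16)}`,
        hash: HASH_ALGOS[hashId] || `unknown(${hashId})`,
      });
    }
    off = bodyStart + bodyLen;
  }
  return out;
}

// Defender's check: true only if the key carries at least one signature and every
// signature uses a digest from the allowed set.
function usesOnlyStrongHashes(buf, allowed = new Set(['SHA256', 'SHA384', 'SHA512'])) {
  const sigs = signatureHashAlgorithms(buf);
  return sigs.length > 0 && sigs.every((s) => allowed.has(s.hash));
}

// Constructed sample (NOT a real key): a public-key packet (tag 6, old-format header
// 0x98), a user-ID packet (tag 13, header 0xB4) and one positive-certification
// signature packet (tag 2, header 0x88) whose hash-algorithm octet is `hashId`.
function buildSampleKey(hashId) {
  const pubKey = Buffer.from([0x98, 0x09, 0x04, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x01]);
  const userId = Buffer.concat([Buffer.from([0xb4, 0x04]), Buffer.from('test')]);
  const sig = Buffer.from([0x88, 0x0d, 0x04, 0x13, 0x01, hashId, 0x00, 0x00, 0x00, 0x00, 0xab, 0xcd, 0x00, 0x01, 0x01]);
  return Buffer.concat([pubKey, userId, sig]);
}

// Wrap constructed packets in armor; the CRC line is a placeholder since dearmor ignores it.
function armor(buf) {
  return ['-----BEGIN PGP PUBLIC KEY BLOCK-----', 'Comment: constructed sample', '',
    buf.toString('base64'), '=AAAA', '-----END PGP PUBLIC KEY BLOCK-----'].join('\n');
}

const SAMPLE_SHA256_KEY = armor(buildSampleKey(8));
const SAMPLE_SHA1_KEY = armor(buildSampleKey(2));

console.log(signatureHashAlgorithms(dearmor(SAMPLE_SHA256_KEY)));
console.log('sha256 key acceptable:', usesOnlyStrongHashes(dearmor(SAMPLE_SHA256_KEY)));
console.log('sha1 key acceptable:', usesOnlyStrongHashes(dearmor(SAMPLE_SHA1_KEY)));
```

Run it against a real armored key by passing the file contents to `dearmor`; the list it returns shows, per self-signature and subkey binding, which digest the key was certified with, so a key rollover like the one in this PR can be confirmed independently of whatever options the verifier library exposes.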

@kpollich
Member Author

kpollich commented Oct 2, 2023

@elastic/kibana-operations - I've fixed Fleet's issues with the new sha256 GPG key here. Just need a codeowner review to sign off on this whenever you're able 🙏

@kpollich
Member Author

kpollich commented Oct 2, 2023

@elasticmachine merge upstream

@@ -128,6 +130,13 @@ async function _verifyPackageSignature({
verificationKeys: verificationKey,
signature,
message,
config: {
// See https://github.com/openpgpjs/openpgpjs/blob/d6145ac73eebcf66bdeb0873aa60fc49361e1aeb/src/message.js#L800-L809
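Review bot: the comment opening the new `config` block only links to a line range in a pinned openpgp.js commit and does not say which option is being set or why Fleet needs it; state the reason in the comment itself (per the PR summary, the Elastic key's hashing algorithm moved from sha1 to sha256 and the default verification path rejected it) so the justification survives if that upstream line range moves, and since this option needed a sign-off from the security owners, record that trade-off next to it rather than only in the review thread.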
Member

@elastic/kibana-security can you take a look?

Contributor

Thanks for the tag @jbudz! Using this config option is alright with us given the context. LGTM!

@kibana-ci
Collaborator

💛 Build succeeded, but was flaky

Failed CI Steps

Test Failures

  • [job] [logs] Defend Workflows Cypress Tests #4 / Artifact pages Trusted applications should update Endpoint Policy on Endpoint when adding Trusted application name should update Endpoint Policy on Endpoint when adding Trusted application name

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @kpollich

@kpollich kpollich merged commit b2a7b55 into elastic:main Oct 2, 2023
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Oct 2, 2023
…ic#167149)

## Summary

Ref elastic/elasticsearch#85876
Fixes elastic#167153

The public Elastic GPG key has been updated to use sha256 instead of
sha1 for its hashing algorithm. This PR updates Fleet's reading of that
key for package verification to support that hashing algorithm change.

---------

Co-authored-by: Kibana Machine <[email protected]>
(cherry picked from commit b2a7b55)
@kibanamachine
Contributor

💚 All backports created successfully

Status Branch Result
8.10

Note: Successful backport PRs will be merged automatically after passing CI.

Questions ?

Please refer to the Backport tool documentation

kibanamachine added a commit that referenced this pull request Oct 3, 2023
…#167149) (#167823)

# Backport

This will backport the following commits from `main` to `8.10`:
- [[Fleet] Prefer sha256 for reading GPG package verification key
(#167149)](#167149)


### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)


Co-authored-by: Kyle Pollich <[email protected]>
Co-authored-by: Julia Bardi <[email protected]>
Labels
backport:prev-minor Backport to (8.x) the previous minor version (i.e. one version back from main) release_note:skip Skip the PR/issue when compiling release notes Team:Fleet Team label for Observability Data Collection Fleet team v8.10.3 v8.11.0
Development

Successfully merging this pull request may close these issues.

Start using new GPG key
9 participants