From 5219a8332d09223e0854d60af1a7a37856ea92c0 Mon Sep 17 00:00:00 2001 From: Kyle Pollich Date: Mon, 25 Sep 2023 08:41:52 -0400 Subject: [PATCH 1/5] Prefer sha256 for reading GPG package verification key --- .../server/services/epm/packages/package_verification.ts | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/x-pack/plugins/fleet/server/services/epm/packages/package_verification.ts b/x-pack/plugins/fleet/server/services/epm/packages/package_verification.ts index b4432e8919d0..7179b04138b1 100644 --- a/x-pack/plugins/fleet/server/services/epm/packages/package_verification.ts +++ b/x-pack/plugins/fleet/server/services/epm/packages/package_verification.ts @@ -57,7 +57,12 @@ export async function _readGpgKey(): Promise { } let key; try { - key = await openpgp.readKey({ armoredKey: buffer.toString() }); + key = await openpgp.readKey({ + armoredKey: buffer.toString(), + config: { + preferredHashAlgorithm: openpgp.enums.hash.sha256, + }, + }); } catch (e) { logger.warn(`Unable to parse GPG key from '${gpgKeyPath}': ${e}`); } From 23f96baefa6bb6206174335c74f2f2165c8add6b Mon Sep 17 00:00:00 2001 From: Kyle Pollich Date: Mon, 25 Sep 2023 12:21:11 -0400 Subject: [PATCH 2/5] Set hashing algorithm in package verification calls --- .../server/services/epm/packages/package_verification.ts | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/x-pack/plugins/fleet/server/services/epm/packages/package_verification.ts b/x-pack/plugins/fleet/server/services/epm/packages/package_verification.ts index 7179b04138b1..3044755c94d5 100644 --- a/x-pack/plugins/fleet/server/services/epm/packages/package_verification.ts +++ b/x-pack/plugins/fleet/server/services/epm/packages/package_verification.ts @@ -123,6 +123,9 @@ async function _verifyPackageSignature({ }): Promise { const signature = await openpgp.readSignature({ armoredSignature: pkgArchiveSignature, + config: { + preferredHashAlgorithm: openpgp.enums.hash.sha256, + }, }); const message = await openpgp.createMessage({ @@ -133,6 +136,9 @@ async function _verifyPackageSignature({ verificationKeys: verificationKey, signature, message, + config: { + preferredHashAlgorithm: openpgp.enums.hash.sha256, + }, }); const signatureVerificationResult = verificationResult.signatures[0]; From 2ef25ab071a52e736cddcd0bb3481e55aaab03a0 Mon Sep 17 00:00:00 2001 From: Kyle Pollich Date: Fri, 29 Sep 2023 14:16:22 -0400 Subject: [PATCH 3/5] Try with default key instead of .sha1 --- src/dev/build/tasks/fleet/download_elastic_gpg_key.ts | 2 +- x-pack/plugins/fleet/server/config.ts | 2 +- .../server/services/epm/packages/package_verification.ts | 9 --------- 3 files changed, 2 insertions(+), 11 deletions(-) diff --git a/src/dev/build/tasks/fleet/download_elastic_gpg_key.ts b/src/dev/build/tasks/fleet/download_elastic_gpg_key.ts index 6cd0b351c4d3..85e927001bd4 100644 --- a/src/dev/build/tasks/fleet/download_elastic_gpg_key.ts +++ b/src/dev/build/tasks/fleet/download_elastic_gpg_key.ts @@ -13,7 +13,7 @@ import { ToolingLog } from '@kbn/tooling-log'; import { downloadToDisk } from '../../lib'; const ARTIFACTS_URL = 'https://artifacts.elastic.co/'; -const GPG_KEY_NAME = 'GPG-KEY-elasticsearch.sha1'; +const GPG_KEY_NAME = 'GPG-KEY-elasticsearch'; const GPG_KEY_SHA512 = '84ee193cc337344d9a7da9021daf3f5ede83f5f1ab049d169f3634921529dcd096abf7a91eec7f26f3a6913e5e38f88f69a5e2ce79ad155d46edc75705a648c6'; diff --git a/x-pack/plugins/fleet/server/config.ts b/x-pack/plugins/fleet/server/config.ts index 3dbcf8a795bb..8426e46a0814 100644 --- a/x-pack/plugins/fleet/server/config.ts +++ b/x-pack/plugins/fleet/server/config.ts @@ -27,7 +27,7 @@ import { import { BULK_CREATE_MAX_ARTIFACTS_BYTES } from './services/artifacts/artifacts'; const DEFAULT_BUNDLED_PACKAGE_LOCATION = path.join(__dirname, '../target/bundled_packages'); -const DEFAULT_GPG_KEY_PATH = path.join(__dirname, '../target/keys/GPG-KEY-elasticsearch.sha1'); +const DEFAULT_GPG_KEY_PATH = path.join(__dirname, '../target/keys/GPG-KEY-elasticsearch'); const REGISTRY_SPEC_MAX_VERSION = '3.0'; diff --git a/x-pack/plugins/fleet/server/services/epm/packages/package_verification.ts b/x-pack/plugins/fleet/server/services/epm/packages/package_verification.ts index 3044755c94d5..5e8091df11db 100644 --- a/x-pack/plugins/fleet/server/services/epm/packages/package_verification.ts +++ b/x-pack/plugins/fleet/server/services/epm/packages/package_verification.ts @@ -59,9 +59,6 @@ export async function _readGpgKey(): Promise { try { key = await openpgp.readKey({ armoredKey: buffer.toString(), - config: { - preferredHashAlgorithm: openpgp.enums.hash.sha256, - }, }); } catch (e) { logger.warn(`Unable to parse GPG key from '${gpgKeyPath}': ${e}`); @@ -123,9 +120,6 @@ async function _verifyPackageSignature({ }): Promise { const signature = await openpgp.readSignature({ armoredSignature: pkgArchiveSignature, - config: { - preferredHashAlgorithm: openpgp.enums.hash.sha256, - }, }); const message = await openpgp.createMessage({ @@ -136,9 +130,6 @@ async function _verifyPackageSignature({ verificationKeys: verificationKey, signature, message, - config: { - preferredHashAlgorithm: openpgp.enums.hash.sha256, - }, }); const signatureVerificationResult = verificationResult.signatures[0]; From 4a514150d5df3f09319b9f8eead3a5d95e13486d Mon Sep 17 00:00:00 2001 From: Kyle Pollich Date: Fri, 29 Sep 2023 14:24:43 -0400 Subject: [PATCH 4/5] Update checksum --- src/dev/build/tasks/fleet/download_elastic_gpg_key.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/dev/build/tasks/fleet/download_elastic_gpg_key.ts b/src/dev/build/tasks/fleet/download_elastic_gpg_key.ts index 85e927001bd4..483a342ba300 100644 --- a/src/dev/build/tasks/fleet/download_elastic_gpg_key.ts +++ b/src/dev/build/tasks/fleet/download_elastic_gpg_key.ts @@ -15,7 +15,7 @@ import { downloadToDisk } from '../../lib'; const ARTIFACTS_URL = 'https://artifacts.elastic.co/'; const GPG_KEY_NAME = 'GPG-KEY-elasticsearch'; const GPG_KEY_SHA512 = - '84ee193cc337344d9a7da9021daf3f5ede83f5f1ab049d169f3634921529dcd096abf7a91eec7f26f3a6913e5e38f88f69a5e2ce79ad155d46edc75705a648c6'; + '62a567354286deb02baf5fc6b82ddf6c7067898723463da9ae65b132b8c6d6f064b2874e390885682376228eed166c1c82fe7f11f6c9a69f0c157029c548fa3d'; export async function downloadElasticGpgKey(pkgDir: string, log: ToolingLog) { const gpgKeyUrl = ARTIFACTS_URL + GPG_KEY_NAME; From 4a892453d7b36663fe2455738ea2bf5f71606884 Mon Sep 17 00:00:00 2001 From: Kyle Pollich Date: Mon, 2 Oct 2023 10:07:12 -0400 Subject: [PATCH 5/5] Add config flag to allow insecure verification --- .../server/services/epm/packages/package_verification.ts | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/x-pack/plugins/fleet/server/services/epm/packages/package_verification.ts b/x-pack/plugins/fleet/server/services/epm/packages/package_verification.ts index 5e8091df11db..92068dfcd424 100644 --- a/x-pack/plugins/fleet/server/services/epm/packages/package_verification.ts +++ b/x-pack/plugins/fleet/server/services/epm/packages/package_verification.ts @@ -130,6 +130,13 @@ async function _verifyPackageSignature({ verificationKeys: verificationKey, signature, message, + config: { + // See https://github.com/openpgpjs/openpgpjs/blob/d6145ac73eebcf66bdeb0873aa60fc49361e1aeb/src/message.js#L800-L809 + // Essentially, since the sha1 key was reformmated to sha256 as part of https://github.com/elastic/elasticsearch/issues/85876, + // there's an error around the creation timestamp for the key/signature. Passing this config allows the verification to succeed + // despite the key being reformatted. + allowInsecureVerificationWithReformattedKeys: true, + }, }); const signatureVerificationResult = verificationResult.signatures[0];