Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Fleet] Prefer sha256 for reading GPG package verification key #167149

Merged
merged 8 commits into from
Oct 2, 2023
4 changes: 2 additions & 2 deletions src/dev/build/tasks/fleet/download_elastic_gpg_key.ts
Original file line number Diff line number Diff line change
Expand Up @@ -13,9 +13,9 @@ import { ToolingLog } from '@kbn/tooling-log';
import { downloadToDisk } from '../../lib';

const ARTIFACTS_URL = 'https://artifacts.elastic.co/';
const GPG_KEY_NAME = 'GPG-KEY-elasticsearch.sha1';
const GPG_KEY_NAME = 'GPG-KEY-elasticsearch';
const GPG_KEY_SHA512 =
'84ee193cc337344d9a7da9021daf3f5ede83f5f1ab049d169f3634921529dcd096abf7a91eec7f26f3a6913e5e38f88f69a5e2ce79ad155d46edc75705a648c6';
'62a567354286deb02baf5fc6b82ddf6c7067898723463da9ae65b132b8c6d6f064b2874e390885682376228eed166c1c82fe7f11f6c9a69f0c157029c548fa3d';

export async function downloadElasticGpgKey(pkgDir: string, log: ToolingLog) {
const gpgKeyUrl = ARTIFACTS_URL + GPG_KEY_NAME;
Expand Down
2 changes: 1 addition & 1 deletion x-pack/plugins/fleet/server/config.ts
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ import {
import { BULK_CREATE_MAX_ARTIFACTS_BYTES } from './services/artifacts/artifacts';

const DEFAULT_BUNDLED_PACKAGE_LOCATION = path.join(__dirname, '../target/bundled_packages');
const DEFAULT_GPG_KEY_PATH = path.join(__dirname, '../target/keys/GPG-KEY-elasticsearch.sha1');
const DEFAULT_GPG_KEY_PATH = path.join(__dirname, '../target/keys/GPG-KEY-elasticsearch');

const REGISTRY_SPEC_MAX_VERSION = '3.0';

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,9 @@ export async function _readGpgKey(): Promise<openpgp.Key | undefined> {
}
let key;
try {
key = await openpgp.readKey({ armoredKey: buffer.toString() });
key = await openpgp.readKey({
armoredKey: buffer.toString(),
});
} catch (e) {
logger.warn(`Unable to parse GPG key from '${gpgKeyPath}': ${e}`);
}
Expand Down Expand Up @@ -128,6 +130,13 @@ async function _verifyPackageSignature({
verificationKeys: verificationKey,
signature,
message,
config: {
// See https://github.com/openpgpjs/openpgpjs/blob/d6145ac73eebcf66bdeb0873aa60fc49361e1aeb/src/message.js#L800-L809
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@elastic/kibana-security can you take a look?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the tag @jbudz! Using this config option is alright with us given the context. LGTM!

// Essentially, since the sha1 key was reformmated to sha256 as part of https://github.com/elastic/elasticsearch/issues/85876,
// there's an error around the creation timestamp for the key/signature. Passing this config allows the verification to succeed
// despite the key being reformatted.
allowInsecureVerificationWithReformattedKeys: true,
},
});

const signatureVerificationResult = verificationResult.signatures[0];
Expand Down
Loading