[Request][Fleet] Package signatures documentation #2005
Comments
@dedemorton Would it be possible to decide on the link location of this documentation before we write it so that I can add the link to the UI? If not I can just link to the fleet docs homepage for now but would be useful to add the proper link.
Yes, I can add a placeholder topic like this: #2024. I'm a little conflicted because I think it would be nice to have the package signatures page in the same place where the packages are documented. But because the next docs system doesn't have versioning yet, all the topics about managing integrations live in the Fleet/Agent guide. IMO it's not a great user experience until all the docs are in the same place. Do you have a preference? I'm assuming the docs link service simply verifies the link and doesn't care where the content lives. Let me know what you think.
Hi @dedemorton, for us it doesn't matter where the content lives, currently all our doc links go to
@hop-dev The topic in main is live now: https://www.elastic.co/guide/en/fleet/master/package-signatures.html
@dedemorton Hi DeDe, I recently learned that package storage v2 will need to be delivered in order to enable this feature (https://github.com/elastic/ingest-dev/issues/1040). The ecosystem team plans to "flip the switch" in 8.5 rather than 8.4. Based on this info, I think we can de-prioritize the docs work accordingly (if you have other items on your plate). Note that when the switch is flipped, it will still kick in for 8.4 Kibana.
@jen-huang That's good to know! I guess that means I should comment out the file include so that the new topic does not get published for 8.4, correct?
@dedemorton Yes I think that would be good to do, once it is active we can still turn on the topic for 8.4, right?
@jen-huang Yup. I just need to know when the code is merged into 8.4 so we don't break the doc link checking. Edited: If the code still exists behind a feature flag and the doc link is needed, we can hide the topic like this rather than commenting it out: #2052
@dedemorton 👍 Hiding seems like the best option in this case
Changing the target release for these docs to 8.5. Sounds like we will need to backport this to 8.4 later, too?
@dedemorton Release of the registry that contains signatures is still pending. Yes, we need to backport to 8.4 whenever it goes live. I'll assign this to myself as well and add it to our sprint so that we don't miss going live with the docs.
Description
As part of elastic/kibana#133822 we are adding package signature verification to Kibana.
This is the same signing that we use for our code releases, e.g. Elastic binaries. Package signatures prevent attackers from modifying package content. When a package is downloaded, Kibana verifies the package's signature against Elastic's public key, meaning the package content can be trusted.
If a user tries to install a package which fails verification, they are presented with a modal which gives them the option to force install.
The original issue has some more details about why package signing is useful: elastic/package-spec#46
We need some content for the learn more link from the designs:
https://user-images.githubusercontent.com/6766512/172449124-5c50b54b-bb23-4de6-87a1-bfc69915743b.png
https://user-images.githubusercontent.com/6766512/172449239-c6d7e30a-5e3e-4fc6-b19a-2e74675782d2.png
Collaboration
I am happy to have a stab at writing the document but I could maybe do with a chat with someone about the ideal structure/content.
Contact Person: @hop-dev
Suggested Target Release
8.4