-
Notifications
You must be signed in to change notification settings - Fork 68
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support package signatures #760
Conversation
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
🤖 GitHub commentsTo re-run your PR in the CI, just comment with:
|
testdata/generated/package-zip.json
Outdated
@@ -19,6 +19,7 @@ | |||
"crm", | |||
"azure" | |||
], | |||
"signature": "e16ddaf4f91df524b27bf4f2e4b1ac09", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure about the best option, but have you considered providing a download path instead?
"signature": "e16ddaf4f91df524b27bf4f2e4b1ac09", | |
"signature": "/epr/example/example-1.0.1.zip.sig", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought about this, but it means that Kibana will have to pull another file (another GET call). Not sure which approach is preferred.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed, used signature_path
.
@@ -0,0 +1 @@ | |||
e16ddaf4f91df524b27bf4f2e4b1ac09 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this the final format of the signature? What kind of hash is this one?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
md5(elastic)
It's just a mock as the EPR doesn't enforce any hash form, it will depend on the internal logic on the CI side, unless we want to document and define it also here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep, no need to enter into details here, but I am wondering about the more convenient form to distribute different signatures (also related to my other question about providing a download path). For example gpg signatures are quite longer and usually distributed as files. Would we still want to include them in the package index?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is a similar problem we had with template
vs template_path
in data stream's manifest and we ended up with template_path
as these files are long.
Definitely a signature_path
would be more human readable than JSON index with signature blobs.
I will adjust the implementation then.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed, used signature_path
.
Back to draft as it didn't expose signature files as static resources. |
Issue: #728
This PR introduces support for package signatures. A signature file will be a simple hash and will be exposed through the API.