From 8ceef0584c8a6e0164188ece8ca59763e350bf9f Mon Sep 17 00:00:00 2001 From: Kyle Pollich Date: Mon, 2 Oct 2023 14:48:12 -0400 Subject: [PATCH] [Fleet] Prefer sha256 for reading GPG package verification key (#167149) ## Summary Ref https://github.com/elastic/elasticsearch/issues/85876 Fixes https://github.com/elastic/kibana/issues/167153 The public Elastic GPG key has been updated to use sha256 instead of sha1 for its hashing algorithm. This PR updates Fleet's reading of that key for package verification to support that hashing algorithm change. --------- Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> (cherry picked from commit b2a7b55f0e753656225a1c7215a08676a9c04819) --- src/dev/build/tasks/fleet/download_elastic_gpg_key.ts | 4 ++-- x-pack/plugins/fleet/server/config.ts | 2 +- .../services/epm/packages/package_verification.ts | 11 ++++++++++- 3 files changed, 13 insertions(+), 4 deletions(-) diff --git a/src/dev/build/tasks/fleet/download_elastic_gpg_key.ts b/src/dev/build/tasks/fleet/download_elastic_gpg_key.ts index 6cd0b351c4d31..483a342ba300e 100644 --- a/src/dev/build/tasks/fleet/download_elastic_gpg_key.ts +++ b/src/dev/build/tasks/fleet/download_elastic_gpg_key.ts @@ -13,9 +13,9 @@ import { ToolingLog } from '@kbn/tooling-log'; import { downloadToDisk } from '../../lib'; const ARTIFACTS_URL = 'https://artifacts.elastic.co/'; -const GPG_KEY_NAME = 'GPG-KEY-elasticsearch.sha1'; +const GPG_KEY_NAME = 'GPG-KEY-elasticsearch'; const GPG_KEY_SHA512 = - '84ee193cc337344d9a7da9021daf3f5ede83f5f1ab049d169f3634921529dcd096abf7a91eec7f26f3a6913e5e38f88f69a5e2ce79ad155d46edc75705a648c6'; + '62a567354286deb02baf5fc6b82ddf6c7067898723463da9ae65b132b8c6d6f064b2874e390885682376228eed166c1c82fe7f11f6c9a69f0c157029c548fa3d'; export async function downloadElasticGpgKey(pkgDir: string, log: ToolingLog) { const gpgKeyUrl = ARTIFACTS_URL + GPG_KEY_NAME; diff --git a/x-pack/plugins/fleet/server/config.ts b/x-pack/plugins/fleet/server/config.ts index dea1852c5d8f4..60d62c099498e 100644 --- a/x-pack/plugins/fleet/server/config.ts +++ b/x-pack/plugins/fleet/server/config.ts @@ -27,7 +27,7 @@ import { import { BULK_CREATE_MAX_ARTIFACTS_BYTES } from './services/artifacts/artifacts'; const DEFAULT_BUNDLED_PACKAGE_LOCATION = path.join(__dirname, '../target/bundled_packages'); -const DEFAULT_GPG_KEY_PATH = path.join(__dirname, '../target/keys/GPG-KEY-elasticsearch.sha1'); +const DEFAULT_GPG_KEY_PATH = path.join(__dirname, '../target/keys/GPG-KEY-elasticsearch'); export const config: PluginConfigDescriptor = { exposeToBrowser: { diff --git a/x-pack/plugins/fleet/server/services/epm/packages/package_verification.ts b/x-pack/plugins/fleet/server/services/epm/packages/package_verification.ts index b4432e8919d0c..92068dfcd424d 100644 --- a/x-pack/plugins/fleet/server/services/epm/packages/package_verification.ts +++ b/x-pack/plugins/fleet/server/services/epm/packages/package_verification.ts @@ -57,7 +57,9 @@ export async function _readGpgKey(): Promise { } let key; try { - key = await openpgp.readKey({ armoredKey: buffer.toString() }); + key = await openpgp.readKey({ + armoredKey: buffer.toString(), + }); } catch (e) { logger.warn(`Unable to parse GPG key from '${gpgKeyPath}': ${e}`); } @@ -128,6 +130,13 @@ async function _verifyPackageSignature({ verificationKeys: verificationKey, signature, message, + config: { + // See https://github.com/openpgpjs/openpgpjs/blob/d6145ac73eebcf66bdeb0873aa60fc49361e1aeb/src/message.js#L800-L809 + // Essentially, since the sha1 key was reformmated to sha256 as part of https://github.com/elastic/elasticsearch/issues/85876, + // there's an error around the creation timestamp for the key/signature. Passing this config allows the verification to succeed + // despite the key being reformatted. + allowInsecureVerificationWithReformattedKeys: true, + }, }); const signatureVerificationResult = verificationResult.signatures[0];