diff --git a/src/dev/build/tasks/fleet/download_elastic_gpg_key.ts b/src/dev/build/tasks/fleet/download_elastic_gpg_key.ts index 6cd0b351c4d31..483a342ba300e 100644 --- a/src/dev/build/tasks/fleet/download_elastic_gpg_key.ts +++ b/src/dev/build/tasks/fleet/download_elastic_gpg_key.ts @@ -13,9 +13,9 @@ import { ToolingLog } from '@kbn/tooling-log'; import { downloadToDisk } from '../../lib'; const ARTIFACTS_URL = 'https://artifacts.elastic.co/'; -const GPG_KEY_NAME = 'GPG-KEY-elasticsearch.sha1'; +const GPG_KEY_NAME = 'GPG-KEY-elasticsearch'; const GPG_KEY_SHA512 = - '84ee193cc337344d9a7da9021daf3f5ede83f5f1ab049d169f3634921529dcd096abf7a91eec7f26f3a6913e5e38f88f69a5e2ce79ad155d46edc75705a648c6'; + '62a567354286deb02baf5fc6b82ddf6c7067898723463da9ae65b132b8c6d6f064b2874e390885682376228eed166c1c82fe7f11f6c9a69f0c157029c548fa3d'; export async function downloadElasticGpgKey(pkgDir: string, log: ToolingLog) { const gpgKeyUrl = ARTIFACTS_URL + GPG_KEY_NAME; diff --git a/x-pack/plugins/fleet/server/config.ts b/x-pack/plugins/fleet/server/config.ts index 3dbcf8a795bb1..8426e46a0814d 100644 --- a/x-pack/plugins/fleet/server/config.ts +++ b/x-pack/plugins/fleet/server/config.ts @@ -27,7 +27,7 @@ import { import { BULK_CREATE_MAX_ARTIFACTS_BYTES } from './services/artifacts/artifacts'; const DEFAULT_BUNDLED_PACKAGE_LOCATION = path.join(__dirname, '../target/bundled_packages'); -const DEFAULT_GPG_KEY_PATH = path.join(__dirname, '../target/keys/GPG-KEY-elasticsearch.sha1'); +const DEFAULT_GPG_KEY_PATH = path.join(__dirname, '../target/keys/GPG-KEY-elasticsearch'); const REGISTRY_SPEC_MAX_VERSION = '3.0'; diff --git a/x-pack/plugins/fleet/server/services/epm/packages/package_verification.ts b/x-pack/plugins/fleet/server/services/epm/packages/package_verification.ts index b4432e8919d0c..92068dfcd424d 100644 --- a/x-pack/plugins/fleet/server/services/epm/packages/package_verification.ts +++ b/x-pack/plugins/fleet/server/services/epm/packages/package_verification.ts @@ -57,7 +57,9 @@ export async function _readGpgKey(): Promise { } let key; try { - key = await openpgp.readKey({ armoredKey: buffer.toString() }); + key = await openpgp.readKey({ + armoredKey: buffer.toString(), + }); } catch (e) { logger.warn(`Unable to parse GPG key from '${gpgKeyPath}': ${e}`); } @@ -128,6 +130,13 @@ async function _verifyPackageSignature({ verificationKeys: verificationKey, signature, message, + config: { + // See https://github.com/openpgpjs/openpgpjs/blob/d6145ac73eebcf66bdeb0873aa60fc49361e1aeb/src/message.js#L800-L809 + // Essentially, since the sha1 key was reformmated to sha256 as part of https://github.com/elastic/elasticsearch/issues/85876, + // there's an error around the creation timestamp for the key/signature. Passing this config allows the verification to succeed + // despite the key being reformatted. + allowInsecureVerificationWithReformattedKeys: true, + }, }); const signatureVerificationResult = verificationResult.signatures[0];