From b2a7b55f0e753656225a1c7215a08676a9c04819 Mon Sep 17 00:00:00 2001
From: Kyle Pollich
Date: Mon, 2 Oct 2023 14:48:12 -0400
Subject: [PATCH] [Fleet] Prefer sha256 for reading GPG package verification key (#167149)
## Summary
Ref https://github.com/elastic/elasticsearch/issues/85876
Fixes https://github.com/elastic/kibana/issues/167153
The public Elastic GPG key has been updated to use sha256 instead of sha1 for its hashing algorithm. This PR updates Fleet's reading of that key for package verification to support that hashing algorithm change.
---------
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
---
 src/dev/build/tasks/fleet/download_elastic_gpg_key.ts | 4 ++--
 x-pack/plugins/fleet/server/config.ts | 2 +-
 .../services/epm/packages/package_verification.ts | 11 ++++++++++-
 3 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/src/dev/build/tasks/fleet/download_elastic_gpg_key.ts b/src/dev/build/tasks/fleet/download_elastic_gpg_key.ts
index 6cd0b351c4d31..483a342ba300e 100644
--- a/src/dev/build/tasks/fleet/download_elastic_gpg_key.ts
+++ b/src/dev/build/tasks/fleet/download_elastic_gpg_key.ts
@@ -13,9 +13,9 @@ import { ToolingLog } from '@kbn/tooling-log';
 import { downloadToDisk } from '../../lib';
 const ARTIFACTS_URL = 'https://artifacts.elastic.co/';
-const GPG_KEY_NAME = 'GPG-KEY-elasticsearch.sha1';
+const GPG_KEY_NAME = 'GPG-KEY-elasticsearch';
 const GPG_KEY_SHA512 =
- '84ee193cc337344d9a7da9021daf3f5ede83f5f1ab049d169f3634921529dcd096abf7a91eec7f26f3a6913e5e38f88f69a5e2ce79ad155d46edc75705a648c6';
+ '62a567354286deb02baf5fc6b82ddf6c7067898723463da9ae65b132b8c6d6f064b2874e390885682376228eed166c1c82fe7f11f6c9a69f0c157029c548fa3d';
 export async function downloadElasticGpgKey(pkgDir: string, log: ToolingLog) {
 const gpgKeyUrl = ARTIFACTS_URL + GPG_KEY_NAME;
diff --git a/x-pack/plugins/fleet/server/config.ts b/x-pack/plugins/fleet/server/config.ts
index 3dbcf8a795bb1..8426e46a0814d 100644
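Review bot: The new `GPG_KEY_SHA512` value is the only thing tying the build to a specific key file, and nothing in the hunk records which key it corresponds to or how it was derived, so it cannot be checked from the diff. I would add a comment above the constant, for example `// SHA-512 of the GPG-KEY-elasticsearch file served from ARTIFACTS_URL; update together with the key and note the key fingerprint in the PR`. Presumably `downloadToDisk` compares the download against this digest, but the body of `downloadElasticGpgKey` continues outside the hunk, so that is worth confirming.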
--- a/x-pack/plugins/fleet/server/config.ts
+++ b/x-pack/plugins/fleet/server/config.ts
@@ -27,7 +27,7 @@ import {
 import { BULK_CREATE_MAX_ARTIFACTS_BYTES } from './services/artifacts/artifacts';
 const DEFAULT_BUNDLED_PACKAGE_LOCATION = path.join(__dirname, '../target/bundled_packages');
-const DEFAULT_GPG_KEY_PATH = path.join(__dirname, '../target/keys/GPG-KEY-elasticsearch.sha1');
+const DEFAULT_GPG_KEY_PATH = path.join(__dirname, '../target/keys/GPG-KEY-elasticsearch');
 const REGISTRY_SPEC_MAX_VERSION = '3.0';
diff --git a/x-pack/plugins/fleet/server/services/epm/packages/package_verification.ts b/x-pack/plugins/fleet/server/services/epm/packages/package_verification.ts
index b4432e8919d0c..92068dfcd424d 100644
--- a/x-pack/plugins/fleet/server/services/epm/packages/package_verification.ts
+++ b/x-pack/plugins/fleet/server/services/epm/packages/package_verification.ts
@@ -57,7 +57,9 @@ export async function _readGpgKey(): Promise {
 }
 let key;
 try {
- key = await openpgp.readKey({ armoredKey: buffer.toString() });
+ key = await openpgp.readKey({
+ armoredKey: buffer.toString(),
+ });
 } catch (e) {
 logger.warn(`Unable to parse GPG key from '${gpgKeyPath}': ${e}`);
 }
@@ -128,6 +130,13 @@ async function _verifyPackageSignature({
 verificationKeys: verificationKey,
 signature,
 message,
+ config: {
+ // See https://github.com/openpgpjs/openpgpjs/blob/d6145ac73eebcf66bdeb0873aa60fc49361e1aeb/src/message.js#L800-L809
+ // Essentially, since the sha1 key was reformmated to sha256 as part of https://github.com/elastic/elasticsearch/issues/85876,
+ // there's an error around the creation timestamp for the key/signature. Passing this config allows the verification to succeed
+ // despite the key being reformatted.
+ allowInsecureVerificationWithReformattedKeys: true,
+ },
 });
 const signatureVerificationResult = verificationResult.signatures[0];
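Review bot: `allowInsecureVerificationWithReformattedKeys: true` is set unconditionally in the verify call, and the added comment explains why it makes verification pass but not what is given up. As I read the openpgp.js option, a key that is valid now is accepted even when its validity at the signature's creation time cannot be established, so the key's own timestamps no longer bound which signatures it can vouch for. The key path appears to be configurable (`gpgKeyPath` in `_readGpgKey`), so the relaxation would presumably apply to operator-supplied keys as well, not only the reformatted Elastic key. I would extend the comment with something like `// NOTE: relaxes the key-validity-at-signing-time check for every verification key; remove once packages are signed after the key was reformatted.` and fix the `reformmated` typo. `_verifyPackageSignature` starts and ends outside the hunk.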