Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

elastic gpgkey unusable on modern redhat/fedora derivitives #88326

Closed
drawks opened this issue Jul 6, 2022 · 3 comments
Closed

elastic gpgkey unusable on modern redhat/fedora derivitives #88326

drawks opened this issue Jul 6, 2022 · 3 comments
Labels
>bug :Delivery/Packaging RPM and deb packaging, tar and zip archives, shell and batch scripts Team:Delivery Meta label for Delivery team

Comments

@drawks
Copy link

drawks commented Jul 6, 2022

Elasticsearch Version

Installed Plugins

No response

Java Version

bundled

OS Version

Linux localhost.localdomain 5.14.0-70.13.1.el9_0.x86_64 #1 SMP PREEMPT Tue May 17 15:53:11 EDT 2022 x86_64 x86_64 x86_64 GNU/Linux

Problem Description

Similar to the issue in #58257 modern (version 8+) redhat derivatives reject the elastic gpg key which is used to verify rpm packages from the elastic yum/dnf repositories. Attempts to use the instructions provided fail at the step where the gpg key is imported into the system keychain:

[vagrant@localhost ~]$ sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
error: https://artifacts.elastic.co/GPG-KEY-elasticsearch: key 1 import failed.

On a hunch I tried enabling SHA-1 support per the redhat guidance:

[root@localhost ~]# update-crypto-policies --set DEFAULT:SHA1
Setting system policy to DEFAULT:SHA1
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
[root@localhost ~]# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

and the key was imported without any complaints.

similarly with the default cryptographic profile set packages from the elastic repository will not install:

[root@localhost ~]# update-crypto-policies --set DEFAULT
Setting system policy to DEFAULT
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
[root@localhost ~]# yum install filebeat
Elasticsearch repository for 8.x packages                                                         6.9 MB/s |  12 MB     00:01
Last metadata expiration check: 0:00:04 ago on Wed Jul  6 18:51:02 2022.
Dependencies resolved.
==================================================================================================================================
 Package                       Architecture                Version                       Repository                          Size
==================================================================================================================================
Installing:
 filebeat                      x86_64                      8.3.1-1                       elasticsearch                       57 M

Transaction Summary
==================================================================================================================================
Install  1 Package

Total download size: 57 M
Installed size: 243 M
Is this ok [y/N]: y
Downloading Packages:
filebeat-8.3.1-x86_64.rpm                                                                         7.4 MB/s |  57 MB     00:07
----------------------------------------------------------------------------------------------------------------------------------
Total                                                                                             7.4 MB/s |  57 MB     00:07
Elasticsearch repository for 8.x packages                                                          16 kB/s | 1.7 kB     00:00
GPG key at https://artifacts.elastic.co/GPG-KEY-elasticsearch (0xD88E42B4) is already installed
The GPG keys listed for the "Elasticsearch repository for 8.x packages" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.. Failing package is: filebeat-8.3.1-1.x86_64
 GPG Keys are configured as: https://artifacts.elastic.co/GPG-KEY-elasticsearch
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'yum clean packages'.
Error: GPG check FAILED

Again, enabling SHA-1 allows for the packages to install.

[root@localhost ~]# update-crypto-policies --set DEFAULT:SHA1
Setting system policy to DEFAULT:SHA1
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
[root@localhost ~]# yum install filebeat
Last metadata expiration check: 0:00:39 ago on Wed Jul  6 18:51:02 2022.
Dependencies resolved.
==================================================================================================================================
 Package                       Architecture                Version                       Repository                          Size
==================================================================================================================================
Installing:
 filebeat                      x86_64                      8.3.1-1                       elasticsearch                       57 M

Transaction Summary
==================================================================================================================================
Install  1 Package

Total size: 57 M
Installed size: 243 M
Is this ok [y/N]: y
Downloading Packages:
[SKIPPED] filebeat-8.3.1-x86_64.rpm: Already downloaded
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                          1/1
  Installing       : filebeat-8.3.1-1.x86_64                                                                                  1/1
  Running scriptlet: filebeat-8.3.1-1.x86_64                                                                                  1/1
  Verifying        : filebeat-8.3.1-1.x86_64                                                                                  1/1

Installed:
  filebeat-8.3.1-1.x86_64

Complete!
[root@localhost ~]# dnf install filebeat
Last metadata expiration check: 0:01:46 ago on Wed Jul  6 18:51:02 2022.
Package filebeat-8.3.1-1.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!

I'm no cryptowonk, but I'm left to believe that the elastic signing key is overdue for replacement with a key which uses modern cryptographic standards

Steps to Reproduce

  1. attempt to import the gpgkey into rpm: sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
  2. observe failure
  3. enable SHA1 sudo update-crypto-policies --set DEFAULT:SHA1
  4. retry step 1 and observe success

Logs (if relevant)

Here is the dnf log showing the gpg verification failure

2022-07-06T18:51:16+0000 SUBDEBUG
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/dnf/cli/main.py", line 67, in main
    return _main(base, args, cli_class, option_parser_class)
  File "/usr/lib/python3.9/site-packages/dnf/cli/main.py", line 106, in _main
    return cli_run(cli, base)
  File "/usr/lib/python3.9/site-packages/dnf/cli/main.py", line 130, in cli_run
    ret = resolving(cli, base)
  File "/usr/lib/python3.9/site-packages/dnf/cli/main.py", line 176, in resolving
    base.do_transaction(display=displays)
  File "/usr/lib/python3.9/site-packages/dnf/cli/cli.py", line 238, in do_transaction
    self.gpgsigcheck(install_pkgs)
  File "/usr/lib/python3.9/site-packages/dnf/cli/cli.py", line 305, in gpgsigcheck
    raise dnf.exceptions.Error(_("GPG check FAILED"))
dnf.exceptions.Error: GPG check FAILED
2022-07-06T18:51:16+0000 CRITICAL Error: GPG check FAILED
@drawks drawks added >bug needs:triage Requires assignment of a team area label labels Jul 6, 2022
@drawks
Copy link
Author

drawks commented Jul 6, 2022

I think perhaps it might be possible to modify the preferences of the public key and republish with SHA1 removed from the digests.

gpg (GnuPG) 2.3.3; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  rsa2048/D27D666CD88E42B4
     created: 2013-09-16  expires: never       usage: SC
     trust: unknown       validity: unknown
sub  rsa2048/AB6B7FCB60D31954
     created: 2013-09-16  expires: never       usage: E
[ unknown] (1). Elasticsearch (Elasticsearch Signing Key) <[email protected]>

gpg> showpref
[ unknown] (1). Elasticsearch (Elasticsearch Signing Key) <[email protected]>
     Cipher: AES256, AES192, AES, CAST5, 3DES
     AEAD:
     Digest: SHA256, SHA1, SHA384, SHA512, SHA224
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify

gpg> setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
Need the secret key to do this.

@tvernum tvernum added :Delivery/Packaging RPM and deb packaging, tar and zip archives, shell and batch scripts and removed needs:triage Requires assignment of a team area label labels Jul 11, 2022
@elasticmachine elasticmachine added the Team:Delivery Meta label for Delivery team label Jul 11, 2022
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-delivery (Team:Delivery)

@mark-vieira
Copy link
Contributor

This looks to be a duplicate of #85876. We're investigating updating our GPG key with our release team to resolve this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
>bug :Delivery/Packaging RPM and deb packaging, tar and zip archives, shell and batch scripts Team:Delivery Meta label for Delivery team
Projects
None yet
Development

No branches or pull requests

4 participants