[Fleet] Prefer sha256 for reading GPG package verification key (elast…

…ic#167149) ## Summary Ref elastic/elasticsearch#85876 Fixes elastic#167153 The public Elastic GPG key has been updated to use sha256 instead of sha1 for its hashing algorithm. This PR updates Fleet's reading of that key for package verification to support that hashing algorithm change. --------- Co-authored-by: Kibana Machine <[email protected]> (cherry picked from commit b2a7b55)
kibanamachine · Oct 2, 2023 · 8ceef05 · 8ceef05
1 parent 3bac8d5
commit 8ceef05
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 4 deletions.
diff --git a/src/dev/build/tasks/fleet/download_elastic_gpg_key.ts b/src/dev/build/tasks/fleet/download_elastic_gpg_key.ts
@@ -13,9 +13,9 @@ import { ToolingLog } from '@kbn/tooling-log';
 import { downloadToDisk } from '../../lib';
 
 const ARTIFACTS_URL = 'https://artifacts.elastic.co/';
-const GPG_KEY_NAME = 'GPG-KEY-elasticsearch.sha1';
+const GPG_KEY_NAME = 'GPG-KEY-elasticsearch';
 const GPG_KEY_SHA512 =
-  '84ee193cc337344d9a7da9021daf3f5ede83f5f1ab049d169f3634921529dcd096abf7a91eec7f26f3a6913e5e38f88f69a5e2ce79ad155d46edc75705a648c6';
+  '62a567354286deb02baf5fc6b82ddf6c7067898723463da9ae65b132b8c6d6f064b2874e390885682376228eed166c1c82fe7f11f6c9a69f0c157029c548fa3d';
 
 export async function downloadElasticGpgKey(pkgDir: string, log: ToolingLog) {
   const gpgKeyUrl = ARTIFACTS_URL + GPG_KEY_NAME;

diff --git a/x-pack/plugins/fleet/server/config.ts b/x-pack/plugins/fleet/server/config.ts
@@ -27,7 +27,7 @@ import {
 import { BULK_CREATE_MAX_ARTIFACTS_BYTES } from './services/artifacts/artifacts';
 
 const DEFAULT_BUNDLED_PACKAGE_LOCATION = path.join(__dirname, '../target/bundled_packages');
-const DEFAULT_GPG_KEY_PATH = path.join(__dirname, '../target/keys/GPG-KEY-elasticsearch.sha1');
+const DEFAULT_GPG_KEY_PATH = path.join(__dirname, '../target/keys/GPG-KEY-elasticsearch');
 
 export const config: PluginConfigDescriptor = {
   exposeToBrowser: {

diff --git a/x-pack/plugins/fleet/server/services/epm/packages/package_verification.ts b/x-pack/plugins/fleet/server/services/epm/packages/package_verification.ts
@@ -57,7 +57,9 @@ export async function _readGpgKey(): Promise<openpgp.Key | undefined> {
   }
   let key;
   try {
-    key = await openpgp.readKey({ armoredKey: buffer.toString() });
+    key = await openpgp.readKey({
+      armoredKey: buffer.toString(),
+    });
   } catch (e) {
     logger.warn(`Unable to parse GPG key from '${gpgKeyPath}': ${e}`);
   }
@@ -128,6 +130,13 @@ async function _verifyPackageSignature({
     verificationKeys: verificationKey,
     signature,
     message,
+    config: {
+      // See https://github.com/openpgpjs/openpgpjs/blob/d6145ac73eebcf66bdeb0873aa60fc49361e1aeb/src/message.js#L800-L809
+      // Essentially, since the sha1 key was reformmated to sha256 as part of https://github.com/elastic/elasticsearch/issues/85876,
+      // there's an error around the creation timestamp for the key/signature. Passing this config allows the verification to succeed
+      // despite the key being reformatted.
+      allowInsecureVerificationWithReformattedKeys: true,
+    },
   });
 
   const signatureVerificationResult = verificationResult.signatures[0];