Remove PGP signature verification skip for DEV builds #3590

AndersonQ · 2023-10-12T06:44:01Z

What does this PR do?

Remove PGP signature verification skip for DEV builds

Why is it important?

It's not necessary anymore and prevents the PGP signature verification being skipped on a production build if it is ever, by mistake, produced with DEV=true.

Checklist

My code follows the style guidelines of this project
I have commented my code, particularly in hard-to-understand areas
~~[ ] I have made corresponding changes to the documentation~~
~~[ ] I have made corresponding change to the default configuration files~~
~~[ ] I have added tests that prove my fix is effective or that my feature works~~
~~[ ] I have added an entry in ./changelog/fragments using the changelog tool~~
~~[ ] I have added an integration test or an E2E test~~

How to test this PR locally

Produce a build with DEV=true, upgrade (actually downgrade it) it, check there is a log like Verification with PGP[%d] successful|faied

Related issues

Closes Remove pgp verification skip for dev builds #3589

Logs

TODO

Questions to ask yourself

How are we going to support this in production?
How are we going to measure its adoption?
How are we going to debug this?
What are the metrics I should take care of?
...

elasticmachine · 2023-10-12T06:51:59Z

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

Start Time: 2023-10-19T15:52:38.492+0000
Duration: 27 min 30 sec

Test stats 🧪

Test	Results
Failed	0
Passed	6541
Skipped	59
Total	6600

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

/test : Re-trigger the build.
/package : Generate the packages.
run integration tests : Run the Elastic Agent Integration tests.
run end-to-end tests : Generate the packages and run the E2E Tests.
run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

mergify · 2023-10-12T10:03:56Z

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b 3589-not-skip-pgp-signature-verification upstream/3589-not-skip-pgp-signature-verification
git merge upstream/main
git push upstream 3589-not-skip-pgp-signature-verification

mergify · 2023-10-13T12:35:36Z

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b 3589-not-skip-pgp-signature-verification upstream/3589-not-skip-pgp-signature-verification
git merge upstream/main
git push upstream 3589-not-skip-pgp-signature-verification

elasticmachine · 2023-10-13T14:32:13Z

🌐 Coverage report

Name	Metrics % (`covered/total`)	Diff
Packages	98.81% (`83/84`)	👍
Files	66.997% (`203/303`)	👍
Classes	65.946% (`366/555`)	👍
Methods	53.241% (`1158/2175`)	👍 0.157
Lines	39.558% (`13627/34448`)	👍 0.063
Conditionals	100.0% (`0/0`)	💚

AndersonQ · 2023-10-13T17:13:20Z

buildkite test this

elasticmachine · 2023-10-14T10:43:23Z

Pinging @elastic/elastic-agent (Team:Elastic-Agent)

michalpristas · 2023-10-16T11:56:36Z

docs/pgp-sign-verify-artifact.md

@@ -0,0 +1,176 @@
+# Signing Elastic Agent artifacts
+
+This doc covers generating a key, exporting the public key, signing a file and verifying it using GPG as well as pure Go.


michalpristas

havent tested this yet, but it looks good. i like the refactor.
the only downside of this as an issue is losing the abilty to test upgrading to locally built snapshot, but with the use of newly added flags we will not losing it entirely.

AndersonQ · 2023-10-16T14:44:23Z

havent tested this yet, but it looks good. i like the refactor. the only downside of this as an issue is losing the abilty to test upgrading to locally built snapshot, but with the use of newly added flags with not losing it entirely.

Yes, it's an known issue. The alternative is as you said, skip the verification with the cli flag or sing the local build and pass in the public pgp key. That's also one of the reasons I added the how-to doc

AndersonQ · 2023-10-17T10:19:22Z

/test

michalpristas

seems to work

elastic-sonarqube · 2023-10-19T16:05:32Z

SonarQube Quality Gate

0 Bugs
0 Vulnerabilities
0 Security Hotspots
2 Code Smells

40.0% Coverage
1.7% Duplication

* remove PGP signature verification skip for DEV builds * create pgptest package to sign and give the public key to verify the signature * fix tests that relied on skipping the PGP verification * add PGP/GPG how-to on docs * add test for VerifySHA512HashWithCleanup (cherry picked from commit e43be2a) # Conflicts: # internal/pkg/agent/application/upgrade/artifact/download/fs/verifier.go # internal/pkg/agent/application/upgrade/artifact/download/http/verifier.go

* remove PGP signature verification skip for DEV builds * create pgptest package to sign and give the public key to verify the signature * fix tests that relied on skipping the PGP verification * add PGP/GPG how-to on docs * add test for VerifySHA512HashWithCleanup (cherry picked from commit e43be2a)

AndersonQ added enhancement New feature or request Team:Elastic-Agent Label for the Agent team skip-changelog backport-v8.11.0 Automated backport with mergify labels Oct 12, 2023

AndersonQ self-assigned this Oct 12, 2023

AndersonQ force-pushed the 3589-not-skip-pgp-signature-verification branch from 5e23fbd to 37e7f48 Compare October 12, 2023 14:54

AndersonQ added 9 commits October 13, 2023 16:06

remove PGP signature verification skip for DEV builds

d2d8d3f

TestFetchVerify works

849f2ab

readme

41abe87

fix checks

59a0bb7

create pgptest package and fix broken tests

b8b562b

move PGP/GPG how to docs and add a Go section

f849207

add headers

edaf5b5

use filepath

278b50e

refactor and fix tests

173ac99

AndersonQ force-pushed the 3589-not-skip-pgp-signature-verification branch from d543bfa to 173ac99 Compare October 13, 2023 14:08

several small fixes and improvements

b500c01

AndersonQ marked this pull request as ready for review October 14, 2023 10:43

AndersonQ requested a review from a team as a code owner October 14, 2023 10:43

AndersonQ requested review from ycombinator and faec October 14, 2023 10:43

pierrehilbert requested a review from michalpristas October 14, 2023 15:57

michalpristas reviewed Oct 16, 2023

View reviewed changes

linter fixes

fb7de2e

add nolint rules

d35055d

AndersonQ requested a review from michalpristas October 17, 2023 10:22

michalpristas approved these changes Oct 18, 2023

View reviewed changes

AndersonQ enabled auto-merge (squash) October 18, 2023 09:27

AndersonQ marked this pull request as draft October 19, 2023 15:04

auto-merge was automatically disabled October 19, 2023 15:04
Pull request was converted to draft

add test for VerifySHA512HashWithCleanup

80e6f0f

AndersonQ marked this pull request as ready for review October 19, 2023 16:42

AndersonQ enabled auto-merge (squash) October 19, 2023 16:46

AndersonQ merged commit e43be2a into elastic:main Oct 19, 2023
20 of 21 checks passed

mergify bot mentioned this pull request Oct 19, 2023

[8.11](backport #3590) Remove PGP signature verification skip for DEV builds #3638

Closed

AndersonQ deleted the 3589-not-skip-pgp-signature-verification branch October 23, 2023 14:35

AndersonQ mentioned this pull request Feb 13, 2024

Verifier does not honor proxy settings #4237

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Remove PGP signature verification skip for DEV builds #3590

Remove PGP signature verification skip for DEV builds #3590

AndersonQ commented Oct 12, 2023

elasticmachine commented Oct 12, 2023 •

edited

Loading

Build stats

Test stats 🧪

mergify bot commented Oct 12, 2023

mergify bot commented Oct 13, 2023

elasticmachine commented Oct 13, 2023 •

edited

Loading

AndersonQ commented Oct 13, 2023

elasticmachine commented Oct 14, 2023

michalpristas Oct 16, 2023

michalpristas left a comment •

edited

Loading

AndersonQ commented Oct 16, 2023

AndersonQ commented Oct 17, 2023

michalpristas left a comment

elastic-sonarqube bot commented Oct 19, 2023

		@@ -0,0 +1,176 @@
		# Signing Elastic Agent artifacts

		This doc covers generating a key, exporting the public key, signing a file and verifying it using GPG as well as pure Go.

Remove PGP signature verification skip for DEV builds #3590

Remove PGP signature verification skip for DEV builds #3590

Conversation

AndersonQ commented Oct 12, 2023

What does this PR do?

Why is it important?

Checklist

How to test this PR locally

Related issues

Logs

Questions to ask yourself

elasticmachine commented Oct 12, 2023 • edited Loading

💚 Build Succeeded

Build stats

Test stats 🧪

💚 Flaky test report

🤖 GitHub comments

mergify bot commented Oct 12, 2023

mergify bot commented Oct 13, 2023

elasticmachine commented Oct 13, 2023 • edited Loading

🌐 Coverage report

AndersonQ commented Oct 13, 2023

elasticmachine commented Oct 14, 2023

michalpristas Oct 16, 2023

Choose a reason for hiding this comment

michalpristas left a comment • edited Loading

Choose a reason for hiding this comment

AndersonQ commented Oct 16, 2023

AndersonQ commented Oct 17, 2023

michalpristas left a comment

Choose a reason for hiding this comment

elastic-sonarqube bot commented Oct 19, 2023

elasticmachine commented Oct 12, 2023 •

edited

Loading

elasticmachine commented Oct 13, 2023 •

edited

Loading

michalpristas left a comment •

edited

Loading