TestFetchVerify works

internal/pkg/agent/application/upgrade/artifact/download/fs/testdata/drop/elastic-agent-8.0.0-darwin-x86_64.tar.gz.asc

@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQGzBAABCgAdFiEE81a455Doc5DWexOcF4e6ez4rqzAFAmUn7TsACgkQF4e6ez4r
+qzDcIgwArpuXDex9aisWFWkXjCfjhJdrTTXr3wv8W68NeFsAaazLlvsWPxdol1db
+FeKFL+P/P/PhlTvdkZw9xMyXoVRWQXJ2p2jVjV0Wq2SCtbbjdrGjQ4OrchgE9FW7
+onWxqV8RjzPyaMwpDWWtHKgxhQeLP5yXhWm6RXHvBLZ5mqbTCuIq2Q4sijEd6IFD
+9JoAA276tqyKGOsPZ1QzaPUFF69B9QLcWasEuNFf5ytMVFfTcMl6/HYDPO7ErhJx
+E1hnKGIc5rrMghL0LzaVLGYZUtnQwru02ZA0omXzEv1uYgqmZl75g9qHk2Cu2V5W
+0qbg9OtUKOkJ1sODvsVv8O40rVazdZTgL2ifNLi2wFwR3syMdHCih2aKMcPDPzt3
+Q4q0zvsxuR9PGsv5+8zze74iC3oZSvF8h36XGjJuyjEFORUpcWNGDmhsC6l7ql5W
+rEbIPZ19j3r1M4yHG/ptBmrwRnQz9RKFnwTO9ME/5eBVumPLUD5kAcYXjvAFYQI5
+qEc7okL5
+=+nvi
+-----END PGP SIGNATURE-----

internal/pkg/agent/application/upgrade/artifact/download/fs/testdata/drop/beat-8.0.0-darwin-x86_64.tar.gz.sha512 → internal/pkg/agent/application/upgrade/artifact/download/fs/testdata/drop/elastic-agent-8.0.0-darwin-x86_64.tar.gz.sha512

@@ -1 +1 @@
-9af9aa016f3349aa248034629e4336ca2f4d31317bfb8c9a23a9d924c18969cf43ad93727e784da010a272690b2b5ce4c4ded3a5d2039e4408e93e1e18d113db  beat-8.0.0-darwin-x86_64.tar.gz
+9af9aa016f3349aa248034629e4336ca2f4d31317bfb8c9a23a9d924c18969cf43ad93727e784da010a272690b2b5ce4c4ded3a5d2039e4408e93e1e18d113db  elastic-agent-8.0.0-darwin-x86_64.tar.gz

internal/pkg/agent/application/upgrade/artifact/download/fs/testdata/drop/public-key.pgp

@@ -0,0 +1,40 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBGUn7JEBDADH0iBdohpZIQY7QyBz9Hl68b7fq0zoFcB4HTDDMQD1ouDQfPwg
+Frpr/ViNNHsye1QfrUWXN8FQfKztqHtUHeM8ggdSvhYYGaDtVSuVakoNNz3Z3+kD
+YhwH0byZrE2MiCKExtgQYWBIDd1TeCMSOgYcQPAXPqQBwX0G1xRAY3s+eazCjaSU
+aNJtlNuAx36jEBa+X73sTh+Y/OtCSN9s75SVYu5xJ+kXkpcHNvsMJmDCZ0zsKrxT
+TMvXSU9qcczj8+wAee/1E77eR01ttrf67IjVReuVZ0OhxucVxJHOp7x9jfeGsjjn
+6uhFT0KV+VOaaRlI9wZ4AOMmAX5nroNYP/GC+SKiOvKV79+r3jyxbChqd5nWdSBN
+mO9okB72nUpGmL1NosW926MMTauR9/nP1uWB66d/pHYRop7sAbAZ7u8COoRS1wd+
+V6dtb3QUwR9LsfKd1xQfrTFVKZ4i703MN1qkq/6TqLhpwlt0+K4WN7LtkkeFivyx
+N0RLiVDzZP289ssAEQEAAbQFYXRlc3SJAc4EEwEKADgWIQTzVrjnkOhzkNZ7E5wX
+h7p7PiurMAUCZSfskQIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRAXh7p7
+PiurMFkbDAC0QLqwq4dZGjOqcNjj02DOM1eQcC8XUSy0w8X6gX/69wFHGM34zl4+
+IO7H6ujvkBxMHmeEU3nNsLH+WsN6Hc8JBRQZSqjySgL2am+K6XYMcP7h7VGnFR0r
+5IKbGn9zCR7xkVrkvW0T48U0fJ00X3v+GWcxcBQIu58sMmKrmzliPCDhmQ94yum8
+n8Yc1tB3DazAQEDGxtfP8/yc93sWKZ4qKPBMZUsjSSzC8a7zei/J9vJccRy/JJEl
+/mNIQx7FxObrCSSa3wXc4AEbWdq4HNZkahLvnOs4EhNR9ihWg7TtMVyBesV/rdgj
+5cgHU3erir1nSOHmrHqLydeWH4vHW4R6BYuJd6NXhsISMHO8Oerlceqmt7aex3wJ
+09ULyareJ3QMc+HWcjxxYbSLU6j5ZgCqcPz17V88W7SkXnzbPaoVAxMCf+M3a0Ib
+r+Yw6CrvWRj2+bmW8Ars6fND90nX4ZS82VnMc27kFqNYdkAE9kdlZ+L8OU70nWmT
+Clh2FhjhHKe5AY0EZSfskQEMANT+4NWxDtyExZEIvwUdegcetF3hbdHlXMmMnuPU
+vJwPhXhXJtzyX5VKRp3WCUO2TOGMKaHaNPi4XCS4QMzBEEft8C7X896QPGqanGdV
+oZ9Oc/mXNZfuOk62hP6Ifn38VIyxAcpQ11ypKJ5wFSwSvkPIdaXm1125oGIFQg+W
+51GSNz8PBuP5GavLs3L1Wp2VupJ9pOrolxGRP+t41u6rNewaktSO6eLY0o0j/FMY
+Anujnj68sS92e7TnQcaAEUsplYLrZlZI1Ly0W2QakvOUIkDq5DSsNYKypTM1rZ7s
+VYENPjHdhATsHoW1LxirBKHuoi8aANSjsofdggnxtu+sp8mk/+oZpyR78yA/+hIA
+/t/wEVgVXETTB0Y8o6n8+/U/uBHEjYGa8JJEcMbNJesQAusBXYt90N8URKHRWEcR
+L9IH3V4rmssDqgE7voHYvNKFru/socsI3WPmDnPKFWGRd7rqzlkBoqbrPiD/tRIC
+cwDqz5hm3vKqOkHqvsGqzNVp4wARAQABiQG2BBgBCgAgFiEE81a455Doc5DWexOc
+F4e6ez4rqzAFAmUn7JECGwwACgkQF4e6ez4rqzA23gv/UZTQw13urB8Hf6s5FJyz
+z5dCWT1RMW1ig7MuCe/MzRCk29zDc16y5fOo0aLzYMWsQXBrBTAXj6hx2/MYHXg0
+mUXzxrnUqM5H/b1hbx52NdwD1eR1prQIX39ifPzw+FTirD98qx04479En/561PQW
+lbWXtm1/JoaSpGIYP2gWNgb3HfHShEGPxFH39vxmP6XVz99BL+3zaHehcCUP8fbC
+Kabo/qbtNC/nZEBUVVMxEj2O9eEq9otk8K8fBzoCOQ4K0Idn+BnQ0O67x4jemunD
+JX6BGBo0WYxJNarK2sJw5+CVRK472va8U6Y+6yGyv5qu68eOZZXvkrCbDpysSIf7
+YjwhmaZuerd4oBvRKJHbbHoqgde8sviSjm6cdU+ZSHILvwEaBLwW3pTgBJAupQcV
+4Ws7fo7/6R2YWws8c4sseGqLC+XxCXk+SvrvyA02ZBY+0L6IFD6Cb8BT0uMMrLIP
+YcZ1xK3gfrp4PCg2OFj46WER5ufHP1r0zvufY7chA9tP
+=Jwiw
+-----END PGP PUBLIC KEY BLOCK-----

internal/pkg/agent/application/upgrade/artifact/download/fs/verifier.go

@@ -39,7 +39,7 @@ func (v *Verifier) Name() string {
 // location against a key stored on elastic.co website.
 func NewVerifier(log *logger.Logger, config *artifact.Config, pgp []byte) (*Verifier, error) {
 	if len(pgp) == 0 {
-		return nil, errors.New("expecting PGP but retrieved none", errors.TypeSecurity)
+		return nil, errors.New("expecting PGP key but retrieved none", errors.TypeSecurity)
 	}
 
 	client, err := config.HTTPTransportSettings.Client(

internal/pkg/agent/application/upgrade/artifact/download/fs/verifier_test.go

@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"os"
+	"path"
 	"path/filepath"
 	"testing"
 	"time"
@@ -18,7 +19,6 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/elastic/elastic-agent-libs/transport/httpcommon"
-
 	"github.com/elastic/elastic-agent/internal/pkg/agent/application/upgrade/artifact"
 	"github.com/elastic/elastic-agent/internal/pkg/agent/application/upgrade/artifact/download"
 	"github.com/elastic/elastic-agent/internal/pkg/release"
@@ -30,7 +30,10 @@ const (
 )
 
 var (
-	beatSpec = artifact.Artifact{Name: "Filebeat", Cmd: "filebeat", Artifact: "beat/filebeat"}
+	beatSpec = artifact.Artifact{
+		Name:     "Elastic Agent",
+		Cmd:      "elastic-agent",
+		Artifact: "beat/elastic-agent"}
 )
 
 func TestFetchVerify(t *testing.T) {
@@ -40,11 +43,14 @@ func TestFetchVerify(t *testing.T) {
 	installPath := filepath.Join("testdata", "install")
 	targetPath := filepath.Join("testdata", "download")
 	ctx := context.Background()
-	s := artifact.Artifact{Name: "Beat", Cmd: "beat", Artifact: "beats/filebeat"}
+	a := artifact.Artifact{
+		Name: "elastic-agent", Cmd: "elastic-agent", Artifact: "beats/elastic-agent"}
 	version := "8.0.0"
 
-	targetFilePath := filepath.Join(targetPath, "beat-8.0.0-darwin-x86_64.tar.gz")
-	hashTargetFilePath := filepath.Join(targetPath, "beat-8.0.0-darwin-x86_64.tar.gz.sha512")
+	filename := "elastic-agent-8.0.0-darwin-x86_64.tar.gz"
+	targetFilePath := filepath.Join(targetPath, filename)
+	hashTargetFilePath := filepath.Join(targetPath, filename+".sha512")
+	ascTargetFilePath := filepath.Join(targetPath, filename+".asc")
 
 	// cleanup
 	defer os.RemoveAll(targetPath)
@@ -60,41 +66,48 @@ func TestFetchVerify(t *testing.T) {
 		},
 	}
 
-	err := prepareFetchVerifyTests(dropPath, targetPath, targetFilePath, hashTargetFilePath)
-	assert.NoError(t, err)
+	err := prepareFetchVerifyTests(dropPath, targetPath, filename, targetFilePath, hashTargetFilePath)
+	require.NoError(t, err)
 
-	downloader := NewDownloader(config)
-	verifier, err := NewVerifier(log, config, nil)
-	assert.NoError(t, err)
+	pgp, err := os.ReadFile(path.Join(dropPath, "public-key.pgp"))
+	require.NoError(t, err, "could not read public PGP key")
+	verifier, err := NewVerifier(log, config, pgp)
+	require.NoError(t, err, "could not create the verifier")
 
 	// first download verify should fail:
 	// download skipped, as invalid package is prepared upfront
 	// verify fails and cleans download
-	err = verifier.Verify(s, version, false)
+	err = verifier.Verify(a, version, false)
 	var checksumErr *download.ChecksumMismatchError
-	assert.ErrorAs(t, err, &checksumErr)
+	require.ErrorAs(t, err, &checksumErr)
 
 	_, err = os.Stat(targetFilePath)
-	assert.True(t, os.IsNotExist(err))
+	require.True(t, os.IsNotExist(err))
 
 	_, err = os.Stat(hashTargetFilePath)
-	assert.True(t, os.IsNotExist(err))
+	require.True(t, os.IsNotExist(err))
 
 	// second one should pass
 	// download not skipped: package missing
 	// verify passes because hash is not correct
-	_, err = downloader.Download(ctx, s, version)
-	assert.NoError(t, err)
+	_, err = NewDownloader(config).Download(ctx, a, version)
+	require.NoError(t, err)
+	asc, err := os.ReadFile(filepath.Join(dropPath, filename+".asc"))
+	require.NoErrorf(t, err, "could not open .asc for copy")
+	err = os.WriteFile(ascTargetFilePath, asc, 0o600)
+	require.NoErrorf(t, err, "could not save .asc (%q) to target path (%q)",
+		filepath.Join(dropPath, filename+".asc"), ascTargetFilePath)
 
 	// file downloaded ok
 	_, err = os.Stat(targetFilePath)
-	assert.NoError(t, err)
-
+	require.NoError(t, err)
 	_, err = os.Stat(hashTargetFilePath)
-	assert.NoError(t, err)
+	require.NoError(t, err)
+	_, err = os.Stat(ascTargetFilePath)
+	require.NoError(t, err)
 
-	err = verifier.Verify(s, version, false)
-	assert.NoError(t, err)
+	err = verifier.Verify(a, version, false)
+	require.NoError(t, err)
 
 	// Bad GPG public key.
 	{
@@ -110,7 +123,7 @@ func TestFetchVerify(t *testing.T) {
 
 	// Missing .asc file.
 	{
-		err = verifier.Verify(s, version, false)
+		err = verifier.Verify(a, version, false)
 		require.Error(t, err)
 
 		// Don't delete these files when GPG validation failure.
@@ -120,10 +133,10 @@ func TestFetchVerify(t *testing.T) {
 
 	// Invalid signature.
 	{
-		err = ioutil.WriteFile(targetFilePath+".asc", []byte("bad sig"), 0o600)
+		err = os.WriteFile(targetFilePath+".asc", []byte("bad sig"), 0o600)
 		require.NoError(t, err)
 
-		err = verifier.Verify(s, version, false)
+		err = verifier.Verify(a, version, false)
 		var invalidSigErr *download.InvalidSignatureError
 		assert.ErrorAs(t, err, &invalidSigErr)
 
@@ -136,9 +149,14 @@ func TestFetchVerify(t *testing.T) {
 	}
 }
 
-func prepareFetchVerifyTests(dropPath, targetDir, targetFilePath, hashTargetFilePath string) error {
-	sourceFilePath := filepath.Join(dropPath, "beat-8.0.0-darwin-x86_64.tar.gz")
-	hashSourceFilePath := filepath.Join(dropPath, "beat-8.0.0-darwin-x86_64.tar.gz.sha512")
+func prepareFetchVerifyTests(
+	dropPath,
+	targetDir,
+	filename,
+	targetFilePath,
+	hashTargetFilePath string) error {
+	sourceFilePath := filepath.Join(dropPath, filename)
+	hashSourceFilePath := filepath.Join(dropPath, filename+".sha512")
 
 	// clean targets
 	os.Remove(targetFilePath)
@@ -160,13 +178,13 @@ func prepareFetchVerifyTests(dropPath, targetDir, targetFilePath, hashTargetFile
 	}
 	defer targretFile.Close()
 
-	hashContent, err := ioutil.ReadFile(hashSourceFilePath)
+	hashContent, err := os.ReadFile(hashSourceFilePath)
 	if err != nil {
 		return err
 	}
 
 	corruptedHash := append([]byte{1, 2, 3, 4, 5, 6}, hashContent[6:]...)
-	return ioutil.WriteFile(hashTargetFilePath, corruptedHash, 0666)
+	return os.WriteFile(hashTargetFilePath, corruptedHash, 0666)
 }
 
 func TestVerify(t *testing.T) {

internal/pkg/agent/application/upgrade/artifact/download/http/elastic_test.go

@@ -87,10 +87,7 @@ func TestDownload(t *testing.T) {
 }
 
 func TestVerify(t *testing.T) {
-	targetDir, err := ioutil.TempDir(os.TempDir(), "")
-	if err != nil {
-		t.Fatal(err)
-	}
+	targetDir := t.TempDir()
 
 	log, _ := logger.New("", false)
 	timeout := 30 * time.Second

internal/pkg/agent/application/upgrade/artifact/download/http/verifier.go

@@ -144,38 +144,6 @@ func (v *Verifier) verifyAsc(a artifact.Artifact, version string, skipDefaultKey
 	return download.VerifyPGPSignatures(v.log, fullPath, ascBytes, pgpBytes)
 }
 
-func funcName(v *Verifier, skipDefaultPgp bool, pgpSources []string) ([][]byte, error, bool) {
-	var pgpBytes [][]byte
-	if len(v.defaultKey) > 0 && !skipDefaultPgp {
-		v.log.Infof("Default PGP being appended")
-		pgpBytes = append(pgpBytes, v.defaultKey)
-	}
-
-	for _, check := range pgpSources {
-		if len(check) == 0 {
-			continue
-		}
-		raw, err := download.PgpBytesFromSource(v.log, check, &v.client)
-		if err != nil {
-			return nil, err, true
-		}
-
-		if len(raw) == 0 {
-			continue
-		}
-
-		pgpBytes = append(pgpBytes, raw)
-	}
-
-	if len(pgpBytes) == 0 {
-		// no pgp available skip verification process
-		v.log.Infof("No checks defined")
-		return nil, nil, true
-	}
-	v.log.Infof("Using %d PGP keys", len(pgpBytes))
-	return pgpBytes, nil, false
-}
-
 func (v *Verifier) composeURI(filename, artifactName string) (string, error) {
 	upstream := v.config.SourceURI
 	if !strings.HasPrefix(upstream, "http") && !strings.HasPrefix(upstream, "file") && !strings.HasPrefix(upstream, "/") {

internal/pkg/agent/application/upgrade/artifact/download/localremote/verifier.go

@@ -17,7 +17,7 @@ import (
 
 // NewVerifier creates a downloader which first checks local directory
 // and then fallbacks to remote if configured.
-func NewVerifier(log *logger.Logger, config *artifact.Config, allowEmptyPgp bool, pgp []byte) (download.Verifier, error) {
+func NewVerifier(log *logger.Logger, config *artifact.Config, pgp []byte) (download.Verifier, error) {
 	verifiers := make([]download.Verifier, 0, 3)
 
 	fsVer, err := fs.NewVerifier(log, config, pgp)
@@ -30,7 +30,7 @@ func NewVerifier(log *logger.Logger, config *artifact.Config, allowEmptyPgp bool
 	// useful for testing with a snapshot version of fleet for example
 	// try snapshot repo before official
 	if release.Snapshot() {
-		snapshotVerifier, err := snapshot.NewVerifier(log, config, allowEmptyPgp, pgp, nil)
+		snapshotVerifier, err := snapshot.NewVerifier(log, config, pgp, nil)
 		if err != nil {
 			log.Error(err)
 		} else {

internal/pkg/agent/application/upgrade/artifact/download/snapshot/verifier.go

@@ -24,7 +24,7 @@ func (v *Verifier) Name() string {
 
 // NewVerifier creates a downloader which first checks local directory
 // and then fallbacks to remote if configured.
-func NewVerifier(log *logger.Logger, config *artifact.Config, allowEmptyPgp bool, pgp []byte, versionOverride *agtversion.ParsedSemVer) (download.Verifier, error) {
+func NewVerifier(log *logger.Logger, config *artifact.Config, pgp []byte, versionOverride *agtversion.ParsedSemVer) (download.Verifier, error) {
 	cfg, err := snapshotConfig(config, versionOverride)
 	if err != nil {
 		return nil, err

internal/pkg/agent/application/upgrade/artifact/download/verifier.go

@@ -191,7 +191,7 @@ func VerifyPGPSignatures(
 	log logger, file string, asciiArmorSignature []byte, publicKeys [][]byte) error {
 	var err error
 	for i, key := range publicKeys {
-		err := VerifyPGPSignature(file, asciiArmorSignature, key)
+		err = VerifyPGPSignature(file, asciiArmorSignature, key)
 		if err == nil {
 			log.Infof("Verification with PGP[%d] successful", i)
 			return nil

internal/pkg/agent/application/upgrade/step_download.go

@@ -146,15 +146,15 @@ func newVerifier(version *agtversion.ParsedSemVer, log *logger.Logger, settings
 	pgp := release.PGP()
 
 	if !version.IsSnapshot() {
-		return localremote.NewVerifier(log, settings, allowEmptyPgp, pgp)
+		return localremote.NewVerifier(log, settings, pgp)
 	}
 
 	fsVerifier, err := fs.NewVerifier(log, settings, pgp)
 	if err != nil {
 		return nil, err
 	}
 
-	snapshotVerifier, err := snapshot.NewVerifier(log, settings, allowEmptyPgp, pgp, version)
+	snapshotVerifier, err := snapshot.NewVerifier(log, settings, pgp, version)
 	if err != nil {
 		return nil, err
 	}