Remove PGP signature verification skip for DEV builds #3590

Merged

AndersonQ
Member

What does this PR do?

Remove PGP signature verification skip for DEV builds

Why is it important?

It's not necessary anymore and prevents the PGP signature verification being skipped on a production build if it is ever, by mistake, produced with DEV=true.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation
  • [ ] I have made corresponding change to the default configuration files
  • [ ] I have added tests that prove my fix is effective or that my feature works
  • [ ] I have added an entry in ./changelog/fragments using the changelog tool
  • [ ] I have added an integration test or an E2E test

How to test this PR locally

Produce a build with DEV=true, upgrade it (actually, downgrade it), and check there is a log like Verification with PGP[%d] successful|failed

Related issues

Logs

TODO

Questions to ask yourself

  • How are we going to support this in production?
  • How are we going to measure its adoption?
  • How are we going to debug this?
  • What are the metrics I should take care of?
  • ...

@AndersonQ AndersonQ added enhancement New feature or request Team:Elastic-Agent Label for the Agent team skip-changelog backport-v8.11.0 Automated backport with mergify labels Oct 12, 2023
@AndersonQ AndersonQ self-assigned this Oct 12, 2023
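
An added Go example, not code from this PR or from elastic-agent, contrasting the pattern the description says is removed (a build-time DEV flag that skips verification) with a check that only an explicit per-run option can bypass. All names are hypothetical, and standard-library ed25519 stands in for the PGP signature check.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Hypothetical names throughout; ed25519 stands in for the PGP signature check.
type Build struct{ Dev bool }          // fixed at build time, e.g. DEV=true
type Options struct{ SkipVerify bool } // explicit per-run operator choice
var ErrBadSignature = errors.New("signature verification failed")

func check(pub ed25519.PublicKey, artifact, sig []byte) error {
	if !ed25519.Verify(pub, artifact, sig) {
		return ErrBadSignature
	}
	return nil
}

// Before: a build-time flag silently turns verification off (fails open).
func verifyBefore(b Build, pub ed25519.PublicKey, artifact, sig []byte) error {
	if b.Dev {
		return nil
	}
	return check(pub, artifact, sig)
}

// After: build flavour is ignored; only an explicit option skips the check.
func verifyAfter(o Options, pub ed25519.PublicKey, artifact, sig []byte) error {
	if o.SkipVerify {
		return nil
	}
	return check(pub, artifact, sig)
}

// demo signs a constructed artifact with a throwaway key, then alters one byte.
func demo() (before, after, local error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	artifact := []byte("constructed-agent-package")
	sig := ed25519.Sign(priv, artifact)
	tampered := []byte("constructed-agent-packagE")
	before = verifyBefore(Build{Dev: true}, pub, tampered, sig) // accepted: nil
	after = verifyAfter(Options{}, pub, tampered, sig)          // rejected
	local = verifyAfter(Options{}, pub, artifact, sig)          // signed local build passes
	return
}
func main() {
	fmt.Println(demo())
}
```

The last case mirrors the workflow discussed later in the thread: a local build signed with the developer's own key still verifies, so no build-time bypass is needed.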
@elasticmachine
Contributor

elasticmachine commented Oct 12, 2023

💚 Build Succeeded

Build stats

  • Start Time: 2023-10-19T15:52:38.492+0000

  • Duration: 27 min 30 sec

Test stats 🧪

Test Results
Failed 0
Passed 6541
Skipped 59
Total 6600

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

  • /package : Generate the packages.

  • run integration tests : Run the Elastic Agent Integration tests.

  • run end-to-end tests : Generate the packages and run the E2E Tests.

  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

@mergify
Contributor

mergify bot commented Oct 12, 2023

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b 3589-not-skip-pgp-signature-verification upstream/3589-not-skip-pgp-signature-verification
git merge upstream/main
git push upstream 3589-not-skip-pgp-signature-verification

@AndersonQ AndersonQ force-pushed the 3589-not-skip-pgp-signature-verification branch from 5e23fbd to 37e7f48 Compare October 12, 2023 14:54
@mergify
Contributor

mergify bot commented Oct 13, 2023

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b 3589-not-skip-pgp-signature-verification upstream/3589-not-skip-pgp-signature-verification
git merge upstream/main
git push upstream 3589-not-skip-pgp-signature-verification

@AndersonQ AndersonQ force-pushed the 3589-not-skip-pgp-signature-verification branch from d543bfa to 173ac99 Compare October 13, 2023 14:08
@elasticmachine
Contributor

elasticmachine commented Oct 13, 2023

🌐 Coverage report

Name Metrics % (covered/total) Diff
Packages 98.81% (83/84) 👍
Files 66.997% (203/303) 👍
Classes 65.946% (366/555) 👍
Methods 53.241% (1158/2175) 👍 0.157
Lines 39.558% (13627/34448) 👍 0.063
Conditionals 100.0% (0/0) 💚

@AndersonQ
Member Author

buildkite test this

@AndersonQ AndersonQ marked this pull request as ready for review October 14, 2023 10:43
@AndersonQ AndersonQ requested a review from a team as a code owner October 14, 2023 10:43
@AndersonQ AndersonQ requested review from ycombinator and faec October 14, 2023 10:43
@elasticmachine
Contributor

Pinging @elastic/elastic-agent (Team:Elastic-Agent)

@@ -0,0 +1,176 @@
# Signing Elastic Agent artifacts

This doc covers generating a key, exporting the public key, signing a file and verifying it using GPG as well as pure Go.
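
Review bot: The introductory sentence on the second added line lists the operations covered but not when a reader needs them. Since this PR removes the verification skip for DEV builds and the doc is offered as the route for upgrading to a locally built package, consider saying so up front: the signing steps apply to a local build, and the exported public key is what the upgrade is then verified against.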
Contributor

❤️

Contributor

@michalpristas michalpristas left a comment

Haven't tested this yet, but it looks good. I like the refactor.
The only downside of this as an issue is losing the ability to test upgrading to a locally built snapshot, but with the use of newly added flags we will not be losing it entirely.

@AndersonQ
Member Author

> Haven't tested this yet, but it looks good. I like the refactor. The only downside of this as an issue is losing the ability to test upgrading to a locally built snapshot, but with the use of newly added flags we will not be losing it entirely.

Yes, it's a known issue. The alternative is, as you said, to skip the verification with the CLI flag or sign the local build and pass in the public PGP key. That's also one of the reasons I added the how-to doc.

@AndersonQ
Member Author

/test

Contributor

@michalpristas michalpristas left a comment

seems to work

@AndersonQ AndersonQ enabled auto-merge (squash) October 18, 2023 09:27
@AndersonQ AndersonQ marked this pull request as draft October 19, 2023 15:04
auto-merge was automatically disabled October 19, 2023 15:04

Pull request was converted to draft

@AndersonQ AndersonQ marked this pull request as ready for review October 19, 2023 16:42
@AndersonQ AndersonQ enabled auto-merge (squash) October 19, 2023 16:46
@AndersonQ AndersonQ merged commit e43be2a into elastic:main Oct 19, 2023
7 of 8 checks passed
mergify bot pushed a commit that referenced this pull request Oct 19, 2023
* remove PGP signature verification skip for DEV builds
* create pgptest package to sign and give the public key to verify the signature
* fix tests that relied on skipping the PGP verification
* add PGP/GPG how-to on docs
* add test for VerifySHA512HashWithCleanup

(cherry picked from commit e43be2a)

# Conflicts:
#	internal/pkg/agent/application/upgrade/artifact/download/fs/verifier.go
#	internal/pkg/agent/application/upgrade/artifact/download/http/verifier.go
@AndersonQ AndersonQ deleted the 3589-not-skip-pgp-signature-verification branch October 23, 2023 14:35
AndersonQ added a commit to AndersonQ/elastic-agent that referenced this pull request Oct 23, 2023
AndersonQ added a commit to AndersonQ/elastic-agent that referenced this pull request Oct 23, 2023
AndersonQ added a commit to AndersonQ/elastic-agent that referenced this pull request Oct 23, 2023
Successfully merging this pull request may close these issues.

Remove pgp verification skip for dev builds