Remove PGP signature verification skip for DEV builds #3590
This pull request is now in conflicts. Could you fix it? 🙏
buildkite test this
Pinging @elastic/elastic-agent (Team:Elastic-Agent)
@@ -0,0 +1,176 @@ | |||
# Signing Elastic Agent artifacts | |||
|
|||
This doc covers generating a key, exporting the public key, signing a file and verifying it using GPG as well as pure Go. |
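Review bot: The opening sentence on the last line of this hunk lists what the doc covers (generating a key, exporting the public key, signing, verifying) but not when a developer needs it. Suggest adding one sentence that ties it to the use case raised in this conversation: signing a locally built artifact and passing in the public PGP key so an upgrade to that build can be tested without skipping verification.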
❤️
haven't tested this yet, but it looks good. I like the refactor.
the only downside of this as an issue is losing the ability to test upgrading to locally built snapshot, but with the use of newly added flags we will not be losing it entirely.
Yes, it's a known issue. The alternative is as you said, skip the verification with the cli flag or sign the local build and pass in the public pgp key. That's also one of the reasons I added the how-to doc
/test
seems to work
* remove PGP signature verification skip for DEV builds
* create pgptest package to sign and give the public key to verify the signature
* fix tests that relied on skipping the PGP verification
* add PGP/GPG how-to on docs
* add test for VerifySHA512HashWithCleanup
(cherry picked from commit e43be2a)
# Conflicts:
# internal/pkg/agent/application/upgrade/artifact/download/fs/verifier.go
# internal/pkg/agent/application/upgrade/artifact/download/http/verifier.go
What does this PR do?
Remove PGP signature verification skip for DEV builds
Why is it important?
It's not necessary anymore and prevents the PGP signature verification being skipped on a production build if it is ever, by mistake, produced with DEV=true.
Checklist
[ ] I have made corresponding changes to the documentation
[ ] I have made corresponding change to the default configuration files
[ ] I have added tests that prove my fix is effective or that my feature works
[ ] I have added an entry in ./changelog/fragments using the changelog tool
[ ] I have added an integration test or an E2E test
How to test this PR locally
Produce a build with DEV=true, upgrade it (actually downgrade it), check there is a log like Verification with PGP[%d] successful|failed
Related issues
Logs
TODO
Questions to ask yourself
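The verification policy this pull request describes, as an added example that is not code from the pull request or the project: verification fails closed with no build-flag branch, and a local build is accepted only when it is signed and its public key is passed in, or when the operator sets an explicit skip option. All names are hypothetical, and Ed25519 from the Go standard library stands in for PGP so the block has no external dependencies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Verifier is a hypothetical type; Ed25519 stands in for PGP here.
type Verifier struct {
	TrustedKeys []ed25519.PublicKey // embedded release key plus operator-supplied keys
	SkipVerify  bool                // set only from an explicit runtime flag, never from a build flag
}

var ErrBadSignature = errors.New("no trusted key verifies the artifact signature")

// Verify returns the index of the key that verified the artifact, or -1 when
// the operator explicitly skipped verification. Anything else fails closed.
func (v Verifier) Verify(artifact, sig []byte) (int, error) {
	if v.SkipVerify {
		return -1, nil
	}
	for i, k := range v.TrustedKeys {
		if ed25519.Verify(k, artifact, sig) {
			return i, nil
		}
	}
	return -1, ErrBadSignature
}

// SignLocalBuild plays the role of a test signing helper: it creates a
// throwaway key pair, signs the artifact and returns the public key to trust.
func SignLocalBuild(artifact []byte) (ed25519.PublicKey, []byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return pub, ed25519.Sign(priv, artifact), nil
}

func main() {
	artifact := []byte("constructed local snapshot build") // constructed sample input
	releaseKey, _, _ := ed25519.GenerateKey(rand.Reader)   // stand-in for the embedded release key
	localKey, sig, _ := SignLocalBuild(artifact)

	_, err := Verifier{TrustedKeys: []ed25519.PublicKey{releaseKey}}.Verify(artifact, sig)
	fmt.Println("release key only:", err)
	idx, err := Verifier{TrustedKeys: []ed25519.PublicKey{releaseKey, localKey}}.Verify(artifact, sig)
	fmt.Println("with local key:", idx, err)
}
```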