
[Elastic Agent] Embed the PGP key in the binary. #19222

Closed
ph opened this issue Jun 16, 2020 · 16 comments
Labels: Ingest Management:beta1 (Group issues for ingest management beta1)

Comments

@ph (Contributor)

ph commented Jun 16, 2020

When the Elastic Agent downloads a binary, we also download the PGP key and verify the downloaded artifact with it. Instead of downloading the artifact, we should bake the PGP key into the Elastic Agent binary and use it to verify the artifact.

Things that I think we need to do:

  • Allow the Elastic Agent to use that PGP key instead of a file.
  • Disable downloading of the PGP key.
  • Maybe a special case for testing?
@elasticmachine (Collaborator)

Pinging @elastic/ingest-management (Team:Ingest Management)

@ph (Contributor, Author)

ph commented Jun 16, 2020

@mgreau Do you know if we can access that PGP key in the release manager so we could bake it into the executable?

@ph ph added the Ingest Management:beta1 Group issues for ingest management beta1 label Jun 16, 2020
@ph (Contributor, Author)

ph commented Jun 16, 2020

@scunningham For linking.

@ph (Contributor, Author)

ph commented Jun 16, 2020

As @scunningham told me we could just embed it directly in the code.

@ph (Contributor, Author)

ph commented Jun 16, 2020

@michalpristas Looking at the code, this looks like a low effort?

@mgreau How often does the PGP key change?

@michalpristas (Contributor)

Should not be complicated; not sure what packaging changes are required.
What about the case where you build locally without a key? Should we skip PGP verification?

@ph (Contributor, Author)

ph commented Jun 17, 2020

@michalpristas I think it needs investigation; this might not be trivial because we package filebeat and metricbeat in the elastic-agent distribution. Maybe sync with @blakerouse here.

@mgreau (Member)

mgreau commented Jun 17, 2020

As explained on the website, the key is available at https://artifacts.elastic.co/GPG-KEY-elasticsearch, so you can download it at build time if you want it to be embedded. There is no reason to change it, but, if this key is embedded, I would recommend having an option for using another key in case we have to make a change for security reasons.

@scunningham

I would be careful with adding an option to use another key on the endpoint. We would have to defend against an escalation attack where an attacker drops a fake key in the right place and fools the agent into pulling down malicious payloads and executing with privileges. It is frankly safer to hard code the key in the binary itself, which is signed. There are ways to secure an optional key, but we would have to work to extend trust cleanly.

@michalpristas (Contributor)

I like the idea of baking it in from the official site at build time.
My idea here is that if the PGP key is not there, signatures will not be required and everything passes the check (we have one more check for sha512, but this is a simple one, more like a sanity check).

So if you want to test something locally without checking the signature, you just build the agent without a key and you're good to go.
@scunningham any security concern about this strategy?

@scunningham

Pulling it down from a trusted website at build time seems very reasonable. Lack of a key is fine for debug as long as we have some safeguards against that accidentally getting into production. I would worry that a build mistake would leave the shields down on the Death Star.

@michalpristas (Contributor)

A combination of "is the PGP key present" and "is it missing on purpose" makes sense to me and seems reasonable.

@ph (Contributor, Author)

ph commented Jun 26, 2020

I also have some concerns about having it empty. I think it should be an opt-in choice; we should be verbose at run time that this is a "debug" build, and we could add an assert for the packaging that this should not be a debug build?

@scunningham

I'd prefer it as PH described. It should be hard to accidentally build and release an agent that does not have proper key material in place.

@michalpristas (Contributor)

Does the strategy I took here look ok? #19480
By default it packs in the PGP key, but when you specify DEV=true (we can change it to DEBUG or whatever else) it is omitted and lets you test the agent without requiring packages to be signed.
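The thread converges on three requirements: the verification key is baked into the binary at build time, the sha512 check always runs as a sanity check, and a build that omits the key is accepted only when it was omitted on purpose (the DEV=true flag), so a production build with missing key material fails closed instead of leaving "the shields down". The following Go program is an added illustration of that decision logic; it is not code from this issue, from #19480, or from the Elastic Agent. Because Go's standard library has no OpenPGP implementation, it uses an ed25519 public key as a stand-in for the embedded PGP key; the `Verifier` type, its field names and the scenario labels are assumptions made for the example, and the artifact bytes are constructed inline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"encoding/hex"
	"errors"
	"fmt"
)

// Errors the verifier can return; callers match them with errors.Is.
var (
	ErrBadHash      = errors.New("artifact sha512 does not match the published checksum")
	ErrBadSignature = errors.New("artifact signature does not verify against the embedded key")
	ErrNoKey        = errors.New("no embedded verification key and this is not a dev build: refusing artifact")
	ErrMalformedKey = errors.New("embedded verification key has the wrong length")
)

// Verifier holds the two things the build decides. In a real build both would be
// injected at link time (e.g. -ldflags "-X main.devBuild=true") or via go:embed of a
// key file fetched from the official site at build time; here they are plain fields
// so the example is self-contained. This layout is hypothetical, not the agent's own.
type Verifier struct {
	Key      ed25519.PublicKey // stands in for the embedded PGP public key; empty = key omitted
	DevBuild bool              // mirrors DEV=true: the only way a missing key is tolerated
}

// Verify checks a downloaded artifact against its published sha512 and its detached
// signature. The checksum runs unconditionally (the "sanity check"); the signature
// check is skipped only when the key was deliberately left out of a dev build.
func (v Verifier) Verify(artifact []byte, wantSHA512Hex string, sig []byte) error {
	sum := sha512.Sum512(artifact)
	if hex.EncodeToString(sum[:]) != wantSHA512Hex {
		return ErrBadHash
	}
	if len(v.Key) == 0 {
		if v.DevBuild {
			return nil // explicit opt-out: a dev build without key material
		}
		return ErrNoKey // fail closed: a production build must never run unsigned artifacts
	}
	if len(v.Key) != ed25519.PublicKeySize {
		return ErrMalformedKey // ed25519.Verify would panic on a bad length; reject cleanly instead
	}
	if !ed25519.Verify(v.Key, artifact, sig) {
		return ErrBadSignature
	}
	return nil
}

// RunScenarios signs a constructed artifact with a throwaway key pair (standing in for
// the release signing key) and exercises the build/runtime combinations discussed in
// the thread. It returns each outcome so they can be inspected or asserted on.
func RunScenarios() (map[string]error, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	// Constructed sample payload; in practice this is the downloaded tarball.
	artifact := []byte("constructed sample artifact: filebeat tarball bytes")
	sum := sha512.Sum512(artifact)
	sumHex := hex.EncodeToString(sum[:])
	sig := ed25519.Sign(priv, artifact)

	// A tampered copy whose published checksum was replaced as well: the sha512
	// check alone passes, and only the signature check catches the substitution.
	tampered := append([]byte(nil), artifact...)
	tampered[0] ^= 0xff
	tsum := sha512.Sum512(tampered)

	prod := Verifier{Key: pub}
	prodNoKey := Verifier{}
	devNoKey := Verifier{DevBuild: true}

	return map[string]error{
		"prod/valid":          prod.Verify(artifact, sumHex, sig),
		"prod/wrong-checksum": prod.Verify(artifact, "00", sig),
		"prod/tampered-body":  prod.Verify(tampered, hex.EncodeToString(tsum[:]), sig),
		"prod/key-omitted":    prodNoKey.Verify(artifact, sumHex, sig),
		"dev/key-omitted":     devNoKey.Verify(artifact, sumHex, nil),
	}, nil
}

func main() {
	results, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for name, res := range results {
		fmt.Printf("%-20s -> %v\n", name, res)
	}
}
```

The "prod/tampered-body" case is the one that separates the sha512 sanity check from the signature: if the checksum is served from the same place as the artifact, an attacker who can swap one can swap the other, so only the key that shipped inside the signed binary decides whether the download runs. The "prod/key-omitted" case is the build-mistake scenario raised in the thread; it is rejected because nothing but an explicit `DevBuild` can turn the signature check off.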

@michalpristas (Contributor)

Closing, PGP key included as in #19480.
