elastic · michalpristas · Sep 22, 2020 · Jun 29, 2020 · Jun 29, 2020 · Jun 29, 2020
@@ -10,10 +10,14 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/url"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"runtime"
+	"strconv"
 	"strings"
 	"time"
 
@@ -40,6 +44,7 @@ const (
 	buildDir       = "build"
 	metaDir        = "_meta"
 	snapshotEnv    = "SNAPSHOT"
+	devEnv         = "DEV"
 	configFile     = "elastic-agent.yml"
 	agentDropPath  = "AGENT_DROP_PATH"
 )
@@ -620,6 +625,23 @@ func buildVars() map[string]string {
 	isSnapshot, _ := os.LookupEnv(snapshotEnv)
 	vars["github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release.snapshot"] = isSnapshot
 
+	fetchPgp := true
+	if isDevFlag, devFound := os.LookupEnv(devEnv); devFound {
+		if isDev, err := strconv.ParseBool(isDevFlag); err == nil && isDev {
+			vars["github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release.allowEmptyPgp"] = "true"
+			fetchPgp = false
+		}
+	}
+	fmt.Println("fetching pgp", fetchPgp)
+
+	if fetchPgp {
+		pgp, err := loadPGPFromWeb()
+		if err != nil {
+			panic(err)
+		}
+		vars["github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release.escPgp"] = string(pgp)
+	}
+
 	return vars
 }
 
@@ -628,3 +650,23 @@ func injectBuildVars(m map[string]string) {
 		m[k] = v
 	}
 }
+
+func loadPGPFromWeb() (string, error) {
+	const publicKeyURI = "https://artifacts.elastic.co/GPG-KEY-elasticsearch"
+
+	resp, err := http.Get(publicKeyURI)
+	if err != nil {
+		return "", fmt.Errorf("failed loading public key: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != 200 {
+		return "", fmt.Errorf("call to '%s' returned unsuccessful status code: %d", publicKeyURI, resp.StatusCode)
+	}
+
+	rawPgp, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return "", err
+	}
+	return url.PathEscape(string(rawPgp)), nil
+}
@@ -19,6 +19,7 @@ import (
 	"github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/monitoring"
 	"github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/server"
 	"github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/state"
+	"github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release"
 )
 
 type operatorStream struct {
@@ -56,7 +57,8 @@ func streamFactory(ctx context.Context, cfg *configuration.SettingsConfig, srv *
 
 func newOperator(ctx context.Context, log *logger.Logger, id routingKey, config *configuration.SettingsConfig, srv *server.Server, r state.Reporter, m monitoring.Monitor) (*operation.Operator, error) {
 	fetcher := downloader.NewDownloader(log, config.DownloadConfig)
-	verifier, err := downloader.NewVerifier(log, config.DownloadConfig)
+	allowEmptyPgp, pgp := release.PGP()
+	verifier, err := downloader.NewVerifier(log, config.DownloadConfig, allowEmptyPgp, pgp)
 	if err != nil {
 		return nil, errors.New(err, "initiating verifier")
 	}

@@ -30,10 +30,6 @@ type Config struct {
 	// Timeout: timeout for downloading package
 	Timeout time.Duration `json:"timeout" config:"timeout"`
 
-	// PgpFile: filepath to a public key used for verifying downloaded artifacts
-	// if not file is present elastic-agent will try to load public key from elastic.co website.
-	PgpFile string `json:"pgpfile" config:"pgpfile"`
-
 	// InstallPath: path to the directory containing installed packages
 	InstallPath string `yaml:"installPath" config:"install_path"`
 
@@ -52,7 +48,6 @@ func DefaultConfig() *Config {
 		SourceURI:       "https://artifacts.elastic.co/downloads/",
 		TargetDirectory: filepath.Join(dataPath, "downloads"),
 		Timeout:         30 * time.Second,
-		PgpFile:         filepath.Join(dataPath, "elastic.pgp"),
 		InstallPath:     filepath.Join(dataPath, "install"),
 	}
 }

@@ -14,7 +14,6 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
-	"sync"
 
 	"golang.org/x/crypto/openpgp"
 
@@ -29,15 +28,22 @@ const (
 // Verifier verifies a downloaded package by comparing with public ASC
 // file from elastic.co website.
 type Verifier struct {
-	config   *artifact.Config
-	pgpBytes []byte
+	config        *artifact.Config
+	pgpBytes      []byte
+	allowEmptyPgp bool
 }
 
 // NewVerifier create a verifier checking downloaded package on preconfigured
 // location agains a key stored on elastic.co website.
-func NewVerifier(config *artifact.Config) (*Verifier, error) {
+func NewVerifier(config *artifact.Config, allowEmptyPgp bool, pgp []byte) (*Verifier, error) {
+	if len(pgp) == 0 && !allowEmptyPgp {
+		return nil, errors.New("expecting PGP but retrieved none", errors.TypeSecurity)
+	}
+
 	v := &Verifier{
-		config: config,
+		config:        config,
+		allowEmptyPgp: allowEmptyPgp,
+		pgpBytes:      pgp,
 	}
 
 	return v, nil
@@ -58,9 +64,10 @@ func (v *Verifier) Verify(programName, version string) (bool, error) {
 		// remove bits so they can be redownloaded
 		os.Remove(fullPath)
 		os.Remove(fullPath + ".sha512")
+		return isMatch, err
 	}
 
-	return isMatch, err
+	return v.verifyAsc(filename, fullPath)
 }
 
 func (v *Verifier) verifyHash(filename, fullPath string) (bool, error) {
@@ -106,15 +113,9 @@ func (v *Verifier) verifyHash(filename, fullPath string) (bool, error) {
 }
 
 func (v *Verifier) verifyAsc(filename, fullPath string) (bool, error) {
-	var err error
-	var pgpBytesLoader sync.Once
-
-	pgpBytesLoader.Do(func() {
-		err = v.loadPGP(v.config.PgpFile)
-	})
-
-	if err != nil {
-		return false, errors.New(err, "loading PGP")
+	if len(v.pgpBytes) == 0 {
+		// no pgp available skip verification process
+		return true, nil
 	}
 
 	ascBytes, err := v.getPublicAsc(filename)
@@ -153,18 +154,3 @@ func (v *Verifier) getPublicAsc(filename string) ([]byte, error) {
 
 	return b, nil
 }
-
-func (v *Verifier) loadPGP(file string) error {
-	var err error
-
-	if file == "" {
-		return errors.New("pgp file not specified for verifier", errors.TypeConfig)
-	}
-
-	v.pgpBytes, err = ioutil.ReadFile(file)
-	if err != nil {
-		return errors.New(err, errors.TypeFilesystem)
-	}
-
-	return nil
-}
@@ -59,7 +59,7 @@ func TestFetchVerify(t *testing.T) {
 	assert.NoError(t, err)
 
 	downloader := NewDownloader(config)
-	verifier, err := NewVerifier(config)
+	verifier, err := NewVerifier(config, true, nil)
 	assert.NoError(t, err)
 
 	// first download verify should fail:
@@ -157,7 +157,7 @@ func TestVerify(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	testVerifier, err := NewVerifier(config)
+	testVerifier, err := NewVerifier(config, true, nil)
 	if err != nil {
 		t.Fatal(err)
 	}

@@ -105,7 +105,7 @@ func TestVerify(t *testing.T) {
 				t.Fatal(err)
 			}
 
-			testVerifier, err := NewVerifier(config)
+			testVerifier, err := NewVerifier(config, true, nil)
 			if err != nil {
 				t.Fatal(err)
 			}

@@ -16,7 +16,6 @@ import (
 	"os"
 	"path"
 	"strings"
-	"sync"
 
 	"golang.org/x/crypto/openpgp"
 
@@ -32,20 +31,27 @@ const (
 // Verifier verifies a downloaded package by comparing with public ASC
 // file from elastic.co website.
 type Verifier struct {
-	config   *artifact.Config
-	client   http.Client
-	pgpBytes []byte
+	config        *artifact.Config
+	client        http.Client
+	pgpBytes      []byte
+	allowEmptyPgp bool
 }
 
 // NewVerifier create a verifier checking downloaded package on preconfigured
 // location agains a key stored on elastic.co website.
-func NewVerifier(config *artifact.Config) (*Verifier, error) {
+func NewVerifier(config *artifact.Config, allowEmptyPgp bool, pgp []byte) (*Verifier, error) {
+	if len(pgp) == 0 && !allowEmptyPgp {
+		return nil, errors.New("expecting PGP but retrieved none", errors.TypeSecurity)
+	}
+
 	client := http.Client{Timeout: config.Timeout}
 	rtt := withHeaders(client.Transport, headers)
 	client.Transport = rtt
 	v := &Verifier{
-		config: config,
-		client: client,
+		config:        config,
+		client:        client,
+		allowEmptyPgp: allowEmptyPgp,
+		pgpBytes:      pgp,
 	}
 
 	return v, nil
@@ -71,9 +77,10 @@ func (v *Verifier) Verify(programName, version string) (bool, error) {
 		// remove bits so they can be redownloaded
 		os.Remove(fullPath)
 		os.Remove(fullPath + ".sha512")
+		return isMatch, err
 	}
 
-	return isMatch, err
+	return v.verifyAsc(programName, version)
 }
 
 func (v *Verifier) verifyHash(filename, fullPath string) (bool, error) {
@@ -120,15 +127,9 @@ func (v *Verifier) verifyHash(filename, fullPath string) (bool, error) {
 }
 
 func (v *Verifier) verifyAsc(programName, version string) (bool, error) {
-	var err error
-	var pgpBytesLoader sync.Once
-
-	pgpBytesLoader.Do(func() {
-		err = v.loadPGP(v.config.PgpFile)
-	})
-
-	if err != nil {
-		return false, errors.New(err, "loading PGP")
+	if len(v.pgpBytes) == 0 {
+		// no pgp available skip verification process
+		return true, nil
 	}
 
 	filename, err := artifact.GetArtifactName(programName, version, v.config.OS(), v.config.Arch())
@@ -202,33 +203,3 @@ func (v *Verifier) getPublicAsc(sourceURI string) ([]byte, error) {
 
 	return ioutil.ReadAll(resp.Body)
 }
-
-func (v *Verifier) loadPGP(file string) error {
-	var err error
-
-	if file == "" {
-		v.pgpBytes, err = v.loadPGPFromWeb()
-		return err
-	}
-
-	v.pgpBytes, err = ioutil.ReadFile(file)
-	if err != nil {
-		return errors.New(err, errors.TypeFilesystem, errors.M(errors.MetaKeyPath, file))
-	}
-
-	return nil
-}
-
-func (v *Verifier) loadPGPFromWeb() ([]byte, error) {
-	resp, err := v.client.Get(publicKeyURI)
-	if err != nil {
-		return nil, errors.New(err, "failed loading public key", errors.TypeNetwork, errors.M(errors.MetaKeyURI, publicKeyURI))
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode != 200 {
-		return nil, errors.New(fmt.Sprintf("call to '%s' returned unsuccessful status code: %d", publicKeyURI, resp.StatusCode), errors.TypeNetwork, errors.M(errors.MetaKeyURI, publicKeyURI))
-	}
-
-	return ioutil.ReadAll(resp.Body)
-}
@@ -17,26 +17,26 @@ import (
 
 // NewVerifier creates a downloader which first checks local directory
 // and then fallbacks to remote if configured.
-func NewVerifier(log *logger.Logger, config *artifact.Config) (download.Verifier, error) {
+func NewVerifier(log *logger.Logger, config *artifact.Config, allowEmptyPgp bool, pgp []byte) (download.Verifier, error) {
 	verifiers := make([]download.Verifier, 0, 3)
 
-	fsVer, err := fs.NewVerifier(config)
+	fsVer, err := fs.NewVerifier(config, allowEmptyPgp, pgp)
 	if err != nil {
 		return nil, err
 	}
 	verifiers = append(verifiers, fsVer)
 
 	// try snapshot repo before official
 	if release.Snapshot() {
-		snapshotVerifier, err := snapshot.NewVerifier(config)
+		snapshotVerifier, err := snapshot.NewVerifier(config, allowEmptyPgp, pgp)
 		if err != nil {
 			log.Error(err)
 		} else {
 			verifiers = append(verifiers, snapshotVerifier)
 		}
 	}
 
-	remoteVer, err := http.NewVerifier(config)
+	remoteVer, err := http.NewVerifier(config, allowEmptyPgp, pgp)
 	if err != nil {
 		return nil, err
 	}

@@ -38,7 +38,6 @@ func snapshotConfig(config *artifact.Config) (*artifact.Config, error) {
 		SourceURI:       snapshotURI,
 		TargetDirectory: config.TargetDirectory,
 		Timeout:         config.Timeout,
-		PgpFile:         config.PgpFile,
 		InstallPath:     config.InstallPath,
 		DropPath:        config.DropPath,
 	}, nil

@@ -12,10 +12,10 @@ import (
 
 // NewVerifier creates a downloader which first checks local directory
 // and then fallbacks to remote if configured.
-func NewVerifier(config *artifact.Config, downloaders ...download.Downloader) (download.Verifier, error) {
+func NewVerifier(config *artifact.Config, allowEmptyPgp bool, pgp []byte) (download.Verifier, error) {
 	cfg, err := snapshotConfig(config)
 	if err != nil {
 		return nil, err
 	}
-	return http.NewVerifier(cfg)
+	return http.NewVerifier(cfg, allowEmptyPgp, pgp)
 }