[Fleet] Add experimental package verification (server side)

[hop-dev]

Summary

Part of #133822.

Add package verification on package install. Verify a package signature if:

• the feature flag is enabled packageVerification
• the package has a .sig file in the registry (none will yet)
• a local public key is configured at xpack.fleet.packageVerification.gpgKeyPath

Otherwise package verification status is always set to "unknown".

Summary of changes

• Add new feature flag packageVerification, disabled by default
• Add new fields to installation saved object (saved object migration to follow in separate PR)
  • verification_status - unknown | verified | unverified
  • verification_key_id - present if status is not unknown, they id of the key used to do verification.
• Add new cache for storing archive verification status
• When downloading archive, perform verification and cache result
• Verify bundled packages when downloading them (but don't currently store the .sig file for future verification, so will still have unknown verification status)
• Return 400 response code if package verification fails
• If a package is installed with force: true then install will proceed even if verification fails

Testing steps

• 1. Run the version of the EPR with package signatures locally:

docker run -p 8080:8080 docker.elastic.co/observability-ci/package-registry/distribution:PR-463

• 2. set xpack.fleet.registryUrl: http://localhost:8080
• 3. download local public key curl https://artifacts.elastic.co/GPG-KEY-elasticsearch -o /tmp/GPG-KEY-elasticsearch
• 4. set xpack.fleet.packageVerification.gpgKeyPath: /tmp/GPG-KEY-elasticsearch
• 5. Enable the feature by setting:

xpack.fleet.enableExperimental: 
    - packageVerification

• 6. Optional - to test if verification fails, here is a GPG public key which isnt the elastic one:
     NOT_THE_ELASTIC_KEY.txt

Test scenarios:

• if verification feature flag is enabled and:
  • verification is successful: Install should succeed,verification_key_id should be d27d666cd88e42b4 and verification_status should be verified
  • verification is not successful : (e.g by using a different public key supplied above) Install should not succeed, 400 response code returned,verification_key_id should be d27d666cd88e42b4 and verification_status should be unverified
  • no public key configured locally: (e.g by unsetting gpgKey config)Install should succeed,verification_key_id should not be set and verification_status should be unknown
  • missing .sig file: (e.g by connecting to the normal EPR) Install should succeed,verification_key_id should not be set and verification_status should be unknown
• verification feature flag not enabled: Install should succeed,verification_key_id should not be set and verification_status should be unknown

Checklist

Delete any items that are not applicable to this PR.

• Unit or functional tests were updated or added to match the most common scenarios

[hop-dev]

Not sure about this response code for when a package fails verification, I was also tempted by Forbidden or Bad Request

[kpollich]

400 Bad Request seems most appropriate here. 422 is usually more applicable when creating/updating some resource and the request body fails some validation check in my experience.

[hop-dev]

installSource was unused

[hop-dev]

Not sure if this is a bit messy, if for example I install a packge and it is verified, then I reinstall it and it is "unknown", we need to unset the verification key ID, I've done this by nulling it.

[kpollich]

This makes sense to me

[hop-dev]

this function was unused

[elasticmachine]

Pinging @elastic/fleet (Team:Fleet)

[pzl]

security_solution bits are 👌

[nchaulet]

I am wondering if we should avoid this cache pattern at some point it's not going to scale (it's probably more problematic for archiveEntryCache) do we really need to cache things how often are computing the verification?

If we really need to cache it it's probably better to use an LRU cache with a max size

[hop-dev]

I looked into removing caching, unfortunately as we do not cache the full archive only the sub-files this wasn't possible. I agree that the way that we cache isn't great, I think changing the way we cache should be done as a seperate ticket which I have raised here: #135790

[kpollich]

Couple naming suggestions and one clarification around log level. Requested changes are nonblocking though, so marking as approved.

[kpollich]

This makes sense to me

[kibana-ci]

💚 Build Succeeded

• Buildkite Build
• Commit: a87848d
• Storybooks Preview
• Webpack Bundle Analyzer

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id	before	after	diff
fleet	1376	1379	+3

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
securitySolution	5.2MB	5.2MB	+30.0B

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
fleet	111.3KB	111.3KB	+23.0B

Saved Objects .kibana field count

Every field in each saved object type adds overhead to Elasticsearch. Kibana needs to keep the total field count below Elasticsearch's default limit of 1000 fields. Only specify field mappings for the fields you wish to search on or query. See https://www.elastic.co/guide/en/kibana/master/development-plugin-saved-objects.html#_mappings

id	before	after	diff
epm-packages	20	22	+2

Unknown metric groups

API count

id	before	after	diff
fleet	1507	1510	+3

History

• 💔 Build #55854 failed 36a17de
• 💔 Build #55740 failed 4236cbb5aec7bb18c7057a8bff9d2af5f43b6384
• 💚 Build #55070 succeeded 58ea0e8e2680f29137b45c62b909b7f73ba56a19
• 💚 Build #54959 succeeded e61cebda40f2e36587bdec9279f60508d8139cab
• 💔 Build #54718 failed eb62b01ffb2e2d6541f89a30cc55ce1a8986755d

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @hop-dev

[parkiino]

onboarding-lifecycle-management team files look good to me