NETWAYS / ansible-collection-elasticstack

A collection to install and manage the Elastic Stack
GNU General Public License v3.0

Reset cryptographic policy to DEFAULT #196

Open afeefghannam89 opened 1 year ago

afeefghannam89 commented 1 year ago

We are setting the cryptographic policy system-wide to LEGACY, because Elastic uses an old SHA1 package signature. For security reasons we should set the policy back to default at the end of the collection/playbook. Skipping the gpg key check is the only other solution in this case, but it is a bad one.

afeefghannam89 commented 1 year ago

I think the best place to reset the policy is at the end of the playbook, in the documentation, because the users can use this collection differently. @widhalmt what do you think?

widhalmt commented 1 year ago

Hm... we need to check if that won't break updates. To be honest, I didn't check whether there are new signature hashes in current releases. Maybe it was just a temporary problem.

afeefghannam89 commented 1 year ago

Unfortunately, there is no new signature. The last update on the issue is that they will discuss the problem internally. OK, good notice :) The only matter here is that we enable deprecated signatures for all packages on the system, not only for Elastic. I did not find a way to specify a cryptographic policy for the Elastic Stack only.

afeefghannam89 commented 1 year ago

If resetting the policy will impact the upgrade, we could wait until Elastic uses a more secure signature.

widhalmt commented 1 year ago

I'm okay with both. Waiting or changing it back. But either way, you have a good point. And we should definitely say something about it in README.md.
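One way to make the reset automatic instead of relying on the user to remember it, as an added example that is not code from the collection or from either commenter: a playbook that records the active policy, switches to LEGACY only for the package installation, and restores the recorded policy in an `always` section so it also runs when the install fails. It goes slightly beyond the issue title by restoring whatever policy was active before (falling back to DEFAULT) rather than hard-coding DEFAULT. It assumes a RHEL/Fedora-family host that ships `update-crypto-policies`, and uses a hypothetical role name `install_elastic_packages` as a stand-in for the collection's own roles.

```yaml
# Added example, not part of the NETWAYS collection.
# Assumes: RHEL/Fedora-family host with update-crypto-policies, and a
# hypothetical role "install_elastic_packages" standing in for the
# collection's roles that install the Elastic packages.
- name: Install Elastic Stack packages under a temporary LEGACY crypto policy
  hosts: elastic
  become: true
  tasks:
    - name: Record the crypto policy that is active before we change anything
      ansible.builtin.command: update-crypto-policies --show
      register: crypto_policy_before
      changed_when: false

    - name: Allow SHA1 signatures only for the duration of the install
      block:
        - name: Switch to LEGACY so the SHA1-signed Elastic packages verify
          ansible.builtin.command: update-crypto-policies --set LEGACY
          when: crypto_policy_before.stdout != "LEGACY"

        - name: Install Elastic packages (placeholder for the collection's roles)
          ansible.builtin.include_role:
            name: install_elastic_packages   # hypothetical role name
      always:
        # Runs even when the install fails, so the host never stays on LEGACY
        # by accident; the original failure is still reported by Ansible.
        - name: Restore the previous policy (DEFAULT if none was recorded)
          ansible.builtin.command: >-
            update-crypto-policies --set
            {{ crypto_policy_before.stdout | default('DEFAULT', true) }}
          when: crypto_policy_before.stdout != "LEGACY"

        - name: Verify the restored policy actually matches what we recorded
          ansible.builtin.command: update-crypto-policies --show
          register: crypto_policy_after
          changed_when: false
          failed_when: >-
            crypto_policy_after.stdout !=
            (crypto_policy_before.stdout | default('DEFAULT', true))
```

The policy change only affects processes started after it, which is fine here because the package manager is started fresh by the install tasks; the final `--show` check is what tells you the host is no longer accepting deprecated signatures for every package on the system, which is the concern raised above.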