Open afeefghannam89 opened 1 year ago
I think the best place to reset the policy at the end of the playbook in the documentation, because the users can use this collection differently. @widhalmt, what do you think?
Hm... we need to check if that won't break updates. To be honest, I didn't check whether there are new signature hashes in current releases. Maybe it was just a temporary problem.
Unfortunately, there is no new signature. The last update on the issue is that they will discuss the problem internally. Ok, good notice :) The only matter here is that we enable the deprecated signature for all packages on the system, not only for Elastic. I did not find a way to specify a cryptographic policy for Elastic Stack only.
If resetting the policy will impact the upgrade, we could wait until Elastic uses a more secure signature.
I'm okay with both. Waiting or changing it back. But either way, you have a good point. And we should definitely say something about it in README.md.
We are setting the cryptographic policy system-wide to LEGACY, because Elastic uses the old SHA1 package signature. For security reasons we should set the policy back to default at the end of the collection/playbook. Skipping the GPG key check is the only other solution in this case, but it is a bad one.
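
An added example, not part of the thread or of the collection's own code: one way to keep the LEGACY window as short as possible is to record the policy in effect, switch to LEGACY only around the install, and restore the recorded policy in an `always` section so it is put back even when the install fails. The host group, package name and variable names are assumptions.

```yaml
---
# Added example: scope the LEGACY crypto policy to the install step only.
# Host group, package name and register names are assumptions.
- name: Install an Elastic package under a temporary LEGACY crypto policy
  hosts: elastic_hosts            # assumed inventory group
  become: true
  tasks:
    - name: Record the crypto policy currently in effect
      ansible.builtin.command: update-crypto-policies --show
      register: crypto_policy_before
      changed_when: false

    - name: Install while SHA1 signatures are temporarily accepted
      block:
        - name: Switch to LEGACY so the SHA1 package signature verifies
          ansible.builtin.command: update-crypto-policies --set LEGACY
          when: crypto_policy_before.stdout | trim != 'LEGACY'
          changed_when: true

        - name: Install the package with GPG checking left enabled
          ansible.builtin.package:
            name: elasticsearch   # assumed package name
            state: present
      always:
        # Restore what the host had before (it may not have been DEFAULT).
        - name: Restore the policy that was active before the play
          ansible.builtin.command: >-
            update-crypto-policies --set {{ crypto_policy_before.stdout | trim }}
          when: crypto_policy_before.stdout | trim != 'LEGACY'
          changed_when: true

        - name: Fail the play if the host did not return to its prior policy
          ansible.builtin.command: update-crypto-policies --show
          register: crypto_policy_after
          changed_when: false
          failed_when: >-
            crypto_policy_after.stdout | trim
            != crypto_policy_before.stdout | trim
```

While the packages remain SHA1-signed, later upgrades of them need the same wrapper, which is the update concern raised in the thread.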