[Bug] Fix InstallPluginCommand to use proper key signatures (#1233)

The public key has changed since the initial release. This commit fixes the public key and uses the .sig files that are published to the artifacts site. Signed-off-by: Nicholas Walter Knize <[email protected]>
opensearch-project · Sep 10, 2021 · aecc7bd · aecc7bd
1 parent 65abe4a
commit aecc7bd
Show file tree

Hide file tree

Showing 4 changed files with 59 additions and 60 deletions.
diff --git a/distribution/tools/plugin-cli/src/main/java/org/opensearch/plugins/InstallPluginCommand.java b/distribution/tools/plugin-cli/src/main/java/org/opensearch/plugins/InstallPluginCommand.java
@@ -605,21 +605,21 @@ private Path downloadAndValidate(
 
     /**
      * Verify the signature of the downloaded plugin ZIP. The signature is obtained from the source of the downloaded plugin by appending
-     * ".asc" to the URL. It is expected that the plugin is signed with the OpenSearch signing key with ID 0934A65836A51424.
+     * ".sig" to the URL. It is expected that the plugin is signed with the OpenSearch signing key with ID C2EE2AF6542C03B4.
      *
      * @param zip       the path to the downloaded plugin ZIP
      * @param urlString the URL source of the downloade plugin ZIP
      * @throws IOException  if an I/O exception occurs reading from various input streams
      * @throws PGPException if the PGP implementation throws an internal exception during verification
      */
     void verifySignature(final Path zip, final String urlString) throws IOException, PGPException {
-        final String ascUrlString = urlString + ".asc";
-        final URL ascUrl = openUrl(ascUrlString);
+        final String sigUrlString = urlString + ".sig";
+        final URL sigUrl = openUrl(sigUrlString);
         try (
             // fin is a file stream over the downloaded plugin zip whose signature to verify
             InputStream fin = pluginZipInputStream(zip);
             // sin is a URL stream to the signature corresponding to the downloaded plugin zip
-            InputStream sin = urlOpenStream(ascUrl);
+            InputStream sin = urlOpenStream(sigUrl);
             // ain is a input stream to the public key in ASCII-Armor format (RFC4880)
             InputStream ain = new ArmoredInputStream(getPublicKey())
         ) {
@@ -666,7 +666,7 @@ InputStream pluginZipInputStream(final Path zip) throws IOException {
      * @return the public key ID
      */
     String getPublicKeyId() {
-        return "0934A65836A51424";
+        return "C2EE2AF6542C03B4";
     }
 
     /**
@@ -675,7 +675,7 @@ String getPublicKeyId() {
      * @return an input stream to the public key
      */
     InputStream getPublicKey() {
-        return InstallPluginCommand.class.getResourceAsStream("/public_key.asc");
+        return InstallPluginCommand.class.getResourceAsStream("/public_key.sig");
     }
 
     /**

diff --git a/distribution/tools/plugin-cli/src/main/resources/public_key.asc b/distribution/tools/plugin-cli/src/main/resources/public_key.asc
diff --git a/distribution/tools/plugin-cli/src/main/resources/public_key.sig b/distribution/tools/plugin-cli/src/main/resources/public_key.sig
@@ -0,0 +1,51 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGCa8OoBEADPB4ULnunicJnz+QeANNMQ5FoaVx7ImHBpLwn4Dmgc189JukZO
+WWbJw+fMp4LQRJN78NJQsgmVhyF8jjpqTsznsxK55qymiTaazekh3wXhKXVRhEfB
+kA1SYV/Aw+ZSgmbPquZftsRVUwHMD6PW+XODyQlAKeGi7wmG4Wjcn3XTJpr90Axf
+kMRV/j0ZpNp+wGUm9nJMtPOIQGu3oMDWtLjxdfFdtC9O/ZrnOueeeO/jl4y3ZQCF
++Z//5ObxAw/yG0/70X31HKyua3p0QAqa74nobw2ttYfgJg0kN5mdf8BmxifmA4zU
+uMUcFhc5WbKcA2JT7iaDSSmlz1sjtx7xmWhHzSZNoAi0b/xAIfPa3bknA6ENhGNR
+0m/0u2rRyoa8L1nYn4d+FlptzaY81LMz4kY0yWE4L3oBGR82ySAVDP/MRpgyDGYF
+HuEsuPT3QlWm0zUgrzWf9xbporhUv/+9eDvagfLrWUauYYpXAOrVEEhRueQGqDVa
+1zku3lsdWsH8D2SL1cGqX4Ryb2Hi1+uhM1k20lx8fkoE5oF4v4ap5hd/QtA5VS+C
+KYT+iJmI8lXbERxnPTI46hOqnVUqAM0U2UKxVyRk3NAJaX8oz3SIo0Zrl7piYdSK
+qCLka9YiQur5oHEXUmGIDwGUSTbbqC92Ni5Crl+aeA8ApOwf19UJt2V0WQARAQAB
+tCpPcGVuU2VhcmNoIHByb2plY3QgPG9wZW5zZWFyY2hAYW1hem9uLmNvbT6JAjkE
+EwECACMFAmCa8OoCGwMHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRA50xmH
+kxDT/KBhD/4kvP5eezzBYk+JXfi0JODIiBVTIYMF0rie7RsLmCULf+MdJeuxC0ST
+rGEKp+sP3kb1n+ugGlQtvh3R23YHPWXlE7UWpvYV4Nc0vPA5ySnLXdxIFyZrbIvC
+hHqSESuTKm5mRYckMkb3qg7f22zPw3Y3ckM+f3GAnfB2RAxHal1WlqhMTnNG7QNF
+XLiLbe225KDyLWEkrrm6mFV/PCFufSRWBtInIOxHZqokdT68b4w2o3Tdz16btEhJ
+KTlBcFmNcL03SqAccTZXkfeCMoP91lFao6WJL2Zfo+CfWW6K2N3NsV5UDGufMSDK
+RyhsuXtl47SvnYSHGN2pxbi0q3BmtBrqyALuJ4ThVKugqtRk4OvQ1Vxr2DwKnD+s
+gQmg07SZF5JL9jZV6vIntMW4eKq7vmCo9mZEktKtZdMDBM+hGwjvDp5WGEAOGe6g
+ZG0mwHhhDFchD+5Vky6EkafBlu+aa45yQ9UO6LXat0XgE+Qg/gLajOkSMQnwUSYw
+OeyyrvyeRW/NjXYD8Y15TkXPnDXjE9cMijamFGv3Ogf8Z+Xy0LAW+WpDQq4xjXj7
+mIgzC44C8U1Ji14gugk1aE3T34a9KAr7P42Fp1M8NZuE0wWuKJd3e/VXqOUvjVFt
+enko6tTFLg2yidvNk3iR7j2XIdB3+SapDmbSCp01D79bVkiWQB1rwrkBDQRgmvLg
+AQgAx3MTWZRG12qIGlY25QYYta74TA52aa2mQuy9e7Rf4GxHxTr99lwK0UYVDg9M
+XY8ry/BvOh4O+5HWWlIgMfeEIL4BF6r2DROoRx5LyENtMmMNLw9sKTDftmZUq2ci
+4mqN9GqnbKd+ppKRvkR+D1nQ3gyXKvkv9PuEWdGpUwwoqa/55PeU5Fyt/Qnf4Hnh
+kXrYovRqQlpJWQCVNdumXczMRKCJLBuwGoAFCdm3zHHV8dLVKt6ioV0OSBFtOiq/
+Lcb6sE/WSt+TDhMG14Lie4OM0iV/V+EtT/ENlhAY8ViVvbWe+8eH/iQGcc92lQmr
+CwpKB42DYvvo2R03/9IYJ0ls3QARAQABiQNEBBgBAgAPBQJgmvLgAhsCBQkB4TOA
+ASkJEDnTGYeTENP8wF0gBBkBAgAGBQJgmvLgAAoJEMLuKvZULAO0w5cH/1qvMK9r
+W9voJR6vA4OMmganK+W28noRyJlWFZ9Rt/5Wdb3zPIV53p+aR9DIso2mI1JpaonD
+9r+slKglu7ZoHCqnD55sdTl27SBpFblSQqHUQGKwpvIYMH+jj6NIgRkPDhe+YSVo
+xVQS5fexN2vuzAsYGdewtAvx3T8a/Py0kVC7VSLiJjLJdF1lFAF6RWI/AWrpjh/c
+fXUU1ZdKbJNruyv43rJka6Rj4rZ6qSTKj71+Pu7IYbu3lRj2SfBOrMIdCiltIo/N
+65RVwIies/9/intR44h1QrYPujQdMwMreKKv/LhI0u/JNNDK1kTzf2cGl0nYLV1c
+7Bx0BIWeYUrEVcG+Sg//SNGWG7klaLtifTg6UxHkgRkXajDCTATppCL45Lz9hPD4
++SgroZnWEWAordqBKHVGVE2d3kyo0Nz7dh7OVAkyV4/QReHaD0+LqnbgRhuiAFHi
+QwAl+jXQopAFD2MUX1LskelmqSLV4b1aUN4jnGiyhsuEvp2AiTEvrx4KqcxJE88B
+f2jstY7+PxKQEFLOpzH4A8hiU9hsrhW8K0ymxyTTNPHpUAkl6qE7nFFAemcr8HWw
+F30Iut2tLa5haeJTTj+xXI52dUEnertlpewLcl1AKTUedNsFbSgzg6glh9/NyNB7
+XrKDk/yPABEpDkrPVPcHCVLCm1Ya4ro6esp18i+wDWeBFaOuK/NM1pgyy/RXsCFr
+mhAA0I1QCldD1oTv2F5MMlVT5TqcJC54martiVHhKs/4yylR5IutDniZ458VqAH+
+1B0WDoJC58lGcUHai4o4hxhVwdBGoxz4UoTUX80N5wB/0esf02H8aBwuGh0VMen8
+my8hu3OnqfyScab9j6TB+tnfFM7pa8vJ9nZeDn2oHyYj9T22NYa1FYRkK40wzylo
+IU/Nmemh0/JXnpEe7b5qrGyC3M2VhXs2vnX+LaKWTFFLHgB6Yt5LbRYDiRApcuRF
+SwThr6EACG9HRPr76uRLE6Wkifn7NrIRbD3nrAzdxNLHBIK+veTVDQOGoxf7jOU=
+=4bMD
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/...tion/tools/plugin-cli/src/test/java/org/opensearch/plugins/InstallPluginCommandTests.java b/...tion/tools/plugin-cli/src/test/java/org/opensearch/plugins/InstallPluginCommandTests.java
@@ -935,8 +935,8 @@ URL openUrl(String urlString) throws IOException {
                     String checksum = shaCalculator.apply(zipbytes);
                     Files.write(shaFile, checksum.getBytes(StandardCharsets.UTF_8));
                     return shaFile.toUri().toURL();
-                } else if ((url + ".asc").equals(urlString)) {
-                    final Path ascFile = temp.apply("asc").resolve("downloaded.zip" + ".asc");
+                } else if ((url + ".sig").equals(urlString)) {
+                    final Path ascFile = temp.apply("sig").resolve("downloaded.zip" + ".sig");
                     final byte[] zipBytes = Files.readAllBytes(pluginZip);
                     final String asc = signature.apply(zipBytes, secretKey);
                     Files.write(ascFile, asc.getBytes(StandardCharsets.UTF_8));