OpenSearch: [BUG] Native Plugin Installation request for .asc and OpenSearch repo has the wrong Public Key
Describe the bug
Two issues:
- When installing the native plugin directly, opensearch-plugin requests to use the .asc file for validation instead of the .sig file, which we included in the signing and release process.
$ ./opensearch-plugin install repository-s3
-> Installing repository-s3
-> Downloading repository-s3 from opensearch
[=================================================] 100%
-> Failed installing repository-s3
-> Rolling back repository-s3
-> Rolled back repository-s3
Exception in thread "main" java.io.IOException: Server returned HTTP response code: 403 for URL: https://artifacts.opensearch.org/releases/plugins/repository-s3/1.0.0/repository-s3-1.0.0.zip.asc
at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1932)
at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1528)
at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:224)
at java.base/java.net.URL.openStream(URL.java:1167)
at org.opensearch.plugins.InstallPluginCommand.urlOpenStream(InstallPluginCommand.java:482)
at org.opensearch.plugins.InstallPluginCommand.verifySignature(InstallPluginCommand.java:622)
at org.opensearch.plugins.InstallPluginCommand.downloadAndValidate(InstallPluginCommand.java:600)
at org.opensearch.plugins.InstallPluginCommand.download(InstallPluginCommand.java:306)
at org.opensearch.plugins.InstallPluginCommand.execute(InstallPluginCommand.java:260)
at org.opensearch.plugins.InstallPluginCommand.execute(InstallPluginCommand.java:237)
at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:99)
at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:140)
at org.opensearch.cli.MultiCommand.execute(MultiCommand.java:104)
at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:140)
at org.opensearch.cli.Command.main(Command.java:103)
at org.opensearch.plugins.PluginCli.main(PluginCli.java:60)
- OpenSearch includes the wrong Public Key here: https://github.com/opensearch-project/OpenSearch/commit/05a6fde676e6436bd1e3d5dfe7de26889a69f0cb
The correct public key is here: https://opensearch.org/verify-signatures.html https://artifacts.opensearch.org/publickeys/opensearch.pgp
To Reproduce
See Above
Expected behavior
Install success
Plugins
analysis-icu, analysis-kuromoji, analysis-nori, analysis-phonetic, analysis-smartcn, analysis-stempel, analysis-ukrainian, discovery-azure-classic, discovery-ec2, discovery-gce, ingest-attachment, mapper-annotated-text, mapper-murmur3, mapper-size, repository-azure, repository-gcs, repository-hdfs, repository-s3, store-smb, transport-nio
About this issue
- State: closed
- Created 3 years ago
- Reactions: 3
- Comments: 24 (16 by maintainers)
Answering questions in order:
- OpenSearch expects the plugins to be signed by .asc and specifically looks for that file. Ref: https://github.com/opensearch-project/OpenSearch/blob/4906a3c1b029f55e41bf60ef214ebff61939ba6d/distribution/tools/plugin-cli/src/main/java/org/opensearch/plugins/InstallPluginCommand.java#L615 We can definitely discuss .asc vs .sig.
- The key committed to the repository was in PR https://github.com/opensearch-project/OpenSearch/commit/05a6fde676e6436bd1e3d5dfe7de26889a69f0cb
Given that I see these as next steps:
- .asc vs .sig and if needed update OpenSearch with the new key for next release (v1.1.0)
You are installing 1.0.0 version of plugin on 1.1.0 which have different sig.
Sure, let's sync up on this one. Thanks.
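When triaging a failed plugin signature check like the one in this issue, two questions come up: is the published signature ASCII-armored or binary, and which key produced it. The following added example (not code from the OpenSearch project) reads a detached OpenPGP signature in either form, whatever its file extension, and returns the issuer key ID so it can be compared with the ID of the published public key. The function names and the sample packet are assumptions constructed for illustration.

```python
import base64

# Constructed sample: binary v4 signature packet with only an Issuer subpacket (made-up key ID).
SAMPLE_SIG = bytes([0x88, 20, 4, 0, 1, 8, 0, 0, 0, 10, 9, 16]) + bytes.fromhex("0123456789ABCDEF") + b"\0\0"

def dearmor(data):
    """Return (format, raw packets) for an armored or binary signature file."""
    if not data.lstrip().startswith(b"-----BEGIN PGP SIGNATURE-----"):
        return "binary", data
    lines = [ln.strip() for ln in data.decode("ascii").strip().splitlines()]
    body = lines[lines.index("") + 1:-1]           # drop armor headers and END line
    return "armored", base64.b64decode("".join(ln for ln in body if not ln.startswith("=")))

def read_len(buf, pos, two_octet_max):  # new-format/subpacket length -> (length, next_pos)
    b = buf[pos]
    if b < 192:
        return b, pos + 1
    if b <= two_octet_max:
        return ((b - 192) << 8) + buf[pos + 1] + 192, pos + 2
    raise ValueError("five-octet and partial lengths are not handled here")

def signature_body(raw):
    """Parse the first packet header (RFC 4880 section 4.2); return a v4 signature body."""
    h = raw[0]
    if (h & 0xC0) == 0xC0:                         # new-format header
        tag, (n, off) = h & 0x3F, read_len(raw, 1, 223)
    elif (h & 0x80) and (h & 3) != 3:              # old-format header, definite length
        tag, size = (h >> 2) & 0x0F, 1 << (h & 3)
        n, off = int.from_bytes(raw[1:1 + size], "big"), 1 + size
    else:
        raise ValueError("not a supported OpenPGP packet header")
    if tag != 2 or raw[off] != 4:
        raise ValueError("expected a v4 signature packet")
    return raw[off:off + n]

def issuer_key_id(sig_file):
    """Return (format, issuer key ID) for the bytes of a detached signature file."""
    fmt, raw = dearmor(sig_file)
    body, pos = signature_body(raw), 4             # skip version, type, pk algo, hash algo
    for _ in range(2):                             # hashed area, then unhashed area
        pos, end = pos + 2, pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        while pos < end:
            n, pos = read_len(body, pos, 254)
            if n == 0 or pos + n > end:
                raise ValueError("malformed subpacket")
            kind, data = body[pos] & 0x7F, body[pos + 1:pos + n]
            pos += n
            if (kind, n) == (16, 9) or (kind, n, data[:1]) == (33, 22, b"\x04"):
                return fmt, data[-8:].hex().upper()  # key ID = low 64 bits of a v4 fingerprint
    raise ValueError("no issuer subpacket found")
```

The issuer key ID is only a hint about which key to check against; it does not replace cryptographic verification of the signature with the published key.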