Enhancement: Manually specify path to *.asc file on disk for airgapped #6006

Open
cp-elastic opened this issue Nov 12, 2024 · 3 comments
Labels: enhancement (New feature or request), Team:Elastic-Agent-Control-Plane (Label for the Agent Control Plane team)

cp-elastic commented Nov 12, 2024

Describe the enhancement: Add an option to manually specify the path to *tar.gz.asc

Describe a specific use case for the enhancement or feature: Airgapped installations using external automation, such as Ansible.

What is the definition of done? Please add an ability to override the location of the .asc file, or check the --source-uri path if present.

Currently it is not possible to securely upgrade Elastic Agent in Airgapped installations due to the behavior of the *tar.gz.asc download. There is no documented option to specify it manually, and it doesn't appear to attempt to look in the --source-uri path, if specified.

This results in an insecure upgrade resulting from having to add the --skip-verify flag. Even manually setting the contents of *tar.gz.asc in the correct path does not seem to work, per the screenshot below.

Image

@pierrehilbert added the enhancement and Team:Elastic-Agent-Control-Plane labels on Nov 13, 2024
@elasticmachine
Contributor

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

@cp-elastic
Author

I wanted to add in reference to @cmacknz's comment here.
This is for Fleet managed Agents in an air-gapped environment. We're attempting to "upgrade in place" instead of doing an install with --force added, since that generates a new Agent UUID and orphans the old one.

@cmacknz
Member

cmacknz commented Nov 22, 2024

We should definitely be looking for the .asc and .sha512 files alongside the location of the .tar.gz or .zip with the new agent version in the --source-uri. If you are hosting your own artifacts server this should be happening automatically.

If we aren't finding the .asc file with a custom source URI, and the .asc is in the expected place in the directory we are fetching, then that is a bug. We'll try to reproduce this to confirm.
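
A preflight check for the layout described in the comment above, as an added example that is not part of this thread or of Elastic Agent's code: it confirms that every `.tar.gz` or `.zip` in a self-hosted artifact directory has its `.asc` and `.sha512` files next to it and that the recorded digest matches. The function names, status strings, sample file names and the `.sha512` line format are assumptions of this example; it checks only that the `.asc` exists, not that the signature is valid.

```shell
#!/usr/bin/env bash
# Added example (not Elastic's code). Preflight check for a self-hosted
# artifact directory: layout and digest only, no signature verification.
command -v sha512sum >/dev/null 2>&1 || sha512sum() { shasum -a 512 "$@"; }

# check_artifact_dir DIR: one status line per *.tar.gz / *.zip in DIR.
# Returns 0 only if every artifact has non-empty .asc and .sha512 sidecars
# and the recorded SHA-512 matches the file on disk.
check_artifact_dir() {
    local dir="$1"
    local fail=0 found=0 f base want got
    for f in "$dir"/*.tar.gz "$dir"/*.zip; do
        [ -f "$f" ] || continue          # unmatched glob stays literal
        found=1
        base=${f##*/}
        if [ ! -s "$f.asc" ]; then
            echo "MISSING_ASC $base"; fail=1; continue
        fi
        if [ ! -s "$f.sha512" ]; then
            echo "MISSING_SHA512 $base"; fail=1; continue
        fi
        # Assumed sidecar format: "<hex digest>  <file name>" (sha512sum style).
        want=$(awk 'NR==1 {print tolower($1)}' "$f.sha512")
        got=$(sha512sum "$f" | awk '{print $1}')
        if [ "$want" != "$got" ]; then
            echo "BAD_SHA512 $base"; fail=1; continue
        fi
        echo "OK $base"
    done
    if [ "$found" -eq 0 ]; then
        echo "NO_ARTIFACTS $dir"; fail=1
    fi
    return "$fail"
}

# Constructed sample data: artifact "a" is complete, "b" lacks its .asc.
# The .asc content is a placeholder, not a real signature.
make_sample_dir() {
    local d n
    d=$(mktemp -d)
    for n in sample-a-0.0.0.tar.gz sample-b-0.0.0.tar.gz; do
        printf 'constructed payload %s' "$n" > "$d/$n"
        (cd "$d" && sha512sum "$n" > "$n.sha512")
    done
    printf 'placeholder signature\n' > "$d/sample-a-0.0.0.tar.gz.asc"
    echo "$d"
}

# Usage: pass the local directory that backs the --source-uri location.
if [ "$#" -gt 0 ]; then check_artifact_dir "$1"; fi
```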
