Verifica della firma del pacchetto dell'agente CloudWatch - Amazon CloudWatch

Verifica della firma del pacchetto dell'agente CloudWatch

I file della firma GPG sono inclusi nei pacchetti dell'agente CloudWatch su server Linux. Puoi utilizzare una chiave pubblica per verificare che il file di download dell'agente sia originale e non modificato.

Per Windows Server, puoi utilizzare l'MSI per verificare la firma. Per i computer macOS, la firma è inclusa nel pacchetto di download dell'agente.

Per trovare il file della firma corretto, utilizza la tabella seguente. Per ogni architettura e sistema operativo vengono forniti un collegamento generale e collegamenti per ogni Regione.

Se utilizzi i link specifici della Regione, sostituisci la Regione predefinita (us-east-1) con la Regione appropriata per il tuo account. Ad esempio, per Amazon Linux 2023, Amazon Linux 2 e l'architettura x86-64, tre dei collegamenti validi sono:

  • https://amazoncloudwatch-agent.s3.amazonaws.com/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm.sig

  • https://amazoncloudwatch-agent-us-east-1.s3.us-east-1.amazonaws.com/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm

  • https://amazoncloudwatch-agent-eu-central-1.s3.eu-central-1.amazonaws.com/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm

Nota

Per scaricare l'agente CloudWatch, la connessione deve utilizzare la TLS 1.2 o una versione successiva.

Architettura Platform (Piattaforma) Collegamento per il download Collegamento al file di firma

x86-64

Amazon Linux 2023 e Amazon Linux 2

https://amazoncloudwatch-agent.s3.amazonaws.com/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm

https://amazoncloudwatch-agent-us-east-1.s3.us-east-1.amazonaws.com/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm

https://amazoncloudwatch-agent.s3.amazonaws.com/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm.sig

https://amazoncloudwatch-agent-us-east-1.s3.us-east-1.amazonaws.com/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm.sig

x86-64

Centos

https://amazoncloudwatch-agent.s3.amazonaws.com/centos/amd64/latest/amazon-cloudwatch-agent.rpm

https://amazoncloudwatch-agent-us-east-1.s3.us-east-1.amazonaws.com/centos/amd64/latest/amazon-cloudwatch-agent.rpm

https://amazoncloudwatch-agent.s3.amazonaws.com/centos/amd64/latest/amazon-cloudwatch-agent.rpm.sig

https://amazoncloudwatch-agent-us-east-1.s3.us-east-1.amazonaws.com/centos/amd64/latest/amazon-cloudwatch-agent.rpm.sig

x86-64

Redhat

https://amazoncloudwatch-agent.s3.amazonaws.com/redhat/amd64/latest/amazon-cloudwatch-agent.rpm

https://amazoncloudwatch-agent-us-east-1.s3.us-east-1.amazonaws.com/redhat/amd64/latest/amazon-cloudwatch-agent.rpm

https://amazoncloudwatch-agent.s3.amazonaws.com/redhat/amd64/latest/amazon-cloudwatch-agent.rpm.sig

https://amazoncloudwatch-agent-us-east-1.s3.us-east-1.amazonaws.com/redhat/amd64/latest/amazon-cloudwatch-agent.rpm.sig

x86-64

SUSE

https://amazoncloudwatch-agent.s3.amazonaws.com/suse/amd64/latest/amazon-cloudwatch-agent.rpm

https://amazoncloudwatch-agent-us-east-1.s3.us-east-1.amazonaws.com/suse/amd64/latest/amazon-cloudwatch-agent.rpm

https://amazoncloudwatch-agent.s3.amazonaws.com/suse/amd64/latest/amazon-cloudwatch-agent.rpm.sig

https://amazoncloudwatch-agent-us-east-1.s3.us-east-1.amazonaws.com/suse/amd64/latest/amazon-cloudwatch-agent.rpm.sig

x86-64

Debian

https://amazoncloudwatch-agent.s3.amazonaws.com/debian/amd64/latest/amazon-cloudwatch-agent.deb

https://amazoncloudwatch-agent-us-east-1.s3.us-east-1.amazonaws.com/debian/amd64/latest/amazon-cloudwatch-agent.deb

https://amazoncloudwatch-agent.s3.amazonaws.com/debian/amd64/latest/amazon-cloudwatch-agent.deb.sig

https://amazoncloudwatch-agent-us-east-1.s3.us-east-1.amazonaws.com/debian/amd64/latest/amazon-cloudwatch-agent.deb.sig

x86-64

Ubuntu

https://amazoncloudwatch-agent.s3.amazonaws.com/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb

https://amazoncloudwatch-agent-us-east-1.s3.us-east-1.amazonaws.com/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb

https://amazoncloudwatch-agent.s3.amazonaws.com/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb.sig

https://amazoncloudwatch-agent-us-east-1.s3.us-east-1.amazonaws.com/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb.sig

x86-64

Oracle

https://amazoncloudwatch-agent.s3.amazonaws.com/oracle_linux/amd64/latest/amazon-cloudwatch-agent.rpm

https://amazoncloudwatch-agent-us-east-1.s3.us-east-1.amazonaws.com/oracle_linux/amd64/latest/amazon-cloudwatch-agent.rpm

https://amazoncloudwatch-agent.s3.amazonaws.com/oracle_linux/amd64/latest/amazon-cloudwatch-agent.rpm.sig

https://amazoncloudwatch-agent-us-east-1.s3.us-east-1.amazonaws.com/oracle_linux/amd64/latest/amazon-cloudwatch-agent.rpm.sig

x86-64

macOS

https://amazoncloudwatch-agent.s3.amazonaws.com/darwin/amd64/latest/amazon-cloudwatch-agent.pkg

https://amazoncloudwatch-agent-us-east-1.s3.us-east-1.amazonaws.com/darwin/amd64/latest/amazon-cloudwatch-agent.pkg

https://amazoncloudwatch-agent.s3.amazonaws.com/darwin/amd64/latest/amazon-cloudwatch-agent.pkg.sig

https://amazoncloudwatch-agent-us-east-1.s3.us-east-1.amazonaws.com/darwin/amd64/latest/amazon-cloudwatch-agent.pkg.sig

x86-64

Windows

https://amazoncloudwatch-agent.s3.amazonaws.com/windows/amd64/latest/amazon-cloudwatch-agent.msi

https://amazoncloudwatch-agent-us-east-1.s3.us-east-1.amazonaws.com/windows/amd64/latest/amazon-cloudwatch-agent.msi

https://amazoncloudwatch-agent.s3.amazonaws.com/windows/amd64/latest/amazon-cloudwatch-agent.msi.sig

https://amazoncloudwatch-agent-us-east-1.s3.us-east-1.amazonaws.com/windows/amd64/latest/amazon-cloudwatch-agent.msi.sig

ARM64

Amazon Linux 2023 e Amazon Linux 2

https://amazoncloudwatch-agent.s3.amazonaws.com/amazon_linux/arm64/latest/amazon-cloudwatch-agent.rpm

https://amazoncloudwatch-agent-us-east-1.s3.us-east-1.amazonaws.com/amazon_linux/arm64/latest/amazon-cloudwatch-agent.rpm

https://amazoncloudwatch-agent.s3.amazonaws.com/amazon_linux/arm64/latest/amazon-cloudwatch-agent.rpm.sig

https://amazoncloudwatch-agent-us-east-1.s3.us-east-1.amazonaws.com/amazon_linux/arm64/latest/amazon-cloudwatch-agent.rpm.sig

ARM64

Redhat

https://amazoncloudwatch-agent.s3.amazonaws.com/redhat/arm64/latest/amazon-cloudwatch-agent.rpm

https://amazoncloudwatch-agent-us-east-1.s3.us-east-1.amazonaws.com/redhat/arm64/latest/amazon-cloudwatch-agent.rpm

https://amazoncloudwatch-agent.s3.amazonaws.com/redhat/arm64/latest/amazon-cloudwatch-agent.rpm.sig

https://amazoncloudwatch-agent-us-east-1.s3.us-east-1.amazonaws.com/redhat/arm64/latest/amazon-cloudwatch-agent.rpm.sig

ARM64

Ubuntu

https://amazoncloudwatch-agent.s3.amazonaws.com/ubuntu/arm64/latest/amazon-cloudwatch-agent.deb

https://amazoncloudwatch-agent-us-east-1.s3.us-east-1.amazonaws.com/ubuntu/arm64/latest/amazon-cloudwatch-agent.deb

https://amazoncloudwatch-agent.s3.amazonaws.com/ubuntu/arm64/latest/amazon-cloudwatch-agent.deb.sig

https://amazoncloudwatch-agent-us-east-1.s3.us-east-1.amazonaws.com/ubuntu/arm64/latest/amazon-cloudwatch-agent.deb.sig

ARM64

Debian

https://amazoncloudwatch-agent.s3.amazonaws.com/debian/arm64/latest/amazon-cloudwatch-agent.deb

https://amazoncloudwatch-agent-us-east-1.s3.us-east-1.amazonaws.com/debian/arm64/latest/amazon-cloudwatch-agent.deb

https://amazoncloudwatch-agent.s3.amazonaws.com/debian/arm64/latest/amazon-cloudwatch-agent.deb.sig

https://amazoncloudwatch-agent-us-east-1.s3.us-east-1.amazonaws.com/debian/arm64/latest/amazon-cloudwatch-agent.deb.sig

ARM64

SUSE

https://amazoncloudwatch-agent.s3.amazonaws.com/suse/arm64/latest/amazon-cloudwatch-agent.rpm

https://amazoncloudwatch-agent-us-east-1.s3.us-east-1.amazonaws.com/suse/arm64/latest/amazon-cloudwatch-agent.rpm

https://amazoncloudwatch-agent.s3.amazonaws.com/suse/arm64/latest/amazon-cloudwatch-agent.rpm.sig

https://amazoncloudwatch-agent-us-east-1.s3.us-east-1.amazonaws.com/suse/arm64/latest/amazon-cloudwatch-agent.rpm.sig
Per verificare il pacchetto dell'agente CloudWatch in un server Linux

  1. Scarica la chiave pubblica.

    shell$ wget https://amazoncloudwatch-agent.s3.amazonaws.com/assets/amazon-cloudwatch-agent.gpg

  2. Importa la chiave pubblica nel tuo keyring.

    shell$  gpg --import amazon-cloudwatch-agent.gpg
gpg: key 3B789C72: public key "Amazon CloudWatch Agent" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)

    Prendi nota del valore della chiave poiché sarà necessario nella fase successiva. Nell'esempio precedente, il valore della chiave è 3B789C72.

  3. Verifica l'impronta eseguendo il comando seguente, sostituendo key-value con il valore annotato nella fase precedente:

    shell$  gpg --fingerprint key-value
pub   2048R/3B789C72 2017-11-14
      Key fingerprint = 9376 16F3 450B 7D80 6CBD  9725 D581 6730 3B78 9C72
uid                  Amazon CloudWatch Agent

    La stringa dell'impronta deve essere uguale alla seguente:

    9376 16F3 450B 7D80 6CBD 9725 D581 6730 3B78 9C72

    Se la stringa dell'impronta non corrisponde, non installare l'agente. Contatta Amazon Web Services.

    Dopo aver verificato l'impronta, puoi utilizzarla per verificare la firma del pacchetto dell'agente CloudWatch.

  4. Scarica il file della firma del pacchetto utilizzando wget. Per determinare il file della firma corretto, consulta la tabella precedente.

    wget Signature File Link

  5. Per verificare la firma, esegui gpg --verify.

    shell$ gpg --verify signature-filename agent-download-filename
gpg: Signature made Wed 29 Nov 2017 03:00:59 PM PST using RSA key ID 3B789C72
gpg: Good signature from "Amazon CloudWatch Agent"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9376 16F3 450B 7D80 6CBD  9725 D581 6730 3B78 9C72

    Se l'output include la frase BAD signature, controllare di avere eseguito la procedura correttamente. Se continui a ottenere questa risposta, contatta Amazon Web Services ed evita di utilizzare il file scaricato.

    Prendi nota dell'avviso sulla trust. Una chiave è considerata attendibile solo se è stata firmata dall'utente o da un firmatario fidato. Questo non significa che la firma non sia valida, ma soltanto che la chiave pubblica non è stata verificata.

Per verificare il pacchetto dell'agente CloudWatch in un server che esegue Windows Server

  1. Scarica e installa GnuPG per Windows da https://gnupg.org/download/. Durante l'installazione, includi l'opzione Shell Extension (GpgEx) (Estensione Shell (GpgEx)).

    È possibile eseguire le fasi rimanenti in Windows PowerShell.

  2. Scarica la chiave pubblica.

    PS> wget https://amazoncloudwatch-agent.s3.amazonaws.com/assets/amazon-cloudwatch-agent.gpg -OutFile amazon-cloudwatch-agent.gpg

  3. Importa la chiave pubblica nel tuo keyring.

    PS>  gpg --import amazon-cloudwatch-agent.gpg
gpg: key 3B789C72: public key "Amazon CloudWatch Agent" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)

    Prendere nota del valore della chiave poiché sarà necessario nella fase successiva. Nell'esempio precedente, il valore della chiave è 3B789C72.

  4. Verifica l'impronta eseguendo il comando seguente, sostituendo key-value con il valore annotato nella fase precedente:

    PS>  gpg --fingerprint key-value
pub   rsa2048 2017-11-14 [SC]
      9376 16F3 450B 7D80 6CBD  9725 D581 6730 3B78 9C72
uid           [ unknown] Amazon CloudWatch Agent

    La stringa dell'impronta deve essere uguale alla seguente:

    9376 16F3 450B 7D80 6CBD 9725 D581 6730 3B78 9C72

    Se la stringa dell'impronta non corrisponde, non installare l'agente. Contatta Amazon Web Services.

    Dopo aver verificato l'impronta, puoi utilizzarla per verificare la firma del pacchetto dell'agente CloudWatch.

  5. Scarica il file della firma del pacchetto tramite wget. Per stabilire il file signature corretto, consulta Collegamenti di download per l'agente CloudWatch.

  6. Per verificare la firma, esegui gpg --verify.

    PS> gpg --verify sig-filename agent-download-filename
gpg: Signature made 11/29/17 23:00:45 Coordinated Universal Time
gpg:                using RSA key D58167303B789C72
gpg: Good signature from "Amazon CloudWatch Agent" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9376 16F3 450B 7D80 6CBD  9725 D581 6730 3B78 9C72

    Se l'output include la frase BAD signature, controllare di avere eseguito la procedura correttamente. Se continui a ottenere questa risposta, contatta Amazon Web Services ed evita di utilizzare il file scaricato.

    Prendi nota dell'avviso sulla trust. Una chiave è considerata attendibile solo se è stata firmata dall'utente o da un firmatario fidato. Questo non significa che la firma non sia valida, ma soltanto che la chiave pubblica non è stata verificata.

Per verificare il pacchetto dell'agente CloudWatch in un computer macOS

  • Sono disponibili due metodi per la verifica della firma in macOS.

    • Verifica l'impronta digitale eseguendo il seguente comando:

      pkgutil --check-signature amazon-cloudwatch-agent.pkg

      Viene visualizzato un risultato simile a quello seguente.

      Package "amazon-cloudwatch-agent.pkg":
        Status: signed by a developer certificate issued by Apple for distribution
        Signed with a trusted timestamp on: 2020-10-02 18:13:24 +0000
        Certificate Chain:
        1. Developer ID Installer: AMZN Mobile LLC (94KV3E626L)
        Expires: 2024-10-18 22:31:30 +0000
        SHA256 Fingerprint:
        81 B4 6F AF 1C CA E1 E8 3C 6F FB 9E 52 5E 84 02 6E 7F 17 21 8E FB
        0C 40 79 13 66 8D 9F 1F 10 1C
        ------------------------------------------------------------------------
        2. Developer ID Certification Authority
        Expires: 2027-02-01 22:12:15 +0000
        SHA256 Fingerprint:
        7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03
        F2 9C 88 CF B0 B1 BA 63 58 7F
        ------------------------------------------------------------------------
        3. Apple Root CA
        Expires: 2035-02-09 21:40:36 +0000
        SHA256 Fingerprint:
        B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C
        68 C5 BE 91 B5 A1 10 01 F0 24

    • In alternativa, scarica e usa il file .sig. Per utilizzare questo metodo, procedi come segue.

      1. Installa l'applicazione GPG sull'host macOS inserendo il seguente comando.

        brew install GnuPG

    • Scarica il file della firma del pacchetto utilizzando curl. Per stabilire il file signature corretto, consulta Collegamenti di download per l'agente CloudWatch.

    • Per verificare la firma, esegui gpg --verify.

      PS> gpg --verify sig-filename agent-download-filename
gpg: Signature made 11/29/17 23:00:45 Coordinated Universal Time
gpg:                using RSA key D58167303B789C72
gpg: Good signature from "Amazon CloudWatch Agent" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9376 16F3 450B 7D80 6CBD  9725 D581 6730 3B78 9C72

      Se l'output include la frase BAD signature, controllare di avere eseguito la procedura correttamente. Se continui a ottenere questa risposta, contatta Amazon Web Services ed evita di utilizzare il file scaricato.

      Prendi nota dell'avviso sulla trust. Una chiave è considerata attendibile solo se è stata firmata dall'utente o da un firmatario fidato. Questo non significa che la firma non sia valida, ma soltanto che la chiave pubblica non è stata verificata.