本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。 # 驗證 CloudWatch 代理程式套件的簽章 GPG 簽章檔案已包含在 Linux 伺服器的 CloudWatch 代理程式套件中。您可以使用公開金鑰來驗證代理程式下載檔案是否為原版且未經修改。 針對 Windows Server,您可以使用 MSI 來驗證簽章。對於 macOS 電腦,簽章會包含在代理程式下載套件中。 若要尋找正確的簽章檔案,請參閱下表。針對每個架構和作業系統,您可以看到一般連結和各區域的連結。 如果您使用區域特定連結,請將預設區域 (*us-east-1*) 替換為對您的帳戶而言適當的區域。例如,以 Amazon Linux 2023、Amazon Linux 2 和 x86-64 架構而言,三個有效的連結為: + `https://amazoncloudwatch-agent.s3.amazonaws.com/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm.sig` + `https://amazoncloudwatch-agent-us-east-1.s3.us-east-1.amazonaws.com/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm` + `https://amazoncloudwatch-agent-eu-central-1.s3.eu-central-1.amazonaws.com/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm` **注意** 若要下載 CloudWatch 代理程式,您的連線必須使用 TLS 1.2 或更新版本。 | Architecture | 平台 | 下載連結 | 簽章檔案連結 | | --- | --- | --- | --- | | x86-64 | Amazon Linux 2023 和 Amazon Linux 2 | https://amazoncloudwatch-agent.s3.amazonaws.com/amazon\$1linux/amd64/latest/amazon-cloudwatch-agent.rpm https://amazoncloudwatch-agent-*us-east-1*.s3.*us-east-1*.amazonaws.com/amazon\$1linux/amd64/latest/amazon-cloudwatch-agent.rpm | https://amazoncloudwatch-agent.s3.amazonaws.com/amazon\$1linux/amd64/latest/amazon-cloudwatch-agent.rpm.sig https://amazoncloudwatch-agent-*us-east-1*.s3.*us-east-1*.amazonaws.com/amazon\$1linux/amd64/latest/amazon-cloudwatch-agent.rpm.sig | | x86-64 | Centos | https://amazoncloudwatch-agent.s3.amazonaws.com/centos/amd64/latest/amazon-cloudwatch-agent.rpm https://amazoncloudwatch-agent-*us-east-1*.s3.*us-east-1*.amazonaws.com/centos/amd64/latest/amazon-cloudwatch-agent.rpm | https://amazoncloudwatch-agent.s3.amazonaws.com/centos/amd64/latest/amazon-cloudwatch-agent.rpm.sig https://amazoncloudwatch-agent-*us-east-1*.s3.*us-east-1*.amazonaws.com/centos/amd64/latest/amazon-cloudwatch-agent.rpm.sig | | x86-64 | Redhat | https://amazoncloudwatch-agent.s3.amazonaws.com/redhat/amd64/latest/amazon-cloudwatch-agent.rpm https://amazoncloudwatch-agent-*us-east-1*.s3.*us-east-1*.amazonaws.com/redhat/amd64/latest/amazon-cloudwatch-agent.rpm | https://amazoncloudwatch-agent.s3.amazonaws.com/redhat/amd64/latest/amazon-cloudwatch-agent.rpm.sig https://amazoncloudwatch-agent-*us-east-1*.s3.*us-east-1*.amazonaws.com/redhat/amd64/latest/amazon-cloudwatch-agent.rpm.sig | | x86-64 | SUSE | https://amazoncloudwatch-agent.s3.amazonaws.com/suse/amd64/latest/amazon-cloudwatch-agent.rpm https://amazoncloudwatch-agent-*us-east-1*.s3.*us-east-1*.amazonaws.com/suse/amd64/latest/amazon-cloudwatch-agent.rpm | https://amazoncloudwatch-agent.s3.amazonaws.com/suse/amd64/latest/amazon-cloudwatch-agent.rpm.sig https://amazoncloudwatch-agent-*us-east-1*.s3.*us-east-1*.amazonaws.com/suse/amd64/latest/amazon-cloudwatch-agent.rpm.sig | | x86-64 | Debian | https://amazoncloudwatch-agent.s3.amazonaws.com/debian/amd64/latest/amazon-cloudwatch-agent.deb https://amazoncloudwatch-agent-*us-east-1*.s3.*us-east-1*.amazonaws.com/debian/amd64/latest/amazon-cloudwatch-agent.deb | https://amazoncloudwatch-agent.s3.amazonaws.com/debian/amd64/latest/amazon-cloudwatch-agent.deb.sig https://amazoncloudwatch-agent-*us-east-1*.s3.*us-east-1*.amazonaws.com/debian/amd64/latest/amazon-cloudwatch-agent.deb.sig | | x86-64 | Ubuntu | https://amazoncloudwatch-agent.s3.amazonaws.com/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb https://amazoncloudwatch-agent-*us-east-1*.s3.*us-east-1*.amazonaws.com/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb | https://amazoncloudwatch-agent.s3.amazonaws.com/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb.sig https://amazoncloudwatch-agent-*us-east-1*.s3.*us-east-1*.amazonaws.com/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb.sig | | x86-64 | Oracle | https://amazoncloudwatch-agent.s3.amazonaws.com/oracle\$1linux/amd64/latest/amazon-cloudwatch-agent.rpm https://amazoncloudwatch-agent-*us-east-1*.s3.*us-east-1*.amazonaws.com/oracle\$1linux/amd64/latest/amazon-cloudwatch-agent.rpm | https://amazoncloudwatch-agent.s3.amazonaws.com/oracle\$1linux/amd64/latest/amazon-cloudwatch-agent.rpm.sig https://amazoncloudwatch-agent-*us-east-1*.s3.*us-east-1*.amazonaws.com/oracle\$1linux/amd64/latest/amazon-cloudwatch-agent.rpm.sig | | x86-64 | macOS | https://amazoncloudwatch-agent.s3.amazonaws.com/darwin/amd64/latest/amazon-cloudwatch-agent.pkg https://amazoncloudwatch-agent-*us-east-1*.s3.*us-east-1*.amazonaws.com/darwin/amd64/latest/amazon-cloudwatch-agent.pkg | https://amazoncloudwatch-agent.s3.amazonaws.com/darwin/amd64/latest/amazon-cloudwatch-agent.pkg.sig https://amazoncloudwatch-agent-*us-east-1*.s3.*us-east-1*.amazonaws.com/darwin/amd64/latest/amazon-cloudwatch-agent.pkg.sig | | x86-64 | Windows | https://amazoncloudwatch-agent.s3.amazonaws.com/windows/amd64/latest/amazon-cloudwatch-agent.msi https://amazoncloudwatch-agent-*us-east-1*.s3.*us-east-1*.amazonaws.com/windows/amd64/latest/amazon-cloudwatch-agent.msi | https://amazoncloudwatch-agent.s3.amazonaws.com/windows/amd64/latest/amazon-cloudwatch-agent.msi.sig https://amazoncloudwatch-agent-*us-east-1*.s3.*us-east-1*.amazonaws.com/windows/amd64/latest/amazon-cloudwatch-agent.msi.sig | | ARM64 | Amazon Linux 2023 和 Amazon Linux 2 | https://amazoncloudwatch-agent.s3.amazonaws.com/amazon\$1linux/arm64/latest/amazon-cloudwatch-agent.rpm https://amazoncloudwatch-agent-*us-east-1*.s3.*us-east-1*.amazonaws.com/amazon\$1linux/arm64/latest/amazon-cloudwatch-agent.rpm | https://amazoncloudwatch-agent.s3.amazonaws.com/amazon\$1linux/arm64/latest/amazon-cloudwatch-agent.rpm.sig https://amazoncloudwatch-agent-*us-east-1*.s3.*us-east-1*.amazonaws.com/amazon\$1linux/arm64/latest/amazon-cloudwatch-agent.rpm.sig | | ARM64 | Redhat | https://amazoncloudwatch-agent.s3.amazonaws.com/redhat/arm64/latest/amazon-cloudwatch-agent.rpm https://amazoncloudwatch-agent-*us-east-1*.s3.*us-east-1*.amazonaws.com/redhat/arm64/latest/amazon-cloudwatch-agent.rpm | https://amazoncloudwatch-agent.s3.amazonaws.com/redhat/arm64/latest/amazon-cloudwatch-agent.rpm.sig https://amazoncloudwatch-agent-*us-east-1*.s3.*us-east-1*.amazonaws.com/redhat/arm64/latest/amazon-cloudwatch-agent.rpm.sig | | ARM64 | Ubuntu | https://amazoncloudwatch-agent.s3.amazonaws.com/ubuntu/arm64/latest/amazon-cloudwatch-agent.deb https://amazoncloudwatch-agent-*us-east-1*.s3.*us-east-1*.amazonaws.com/ubuntu/arm64/latest/amazon-cloudwatch-agent.deb | https://amazoncloudwatch-agent.s3.amazonaws.com/ubuntu/arm64/latest/amazon-cloudwatch-agent.deb.sig https://amazoncloudwatch-agent-*us-east-1*.s3.*us-east-1*.amazonaws.com/ubuntu/arm64/latest/amazon-cloudwatch-agent.deb.sig | | ARM64 | Debian | https://amazoncloudwatch-agent.s3.amazonaws.com/debian/arm64/latest/amazon-cloudwatch-agent.deb https://amazoncloudwatch-agent-*us-east-1*.s3.*us-east-1*.amazonaws.com/debian/arm64/latest/amazon-cloudwatch-agent.deb | https://amazoncloudwatch-agent.s3.amazonaws.com/debian/arm64/latest/amazon-cloudwatch-agent.deb.sig https://amazoncloudwatch-agent-*us-east-1*.s3.*us-east-1*.amazonaws.com/debian/arm64/latest/amazon-cloudwatch-agent.deb.sig | | ARM64 | SUSE | https://amazoncloudwatch-agent.s3.amazonaws.com/suse/arm64/latest/amazon-cloudwatch-agent.rpm https://amazoncloudwatch-agent-*us-east-1*.s3.*us-east-1*.amazonaws.com/suse/arm64/latest/amazon-cloudwatch-agent.rpm | https://amazoncloudwatch-agent.s3.amazonaws.com/suse/arm64/latest/amazon-cloudwatch-agent.rpm.sig https://amazoncloudwatch-agent-*us-east-1*.s3.*us-east-1*.amazonaws.com/suse/arm64/latest/amazon-cloudwatch-agent.rpm.sig | **若要在 Linux 伺服器上驗證 CloudWatch 代理程式套件** 1. 下載公開金鑰。 ``` shell$ wget https://amazoncloudwatch-agent.s3.amazonaws.com/assets/amazon-cloudwatch-agent.gpg ``` 1. 將公開金鑰匯入至您的 keyring。 ``` shell$ gpg --import amazon-cloudwatch-agent.gpg gpg: key 3B789C72: public key "Amazon CloudWatch Agent" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) ``` 請記下金鑰值,在後續步驟您將會用到它。在前面的範例中,金鑰值為 `3B789C72`。 1. 執行以下命令以驗證指紋,請以三個步驟的值取代 *key-value*: ``` shell$ gpg --fingerprint key-value pub 2048R/3B789C72 2017-11-14 Key fingerprint = 9376 16F3 450B 7D80 6CBD 9725 D581 6730 3B78 9C72 uid Amazon CloudWatch Agent ``` 指紋字串應等於: `9376 16F3 450B 7D80 6CBD 9725 D581 6730 3B78 9C72` 若指紋字串不相符,請勿安裝代理程式。請聯絡 Amazon Web Services。 在您驗證指紋之後,即可使用它來驗證 CloudWatch 代理程式套件的簽章。 1. 使用 **wget** 下載套件簽章檔案。若要決定正確的簽章檔案,請參閱上表。 ``` wget Signature File Link ``` 1. 若要驗證簽章,請執行 **gpg --verify**。 ``` shell$ gpg --verify signature-filename agent-download-filename gpg: Signature made Wed 29 Nov 2017 03:00:59 PM PST using RSA key ID 3B789C72 gpg: Good signature from "Amazon CloudWatch Agent" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 9376 16F3 450B 7D80 6CBD 9725 D581 6730 3B78 9C72 ``` 如果輸出包含 `BAD signature` 片語,請檢查您是否已正確執行程序。如果您持續收到此回應,請聯絡 Amazon Web Services,並避免使用已下載的檔案。 請注意有關信任的警告。只有您或您信任者所簽章的金鑰才能信任。這不表示該簽章是無效的,只是您尚未驗證該公有金鑰。 **在執行 Windows Server 的伺服器上驗證 CloudWatch 代理程式套件** 1. 從 [https://gnupg.org/download/](https://gnupg.org/download/) 下載並安裝適用於 Windows 的 GnuPG。安裝時,請包含 **Shell Extension (GpgEx) (Shell 延伸 (GpgEx))** 選項。 您可以在 Windows PowerShell 中執行其餘步驟。 1. 下載公開金鑰。 ``` PS> wget https://amazoncloudwatch-agent.s3.amazonaws.com/assets/amazon-cloudwatch-agent.gpg -OutFile amazon-cloudwatch-agent.gpg ``` 1. 將公開金鑰匯入至您的 keyring。 ``` PS> gpg --import amazon-cloudwatch-agent.gpg gpg: key 3B789C72: public key "Amazon CloudWatch Agent" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) ``` 請記下金鑰的值,因為您的下一個步驟將需要它。在前面的範例中,金鑰值為 `3B789C72`。 1. 執行以下命令以驗證指紋,請以三個步驟的值取代 *key-value*: ``` PS> gpg --fingerprint key-value pub rsa2048 2017-11-14 [SC] 9376 16F3 450B 7D80 6CBD 9725 D581 6730 3B78 9C72 uid [ unknown] Amazon CloudWatch Agent ``` 指紋字串應等於: `9376 16F3 450B 7D80 6CBD 9725 D581 6730 3B78 9C72` 若指紋字串不相符,請勿安裝代理程式。請聯絡 Amazon Web Services。 在您驗證指紋之後,即可使用它來驗證 CloudWatch 代理程式套件的簽章。 1. 使用 wget 下載套件簽章檔案。若要判斷正確的簽章檔案,請參閱 [CloudWatch 代理程式下載連結](download-CloudWatch-Agent-on-EC2-Instance-commandline-first.md#agent-download-link-table)。 1. 若要驗證簽章,請執行 **gpg --verify**。 ``` PS> gpg --verify sig-filename agent-download-filename gpg: Signature made 11/29/17 23:00:45 Coordinated Universal Time gpg: using RSA key D58167303B789C72 gpg: Good signature from "Amazon CloudWatch Agent" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 9376 16F3 450B 7D80 6CBD 9725 D581 6730 3B78 9C72 ``` 如果輸出包含 `BAD signature` 片語,請檢查您是否已正確執行程序。如果您持續收到此回應,請聯絡 Amazon Web Services,並避免使用已下載的檔案。 請注意有關信任的警告。只有您或您信任者所簽章的金鑰才能信任。這不表示該簽章是無效的,只是您尚未驗證該公有金鑰。 **若要在 macOS 電腦上驗證 CloudWatch 代理程式套件** + 有兩種方法可在 macOS 上進行簽章驗證。 + 執行下列命令,驗證指紋: ``` pkgutil --check-signature amazon-cloudwatch-agent.pkg ``` 您應該會看到類似以下的結果。 ``` Package "amazon-cloudwatch-agent.pkg": Status: signed by a developer certificate issued by Apple for distribution Signed with a trusted timestamp on: 2020-10-02 18:13:24 +0000 Certificate Chain: 1. Developer ID Installer: AMZN Mobile LLC (94KV3E626L) Expires: 2024-10-18 22:31:30 +0000 SHA256 Fingerprint: 81 B4 6F AF 1C CA E1 E8 3C 6F FB 9E 52 5E 84 02 6E 7F 17 21 8E FB 0C 40 79 13 66 8D 9F 1F 10 1C ------------------------------------------------------------------------ 2. Developer ID Certification Authority Expires: 2027-02-01 22:12:15 +0000 SHA256 Fingerprint: 7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03 F2 9C 88 CF B0 B1 BA 63 58 7F ------------------------------------------------------------------------ 3. Apple Root CA Expires: 2035-02-09 21:40:36 +0000 SHA256 Fingerprint: B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C 68 C5 BE 91 B5 A1 10 01 F0 24 ``` + 或者,下載並使用 .sig 檔案。若要使用這個方法,請依照以下步驟。 1. 輸入以下命令來將 GPG 應用程式安裝到您的 macOS 主機。 ``` brew install GnuPG ``` + 使用 curl 下載套件簽章檔案。若要判斷正確的簽章檔案,請參閱 [CloudWatch 代理程式下載連結](download-CloudWatch-Agent-on-EC2-Instance-commandline-first.md#agent-download-link-table)。 + 若要驗證簽章,請執行 **gpg --verify**。 ``` PS> gpg --verify sig-filename agent-download-filename gpg: Signature made 11/29/17 23:00:45 Coordinated Universal Time gpg: using RSA key D58167303B789C72 gpg: Good signature from "Amazon CloudWatch Agent" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 9376 16F3 450B 7D80 6CBD 9725 D581 6730 3B78 9C72 ``` 如果輸出包含 `BAD signature` 片語,請檢查您是否已正確執行程序。如果您持續收到此回應,請聯絡 Amazon Web Services,並避免使用已下載的檔案。 請注意有關信任的警告。只有您或您信任者所簽章的金鑰才能信任。這不表示該簽章是無效的,只是您尚未驗證該公有金鑰。