Verifying the signature of
SSM Agent
The AWS Systems Manager Agent (SSM Agent) deb and rpm installer packages for Linux
instances are cryptographically signed. You can use a public key to verify that
the agent package is original and unmodified. If there is any damage or
alteration to the files, the verification fails. You can verify the signature of
the installer package using either RPM or GPG. The following information is for
SSM Agent versions 3.1.1141.0 or later.
The public key shown later in this topic expires on 2025-02-17 (February
17, 2025). Systems Manager will publish a new public key in this topic before the old
one expires. We encourage you to subscribe to the RSS feed for this topic to
get a notification when the new key is available.
To find the correct signature file for your instance's architecture and
operating system, see the following table.
region
represents the identifier for an AWS Region
supported by AWS Systems Manager, such as us-east-2
for the US East (Ohio) Region. For a list of
supported region
values, see the Region column in Systems Manager service endpoints in the
Amazon Web Services General Reference.
Architecture |
Operating system |
Signature file URL |
Agent download file name |
x86_64 |
AlmaLinux, Amazon Linux 1, Amazon Linux 2, Amazon Linux 2023, CentOS, CentOS
Stream, RHEL, Oracle Linux, Rocky Linux, SLES
|
https://s3.region .amazonaws.com/amazon-ssm-region /latest/linux_amd64/amazon-ssm-agent.rpm.sig
https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm.sig
|
amazon-ssm-agent.rpm
|
x86_64 |
Debian Server, Ubuntu Server
|
https://s3.region .amazonaws.com/amazon-ssm-region /latest/debian_amd64/amazon-ssm-agent.deb.sig
https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb.sig
|
amazon-ssm-agent.deb |
x86 |
Amazon Linux 1, Amazon Linux 2, Amazon Linux 2023, CentOS, RHEL
|
https://s3.region .amazonaws.com/amazon-ssm-region /latest/linux_386/amazon-ssm-agent.rpm.sig
https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_386/amazon-ssm-agent.rpm.sig
|
amazon-ssm-agent.rpm
|
x86 |
Ubuntu Server
|
https://s3.region .amazonaws.com/amazon-ssm-region /latest/debian_386/amazon-ssm-agent.deb.sig
https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_386/amazon-ssm-agent.deb.sig
|
amazon-ssm-agent.deb
|
ARM64 |
Amazon Linux 1, Amazon Linux 2, Amazon Linux 2023, CentOS, RHEL
|
https://s3.region .amazonaws.com/amazon-ssm-region /latest/linux_arm64/amazon-ssm-agent.rpm.sig
https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_arm64/amazon-ssm-agent.rpm.sig
|
amazon-ssm-agent.rpm |
Before you begin
Before verifying the signature of SSM Agent, you must download the
appropriate agent package for your operating system. For example,
https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_arm64/amazon-ssm-agent.rpm
.
For more information about downloading SSM Agent packages, see Manually installing and
uninstalling SSM Agent on EC2 instances for Linux.
- GPG
-
To verify the SSM Agent package on a Linux server
-
Copy the following public key, and save it to a file named
amazon-ssm-agent.gpg
.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)
mQENBGTtIoIBCAD2M1aoGIE0FXynAHM/jtuvdAVVaX3Q4ZejTqrX+Jq8ElAMhxyO
GzHu2CDtCYxtVxXK3unptLVt2kGgJwNbhYC393jDeZx5dCda4Nk2YXX1UK3P461i
axuuXRzMYvfM4RZn+7bJTu635tA07q9Xm6MGD4TCTvsjBfViOxbrxOg5ozWbJdSw
fSR8MwUrRfmFpAefRlYfCEuZ8FHywa9U6jLeWt2O/kqrZliJOAGjGzXtB7EZkqKb
faCCxikjjvhF1awdEqSK4DQorC/OvQc4I5kP5y2CJbtXvXO73QH2yE75JMDIIx9x
rOsIRUoSfK3UrWaOVuAnEEn5ueKzZNqGG1J1ABEBAAG0J1NTTSBBZ2VudCA8c3Nt
LWFnZW50LXNpZ25lckBhbWF6b24uY29tPokBPwQTAQIAKQUCZO0iggIbLwUJAsaY
gAcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJELwfSVyX3QTt+icH/A//tJsW
I+7Ay8FGJh8dJPNy++HIBjVSFdGNJFWNbw1Z8uZcazHEcUCH3FhW4CLQLTZ3OVPz
qvFwzDtRDVIN/Y9EGDhLMFvimrE+/z4olWsJ5DANf6BnX8I5UNIcRt5d8SWH1BEJ
2FWIBZFgKyTDI6XzRC5x4ahtgpOVAGeeKDehs+wh6Ga4W0/K4GsviP1Kyr+Ic2br
NAIq0q0IHyN1q9zam3Y0+jKwEuNmTj+Bjyzshyv/X8S0JWWoXJhkexkOvWeBYNNt
5wI4QcSteyfIzp6KlQF8q11Hzz9D9WaPfcBEYyhq7vLEARobkbQMBzpkmaZua241
0RaWG50HRvrgm4aJAhwEEAECAAYFAmTtIoMACgkQfdCXo9rX9fwwqBAAzkTgYJ38
sWgxpn7Ux/81F2BWR1sVkmP79i++fXyJlKI8xtcJFQZhzeUos69KBUCy7mgx5bYU
P7NA5o9DUbwz/QS0i1Cqm4+jtFlX0MXe4FikXcqfDPnnzN8mVB2H+fa43iHR1PuH
GgUWuNdxzSoIYRmLZXWmeN5YXPcmixlhLzcE2TOQn1mOKcu2fKdLtBQ8KiEkmjiu
naoLxnUcyk1zMhaha+LzEkQdOyasix0ggylN2ViWVnlmfy0niuXDxW0qZWPdLStF
OODiX3iqGmkH3rDfy6nvxxBR4GIs+MGD72fpWzzrINDgkGI2i2t1+0AX/mps3aTy
+ftlgrim8stYWB58XXDAb0vad06sNye5/zDzfr0I9HupJrTzFhaYJQjWPaSlINto
LDJnBXohiUIPRYRcy/k012oFHDWZHT3H6CyjK9UD5UlxA9H7dsJurANs6FOVRe+7
34uJyxDZ/W7zLG4AVG0zxibrUSoaJxwcOjVPVsQAlrwG/GTs7tcAccsJqbJ1Py/w
9AgJl8VU2qc8POsHNXk348gjP7C8PDnGMpZFzr9f5INctRushpiv7onX+aWJVX7T
n2uX/TP3LCyH/MsrNJrJOQnMYFRLQitciP0E+F+eA3v9CY6mDuyb8JSx5HuGGUsG
S4bKBOcA8vimEpwPoT8CE7fdsZ3Qkwdu+pw=
=zr5w
-----END PGP PUBLIC KEY BLOCK-----
-
Import the public key into your keyring, and note the
returned key value.
gpg --import amazon-ssm-agent.gpg
-
Verify the fingerprint. Be sure to replace
key-value
with the value from
the preceding step. We recommend that you use GPG to verify
the fingerprint even if you use RPM to verify the installer
package.
gpg --fingerprint key-value
This command returns output similar to the
following.
pub 2048R/97DD04ED 2023-08-28 [expires: 2025-02-17]
Key fingerprint = DE92 C7DA 3E56 E923 31D6 2A36 BC1F 495C 97DD 04ED
uid SSM Agent <ssm-agent-signer@amazon.com>
The fingerprint should match the following.
DE92 C7DA 3E56 E923 31D6 2A36 BC1F 495C 97DD
04ED
If the fingerprint doesn't match, don't install the agent.
Contact AWS Support.
-
Download the signature file according to your instance's
architecture and operating system if you haven't already
done so.
-
Verify the installer package signature. Be sure to replace
the signature-filename
and
agent-download-filename
with
the values you specified when downloading the signature file
and agent, as listed in the table earlier in this
topic.
gpg --verify signature-filename
agent-download-filename
For example, for the x86_64 architecture on
Amazon Linux 2:
gpg --verify amazon-ssm-agent.rpm.sig amazon-ssm-agent.rpm
This command returns output similar to the
following.
gpg: Signature made Thu 31 Aug 2023 07:46:49 PM UTC using RSA key ID 97DD04ED
gpg: Good signature from "SSM Agent <ssm-agent-signer@amazon.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DE92 C7DA 3E56 E923 31D6 2A36 BC1F 495C 97DD 04ED
If the output includes the phrase BAD
signature
, check whether you performed the
procedure correctly. If you continue to get this response,
contact AWS Support and don't install the agent. The warning
message about the trust doesn't mean that the signature
isn't valid, only that you haven't verified the public key.
A key is trusted only if you or someone who you trust has
signed it. If the output includes the phrase Can't
check signature: No public key
, verify you
downloaded SSM Agent version 3.1.1141.0 or later.
- RPM
-
To verify the SSM Agent package on a Linux server
-
Copy the following public key, and save it to a file named
amazon-ssm-agent.gpg
.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)
mQENBGTtIoIBCAD2M1aoGIE0FXynAHM/jtuvdAVVaX3Q4ZejTqrX+Jq8ElAMhxyO
GzHu2CDtCYxtVxXK3unptLVt2kGgJwNbhYC393jDeZx5dCda4Nk2YXX1UK3P461i
axuuXRzMYvfM4RZn+7bJTu635tA07q9Xm6MGD4TCTvsjBfViOxbrxOg5ozWbJdSw
fSR8MwUrRfmFpAefRlYfCEuZ8FHywa9U6jLeWt2O/kqrZliJOAGjGzXtB7EZkqKb
faCCxikjjvhF1awdEqSK4DQorC/OvQc4I5kP5y2CJbtXvXO73QH2yE75JMDIIx9x
rOsIRUoSfK3UrWaOVuAnEEn5ueKzZNqGG1J1ABEBAAG0J1NTTSBBZ2VudCA8c3Nt
LWFnZW50LXNpZ25lckBhbWF6b24uY29tPokBPwQTAQIAKQUCZO0iggIbLwUJAsaY
gAcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJELwfSVyX3QTt+icH/A//tJsW
I+7Ay8FGJh8dJPNy++HIBjVSFdGNJFWNbw1Z8uZcazHEcUCH3FhW4CLQLTZ3OVPz
qvFwzDtRDVIN/Y9EGDhLMFvimrE+/z4olWsJ5DANf6BnX8I5UNIcRt5d8SWH1BEJ
2FWIBZFgKyTDI6XzRC5x4ahtgpOVAGeeKDehs+wh6Ga4W0/K4GsviP1Kyr+Ic2br
NAIq0q0IHyN1q9zam3Y0+jKwEuNmTj+Bjyzshyv/X8S0JWWoXJhkexkOvWeBYNNt
5wI4QcSteyfIzp6KlQF8q11Hzz9D9WaPfcBEYyhq7vLEARobkbQMBzpkmaZua241
0RaWG50HRvrgm4aJAhwEEAECAAYFAmTtIoMACgkQfdCXo9rX9fwwqBAAzkTgYJ38
sWgxpn7Ux/81F2BWR1sVkmP79i++fXyJlKI8xtcJFQZhzeUos69KBUCy7mgx5bYU
P7NA5o9DUbwz/QS0i1Cqm4+jtFlX0MXe4FikXcqfDPnnzN8mVB2H+fa43iHR1PuH
GgUWuNdxzSoIYRmLZXWmeN5YXPcmixlhLzcE2TOQn1mOKcu2fKdLtBQ8KiEkmjiu
naoLxnUcyk1zMhaha+LzEkQdOyasix0ggylN2ViWVnlmfy0niuXDxW0qZWPdLStF
OODiX3iqGmkH3rDfy6nvxxBR4GIs+MGD72fpWzzrINDgkGI2i2t1+0AX/mps3aTy
+ftlgrim8stYWB58XXDAb0vad06sNye5/zDzfr0I9HupJrTzFhaYJQjWPaSlINto
LDJnBXohiUIPRYRcy/k012oFHDWZHT3H6CyjK9UD5UlxA9H7dsJurANs6FOVRe+7
34uJyxDZ/W7zLG4AVG0zxibrUSoaJxwcOjVPVsQAlrwG/GTs7tcAccsJqbJ1Py/w
9AgJl8VU2qc8POsHNXk348gjP7C8PDnGMpZFzr9f5INctRushpiv7onX+aWJVX7T
n2uX/TP3LCyH/MsrNJrJOQnMYFRLQitciP0E+F+eA3v9CY6mDuyb8JSx5HuGGUsG
S4bKBOcA8vimEpwPoT8CE7fdsZ3Qkwdu+pw=
=zr5w
-----END PGP PUBLIC KEY BLOCK-----
-
Import the public key into your keyring, and note the
returned key value.
rpm --import amazon-ssm-agent.gpg
-
Verify the fingerprint. Be sure to replace
key-value
with the value from
the preceding step. We recommend that you use GPG to verify
the fingerprint even if you use RPM to verify the installer
package.
gpg --fingerprint key-value
This command returns output similar to the
following.
pub 2048R/97DD04ED 2023-08-28 [expires: 2025-02-17]
Key fingerprint = DE92 C7DA 3E56 E923 31D6 2A36 BC1F 495C 97DD 04ED
uid SSM Agent <ssm-agent-signer@amazon.com>
The fingerprint should match the following.
DE92 C7DA 3E56 E923 31D6 2A36 BC1F 495C 97DD
04ED
If the fingerprint doesn't match, don't install the agent.
Contact AWS Support.
-
Verify the installer package signature. Be sure to replace
the signature-filename
and
agent-download-filename
with
the values you specified when downloading the signature file
and agent, as listed in the table earlier in this
topic.
rpm --checksig signature-filename
agent-download-filename
For example, for the x86_64 architecture on
Amazon Linux 2:
rpm --checksig amazon-ssm-agent.rpm.sig amazon-ssm-agent.rpm
This command returns output similar to the
following.
amazon-ssm-agent-3.1.1141.0-1.amzn2.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
If pgp
is missing from the output and you
have imported the public key, then the agent isn't signed.
If the output contains the phrase NOT OK (MISSING
KEYS: (MD5) key-id
)
,
check whether you performed the procedure correctly and
verify you downloaded SSM Agent version 3.1.1141.0 or later.
If you continue to get this response, contact AWS Support and
don't install the agent.