验证 CloudWatch 代理软件包的签名 - Amazon CloudWatch

验证 CloudWatch 代理软件包的签名

包含 GPG 签名文件以用于 Linux 服务器上的 CloudWatch 代理软件包。您可以使用公有密钥验证该代理下载文件是否为原始的而未进行修改。

对于 Windows Server,您可以使用 MSI 验证签名。

要查找正确的签名文件,请参阅下表。对于每个架构和操作系统,有一个常规链接以及对应于每个区域的链接。例如,对于 Amazon Linux 和 Amazon Linux 2 以及 AMD64 架构,有下面三个有效的链接:

  • https://s3.amazonaws.com/amazoncloudwatch-agent/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm.sig

  • https://s3.us-east-1.amazonaws.com/amazoncloudwatch-agent-us-east-1/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm.sig

  • https://s3.eu-central-1.amazonaws.com/amazoncloudwatch-agent-eu-central-1/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm.sig

架构 平台 下载链接 签名文件链接

AMD64

Amazon Linux 和 Amazon Linux 2

https://s3.amazonaws.com/amazoncloudwatch-agent/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm

https://s3.region.amazonaws.com/amazoncloudwatch-agent-region/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm

https://s3.amazonaws.com/amazoncloudwatch-agent/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm.sig

https://s3.region.amazonaws.com/amazoncloudwatch-agent-region/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm.sig

AMD64

Centos

https://s3.amazonaws.com/amazoncloudwatch-agent/centos/amd64/latest/amazon-cloudwatch-agent.rpm

https://s3.region.amazonaws.com/amazoncloudwatch-agent-region/centos/amd64/latest/amazon-cloudwatch-agent.rpm

https://s3.amazonaws.com/amazoncloudwatch-agent/centos/amd64/latest/amazon-cloudwatch-agent.rpm.sig

https://s3.region.amazonaws.com/amazoncloudwatch-agent-region/centos/amd64/latest/amazon-cloudwatch-agent.rpm.sig

AMD64

Redhat

https://s3.amazonaws.com/amazoncloudwatch-agent/redhat/amd64/latest/amazon-cloudwatch-agent.rpm

https://s3.region.amazonaws.com/amazoncloudwatch-agent-region/redhat/amd64/latest/amazon-cloudwatch-agent.rpm

https://s3.amazonaws.com/amazoncloudwatch-agent/redhat/amd64/latest/amazon-cloudwatch-agent.rpm.sig

https://s3.region.amazonaws.com/amazoncloudwatch-agent-region/redhat/amd64/latest/amazon-cloudwatch-agent.rpm.sig

AMD64

SUSE

https://s3.amazonaws.com/amazoncloudwatch-agent/suse/amd64/latest/amazon-cloudwatch-agent.rpm

https://s3.region.amazonaws.com/amazoncloudwatch-agent-region/suse/amd64/latest/amazon-cloudwatch-agent.rpm

https://s3.amazonaws.com/amazoncloudwatch-agent/suse/amd64/latest/amazon-cloudwatch-agent.rpm.sig

https://s3.region.amazonaws.com/amazoncloudwatch-agent-region/suse/amd64/latest/amazon-cloudwatch-agent.rpm.sig

AMD64

Debian

https://s3.amazonaws.com/amazoncloudwatch-agent/debian/amd64/latest/amazon-cloudwatch-agent.deb

https://s3.region.amazonaws.com/amazoncloudwatch-agent-region/debian/amd64/latest/amazon-cloudwatch-agent.deb

https://s3.amazonaws.com/amazoncloudwatch-agent/debian/amd64/latest/amazon-cloudwatch-agent.deb.sig

https://s3.region.amazonaws.com/amazoncloudwatch-agent-region/debian/amd64/latest/amazon-cloudwatch-agent.deb.sig

AMD64

Ubuntu

https://s3.amazonaws.com/amazoncloudwatch-agent/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb

https://s3.region.amazonaws.com/amazoncloudwatch-agent-region/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb

https://s3.amazonaws.com/amazoncloudwatch-agent/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb.sig

https://s3.region.amazonaws.com/amazoncloudwatch-agent-region/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb.sig

AMD64

Windows

https://s3.amazonaws.com/amazoncloudwatch-agent/windows/amd64/latest/amazon-cloudwatch-agent.msi

https://s3.region.amazonaws.com/amazoncloudwatch-agent-region/windows/amd64/latest/amazon-cloudwatch-agent.msi

https://s3.amazonaws.com/amazoncloudwatch-agent/windows/amd64/latest/amazon-cloudwatch-agent.msi.sig

https://s3.region.amazonaws.com/amazoncloudwatch-agent-region/windows/amd64/latest/amazon-cloudwatch-agent.msi.sig

ARM64

Amazon Linux 2

https://s3.amazonaws.com/amazoncloudwatch-agent/amazon_linux/arm64/latest/amazon-cloudwatch-agent.rpm

https://s3.region.amazonaws.com/amazoncloudwatch-agent-region/amazon_linux/arm64/latest/amazon-cloudwatch-agent.rpm

https://s3.amazonaws.com/amazoncloudwatch-agent/amazon_linux/arm64/latest/amazon-cloudwatch-agent.rpm.sig

https://s3.region.amazonaws.com/amazoncloudwatch-agent-region/amazon_linux/arm64/latest/amazon-cloudwatch-agent.rpm.sig

ARM64

Redhat

https://s3.amazonaws.com/amazoncloudwatch-agent/redhat/arm64/latest/amazon-cloudwatch-agent.rpm

https://s3.region.amazonaws.com/amazoncloudwatch-agent-region/redhat/arm64/latest/amazon-cloudwatch-agent.rpm

https://s3.amazonaws.com/amazoncloudwatch-agent/redhat/arm64/latest/amazon-cloudwatch-agent.rpm.sig

https://s3.region.amazonaws.com/amazoncloudwatch-agent-region/redhat/arm64/latest/amazon-cloudwatch-agent.rpm.sig

ARM64

Ubuntu

https://s3.amazonaws.com/amazoncloudwatch-agent/ubuntu/arm64/latest/amazon-cloudwatch-agent.deb

https://s3.region.amazonaws.com/amazoncloudwatch-agent-region/ubuntu/arm64/latest/amazon-cloudwatch-agent.deb

https://s3.amazonaws.com/amazoncloudwatch-agent/ubuntu/arm64/latest/amazon-cloudwatch-agent.deb.sig

https://s3.region.amazonaws.com/amazoncloudwatch-agent-region/ubuntu/arm64/latest/amazon-cloudwatch-agent.deb.sig

ARM64

SUSE

https://s3.amazonaws.com/amazoncloudwatch-agent/suse/arm64/latest/amazon-cloudwatch-agent.rpm

https://s3.region.amazonaws.com/amazoncloudwatch-agent-region/suse/arm64/latest/amazon-cloudwatch-agent.rpm

https://s3.amazonaws.com/amazoncloudwatch-agent/suse/arm64/latest/amazon-cloudwatch-agent.rpm.sig

https://s3.region.amazonaws.com/amazoncloudwatch-agent-regionsuse/arm64/latest/amazon-cloudwatch-agent.rpm.sig

验证 Linux 服务器上的 CloudWatch 代理软件包

  1. 下载公有密钥。

    shell$ wget https://s3.amazonaws.com/amazoncloudwatch-agent/assets/amazon-cloudwatch-agent.gpg

  2. 将公有密钥导入到您的密钥环中。

    shell$  gpg --import amazon-cloudwatch-agent.gpg
gpg: key 3B789C72: public key "Amazon CloudWatch Agent" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)

    请记下密钥值,因为需要在下一步中使用该值。在上一示例中,密钥值为 3B789C72

  3. 通过运行以下命令,将 key-value 替换为上一步中的值来验证指纹: 

    shell$  gpg --fingerprint key-value
pub   2048R/3B789C72 2017-11-14
      Key fingerprint = 9376 16F3 450B 7D80 6CBD  9725 D581 6730 3B78 9C72
uid                  Amazon CloudWatch Agent

    指纹字符串应等于以下内容:

    9376 16F3 450B 7D80 6CBD 9725 D581 6730 3B78 9C72

    如果指纹字符串不匹配,请不要安装该代理。联系 Amazon Web Services。

    在验证指纹后,您可以使用该指纹验证 CloudWatch 代理软件包的签名。

  4. 使用 wget 下载软件包签名文件。要确定正确的签名文件,请参阅前一个表: 

    wget Signature File Link

  5. 要验证签名,请运行 gpg --verify

    shell$ gpg --verify signature-filename agent-download-filename
gpg: Signature made Wed 29 Nov 2017 03:00:59 PM PST using RSA key ID 3B789C72
gpg: Good signature from "Amazon CloudWatch Agent"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9376 16F3 450B 7D80 6CBD  9725 D581 6730 3B78 9C72

    如果输出包含短语 BAD signature,则检查是否正确执行了此过程。如果您继续获得该响应,请与 Amazon Web Services 联系,并避免使用下载文件。

    请注意有关信任的警告。只有当您或您信任的某个人对密钥进行了签名,密钥才是可信的。这并不意味着签名无效,只是您尚未验证公有密钥而已。

验证运行 Windows Server 的服务器上的 CloudWatch 代理软件包

  1. https://gnupg.org/download/ 中下载并安装适用于 Windows 的 GnuPG。在安装时,请包含 Shell 扩展 (GpgEx) 选项。

    您可以在 Windows PowerShell 中执行其余步骤。

  2. 下载公有密钥。

    PS> wget https://s3.amazonaws.com/amazoncloudwatch-agent/assets/amazon-cloudwatch-agent.gpg -OutFile amazon-cloudwatch-agent.gpg

  3. 将公有密钥导入到您的密钥环中。

    PS>  gpg --import amazon-cloudwatch-agent.gpg
gpg: key 3B789C72: public key "Amazon CloudWatch Agent" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)

    请记下密钥值,因为需要在下一步中使用该值。在上一示例中,密钥值为 3B789C72

  4. 通过运行以下命令,将 key-value 替换为上一步中的值来验证指纹: 

    PS>  gpg --fingerprint key-value
pub   rsa2048 2017-11-14 [SC]
      9376 16F3 450B 7D80 6CBD  9725 D581 6730 3B78 9C72
uid           [ unknown] Amazon CloudWatch Agent

    指纹字符串应等于以下内容:

    9376 16F3 450B 7D80 6CBD 9725 D581 6730 3B78 9C72

    如果指纹字符串不匹配,请不要安装该代理。联系 Amazon Web Services。

    在验证指纹后,您可以使用该指纹验证 CloudWatch 代理软件包的签名。

  5. 使用 wget 下载软件包签名文件。要确定正确的签名文件,请参阅 CloudWatch 代理下载链接

  6. 要验证签名,请运行 gpg --verify

    PS> gpg --verify sig-filename agent-download-filename
gpg: Signature made 11/29/17 23:00:45 Coordinated Universal Time
gpg:                using RSA key D58167303B789C72
gpg: Good signature from "Amazon CloudWatch Agent" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9376 16F3 450B 7D80 6CBD  9725 D581 6730 3B78 9C72

    如果输出包含短语 BAD signature,则检查是否正确执行了此过程。如果您继续获得该响应,请与 Amazon Web Services 联系,并避免使用下载文件。

    请注意有关信任的警告。只有当您或您信任的某个人对密钥进行了签名,密钥才是可信的。这并不意味着签名无效,只是您尚未验证公有密钥而已。