验证 CloudWatch 代理软件包的签名
包含 GPG 签名文件以用于 Linux 服务器上的 CloudWatch 代理软件包。您可以使用公有密钥验证该代理下载文件是否为原始的而未进行修改。
对于 Windows Server,您可以使用 MSI 验证签名。
对于 macOS 电脑,代理下载软件包中包含签名。
要查找正确的签名文件,请参阅下表。对于每个架构和操作系统,有一个常规链接以及对应于每个区域的链接。例如,对于 Amazon Linux 和 Amazon Linux 2 以及 x86-64 架构,三个有效的链接如下:
-
https://amazoncloudwatch-agent.s3.amazonaws.com/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm.sig -
https://amazoncloudwatch-agent-us-east-1.s3.us-east-1.amazonaws.com/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm -
https://amazoncloudwatch-agent-eu-central-1.s3.eu-central-1.amazonaws.com/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm
注意
要下载 CloudWatch 代理,您的连接必须使用 TLS 1.2 或更高版本。
| 架构 | 平台 | 下载链接 | 签名文件链接 |
|---|---|---|---|
|
x86-64 |
Amazon Linux 和 Amazon Linux 2 |
https://amazoncloudwatch-agent.s3.amazonaws.com/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm https://amazoncloudwatch-agent- |
https://amazoncloudwatch-agent.s3.amazonaws.com/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm.sig https://amazoncloudwatch-agent- |
|
x86-64 |
Centos |
https://amazoncloudwatch-agent.s3.amazonaws.com/centos/amd64/latest/amazon-cloudwatch-agent.rpm https://amazoncloudwatch-agent- |
https://amazoncloudwatch-agent.s3.amazonaws.com/centos/amd64/latest/amazon-cloudwatch-agent.rpm.sig https://amazoncloudwatch-agent- |
|
x86-64 |
Redhat |
https://amazoncloudwatch-agent.s3.amazonaws.com/redhat/amd64/latest/amazon-cloudwatch-agent.rpm https://amazoncloudwatch-agent- |
https://amazoncloudwatch-agent.s3.amazonaws.com/redhat/amd64/latest/amazon-cloudwatch-agent.rpm.sig https://amazoncloudwatch-agent- |
|
x86-64 |
SUSE |
https://amazoncloudwatch-agent.s3.amazonaws.com/suse/amd64/latest/amazon-cloudwatch-agent.rpm https://amazoncloudwatch-agent- |
https://amazoncloudwatch-agent.s3.amazonaws.com/suse/amd64/latest/amazon-cloudwatch-agent.rpm.sig https://amazoncloudwatch-agent- |
|
x86-64 |
Debian |
https://amazoncloudwatch-agent.s3.amazonaws.com/debian/amd64/latest/amazon-cloudwatch-agent.deb https://amazoncloudwatch-agent- |
https://amazoncloudwatch-agent.s3.amazonaws.com/debian/amd64/latest/amazon-cloudwatch-agent.deb.sig https://amazoncloudwatch-agent- |
|
x86-64 |
Ubuntu |
https://amazoncloudwatch-agent.s3.amazonaws.com/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb https://amazoncloudwatch-agent- |
https://amazoncloudwatch-agent.s3.amazonaws.com/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb.sig https://amazoncloudwatch-agent- |
|
x86-64 |
Oracle |
https://amazoncloudwatch-agent.s3.amazonaws.com/oracle_linux/amd64/latest/amazon-cloudwatch-agent.rpm https://amazoncloudwatch-agent- |
https://amazoncloudwatch-agent.s3.amazonaws.com/oracle_linux/amd64/latest/amazon-cloudwatch-agent.rpm.sig https://amazoncloudwatch-agent- |
|
x86-64 |
macOS |
https://amazoncloudwatch-agent.s3.amazonaws.com/darwin/amd64/latest/amazon-cloudwatch-agent.pkg https://amazoncloudwatch-agent- |
https://amazoncloudwatch-agent.s3.amazonaws.com/darwin/amd64/latest/amazon-cloudwatch-agent.pkg.sig https://amazoncloudwatch-agent- |
|
x86-64 |
Windows |
https://amazoncloudwatch-agent.s3.amazonaws.com/windows/amd64/latest/amazon-cloudwatch-agent.msi https://amazoncloudwatch-agent- |
https://amazoncloudwatch-agent.s3.amazonaws.com/windows/amd64/latest/amazon-cloudwatch-agent.msi.sig https://amazoncloudwatch-agent- |
|
ARM64 |
Amazon Linux 2 |
https://amazoncloudwatch-agent.s3.amazonaws.com/amazon_linux/arm64/latest/amazon-cloudwatch-agent.rpm https://amazoncloudwatch-agent- |
https://amazoncloudwatch-agent.s3.amazonaws.com/amazon_linux/arm64/latest/amazon-cloudwatch-agent.rpm.sig https://amazoncloudwatch-agent- |
|
ARM64 |
Redhat |
https://amazoncloudwatch-agent.s3.amazonaws.com/redhat/arm64/latest/amazon-cloudwatch-agent.rpm https://amazoncloudwatch-agent- |
https://amazoncloudwatch-agent.s3.amazonaws.com/redhat/arm64/latest/amazon-cloudwatch-agent.rpm.sig https://amazoncloudwatch-agent- |
|
ARM64 |
Ubuntu |
https://amazoncloudwatch-agent.s3.amazonaws.com/ubuntu/arm64/latest/amazon-cloudwatch-agent.deb https://amazoncloudwatch-agent- |
https://amazoncloudwatch-agent.s3.amazonaws.com/ubuntu/arm64/latest/amazon-cloudwatch-agent.deb.sig https://amazoncloudwatch-agent- |
|
ARM64 |
SUSE |
https://amazoncloudwatch-agent.s3.amazonaws.com/suse/arm64/latest/amazon-cloudwatch-agent.rpm https://amazoncloudwatch-agent- |
https://amazoncloudwatch-agent.s3.amazonaws.com/suse/arm64/latest/amazon-cloudwatch-agent.rpm.sig https://amazoncloudwatch-agent- |
验证 Linux 服务器上的 CloudWatch 代理软件包
-
下载公有密钥。
shell$ wget https://amazoncloudwatch-agent.s3.amazonaws.com/assets/amazon-cloudwatch-agent.gpg -
将公有密钥导入到您的密钥环中。
shell$gpg --import amazon-cloudwatch-agent.gpggpg: key 3B789C72: public key "Amazon CloudWatch Agent" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1)请记下密钥值,因为需要在下一步中使用该值。在上一示例中,密钥值为
3B789C72。 -
通过运行以下命令,将
key-value替换为上一步中的值来验证指纹:shell$gpg --fingerprintkey-valuepub 2048R/3B789C72 2017-11-14 Key fingerprint = 9376 16F3 450B 7D80 6CBD 9725 D581 6730 3B78 9C72 uid Amazon CloudWatch Agent指纹字符串应等于以下内容:
9376 16F3 450B 7D80 6CBD 9725 D581 6730 3B78 9C72如果指纹字符串不匹配,请不要安装该代理。请联系 Amazon Web Services。
在验证指纹后,您可以使用该指纹验证 CloudWatch 代理软件包的签名。
-
使用 wget 下载软件包签名文件。要确定正确的签名文件,请参阅前一个表。
wgetSignature File Link -
要验证签名,请运行 gpg --verify。
shell$gpg --verifysignature-filenameagent-download-filenamegpg: Signature made Wed 29 Nov 2017 03:00:59 PM PST using RSA key ID 3B789C72 gpg: Good signature from "Amazon CloudWatch Agent" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 9376 16F3 450B 7D80 6CBD 9725 D581 6730 3B78 9C72如果输出包含短语
BAD signature,则检查是否正确执行了此过程。如果您继续获得该响应,请与 Amazon Web Services 联系,并避免使用已下载的文件。请注意有关信任的警告。只有当您或您信任的某个人对密钥进行了签名,密钥才是可信的。这并不意味着签名无效,只是您尚未验证公有密钥而已。
验证运行 Windows Server 的服务器上的 CloudWatch 代理软件包
-
从 https://gnupg.org/download/
中下载并安装适用于 Windows 的 GnuPG。在安装时,请包含 Shell 扩展 (GpgEx) 选项。 您可以在 Windows PowerShell 中执行其余步骤。
-
下载公有密钥。
PS> wget https://amazoncloudwatch-agent.s3.amazonaws.com/assets/amazon-cloudwatch-agent.gpg -OutFile amazon-cloudwatch-agent.gpg -
将公有密钥导入到您的密钥环中。
PS>gpg --import amazon-cloudwatch-agent.gpggpg: key 3B789C72: public key "Amazon CloudWatch Agent" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1)请记下密钥值,因为需要在下一步中使用该值。在上一示例中,密钥值为
3B789C72。 -
通过运行以下命令,将
key-value替换为上一步中的值来验证指纹:PS>gpg --fingerprintkey-valuepub rsa2048 2017-11-14 [SC] 9376 16F3 450B 7D80 6CBD 9725 D581 6730 3B78 9C72 uid [ unknown] Amazon CloudWatch Agent指纹字符串应等于以下内容:
9376 16F3 450B 7D80 6CBD 9725 D581 6730 3B78 9C72如果指纹字符串不匹配,请不要安装该代理。请联系 Amazon Web Services。
在验证指纹后,您可以使用该指纹验证 CloudWatch 代理软件包的签名。
-
使用 wget 下载软件包签名文件。要确定正确的签名文件,请参阅 CloudWatch 代理下载链接。
-
要验证签名,请运行 gpg --verify。
PS>gpg --verifysig-filenameagent-download-filenamegpg: Signature made 11/29/17 23:00:45 Coordinated Universal Time gpg: using RSA key D58167303B789C72 gpg: Good signature from "Amazon CloudWatch Agent" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 9376 16F3 450B 7D80 6CBD 9725 D581 6730 3B78 9C72如果输出包含短语
BAD signature,则检查是否正确执行了此过程。如果您继续获得该响应,请与 Amazon Web Services 联系,并避免使用已下载的文件。请注意有关信任的警告。只有当您或您信任的某个人对密钥进行了签名,密钥才是可信的。这并不意味着签名无效,只是您尚未验证公有密钥而已。
验证 macOS 电脑上的 CloudWatch 代理软件包
-
在 macOS 上进行签名验证的方法有两种。
-
通过运行以下命令验证指纹。
pkgutil --check-signature amazon-cloudwatch-agent.pkg您应该会看到类似以下内容的结果。
Package "amazon-cloudwatch-agent.pkg": Status: signed by a developer certificate issued by Apple for distribution Signed with a trusted timestamp on: 2020-10-02 18:13:24 +0000 Certificate Chain: 1. Developer ID Installer: AMZN Mobile LLC (94KV3E626L) Expires: 2024-10-18 22:31:30 +0000 SHA256 Fingerprint: 81 B4 6F AF 1C CA E1 E8 3C 6F FB 9E 52 5E 84 02 6E 7F 17 21 8E FB 0C 40 79 13 66 8D 9F 1F 10 1C ------------------------------------------------------------------------ 2. Developer ID Certification Authority Expires: 2027-02-01 22:12:15 +0000 SHA256 Fingerprint: 7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03 F2 9C 88 CF B0 B1 BA 63 58 7F ------------------------------------------------------------------------ 3. Apple Root CA Expires: 2035-02-09 21:40:36 +0000 SHA256 Fingerprint: B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C 68 C5 BE 91 B5 A1 10 01 F0 24 或者,下载并使用 sig 格式文件。若要使用此方法,请按照下列步骤操作。
通过输入以下命令,将 GPG 应用程序安装到您的 macOS 主机。
brew install GnuPG
-
使用 curl 下载软件包签名文件。要确定正确的签名文件,请参阅 CloudWatch 代理下载链接。
-
要验证签名,请运行 gpg --verify。
PS>gpg --verifysig-filenameagent-download-filenamegpg: Signature made 11/29/17 23:00:45 Coordinated Universal Time gpg: using RSA key D58167303B789C72 gpg: Good signature from "Amazon CloudWatch Agent" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 9376 16F3 450B 7D80 6CBD 9725 D581 6730 3B78 9C72如果输出包含短语
BAD signature,则检查是否正确执行了此过程。如果您继续获得该响应,请与 Amazon Web Services 联系,并避免使用已下载的文件。请注意有关信任的警告。只有当您或您信任的某个人对密钥进行了签名,密钥才是可信的。这并不意味着签名无效,只是您尚未验证公有密钥而已。
-
