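Verifying the signature of the CloudWatch agent package
GPG signature files are included for CloudWatch agent packages on Linux servers. You can use a public key to verify that the agent download file is original and unmodified.
For Windows Server, you can use the MSI to verify the signature.
To find the correct signature file, see the following table. For each architecture and operating system, there is a general link as well as links for each Region. For example, for Amazon Linux and Amazon Linux 2 and the AMD64 architecture, the following three links are valid: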
- https://s3.amazonaws.com/amazoncloudwatch-agent/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm.sig
- https://s3.us-east-1.amazonaws.com/amazoncloudwatch-agent-us-east-1/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm.sig
- https://s3.eu-central-1.amazonaws.com/amazoncloudwatch-agent-eu-central-1/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm.sig

Architecture | Platform | Download link | Signature file link |
---|---|---|---|
AMD64 | Amazon Linux and Amazon Linux 2 | https://s3.amazonaws.com/amazoncloudwatch-agent/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm | https://s3.amazonaws.com/amazoncloudwatch-agent/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm.sig |
AMD64 | CentOS | https://s3.amazonaws.com/amazoncloudwatch-agent/centos/amd64/latest/amazon-cloudwatch-agent.rpm | https://s3.amazonaws.com/amazoncloudwatch-agent/centos/amd64/latest/amazon-cloudwatch-agent.rpm.sig |
AMD64 | Red Hat | https://s3.amazonaws.com/amazoncloudwatch-agent/redhat/amd64/latest/amazon-cloudwatch-agent.rpm | https://s3.amazonaws.com/amazoncloudwatch-agent/redhat/amd64/latest/amazon-cloudwatch-agent.rpm.sig |
AMD64 | SUSE | https://s3.amazonaws.com/amazoncloudwatch-agent/suse/amd64/latest/amazon-cloudwatch-agent.rpm | https://s3.amazonaws.com/amazoncloudwatch-agent/suse/amd64/latest/amazon-cloudwatch-agent.rpm.sig |
AMD64 | Debian | https://s3.amazonaws.com/amazoncloudwatch-agent/debian/amd64/latest/amazon-cloudwatch-agent.deb | https://s3.amazonaws.com/amazoncloudwatch-agent/debian/amd64/latest/amazon-cloudwatch-agent.deb.sig |
AMD64 | Ubuntu | https://s3.amazonaws.com/amazoncloudwatch-agent/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb | https://s3.amazonaws.com/amazoncloudwatch-agent/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb.sig |
AMD64 | Oracle | https://s3.amazonaws.com/amazoncloudwatch-agent/oracle_linux/amd64/latest/amazon-cloudwatch-agent.rpm | https://s3.amazonaws.com/amazoncloudwatch-agent/oracle_linux/amd64/latest/amazon-cloudwatch-agent.rpm.sig |
AMD64 | Windows | https://s3.amazonaws.com/amazoncloudwatch-agent/windows/amd64/latest/amazon-cloudwatch-agent.msi | https://s3.amazonaws.com/amazoncloudwatch-agent/windows/amd64/latest/amazon-cloudwatch-agent.msi.sig |
ARM64 | Amazon Linux 2 | https://s3.amazonaws.com/amazoncloudwatch-agent/amazon_linux/arm64/latest/amazon-cloudwatch-agent.rpm | https://s3.amazonaws.com/amazoncloudwatch-agent/amazon_linux/arm64/latest/amazon-cloudwatch-agent.rpm.sig |
ARM64 | Red Hat | https://s3.amazonaws.com/amazoncloudwatch-agent/redhat/arm64/latest/amazon-cloudwatch-agent.rpm | https://s3.amazonaws.com/amazoncloudwatch-agent/redhat/arm64/latest/amazon-cloudwatch-agent.rpm.sig |
ARM64 | Ubuntu | https://s3.amazonaws.com/amazoncloudwatch-agent/ubuntu/arm64/latest/amazon-cloudwatch-agent.deb | https://s3.amazonaws.com/amazoncloudwatch-agent/ubuntu/arm64/latest/amazon-cloudwatch-agent.deb.sig |
ARM64 | SUSE | https://s3.amazonaws.com/amazoncloudwatch-agent/suse/arm64/latest/amazon-cloudwatch-agent.rpm | https://s3.amazonaws.com/amazoncloudwatch-agent/suse/arm64/latest/amazon-cloudwatch-agent.rpm.sig |

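To verify the CloudWatch agent package on a Linux server
- Download the public key.

  ```
  shell$ wget https://s3.amazonaws.com/amazoncloudwatch-agent/assets/amazon-cloudwatch-agent.gpg
  ```

- Import the public key into your keyring.

  ```
  shell$ gpg --import amazon-cloudwatch-agent.gpg
  gpg: key 3B789C72: public key "Amazon CloudWatch Agent" imported
  gpg: Total number processed: 1
  gpg: imported: 1 (RSA: 1)
  ```

  Make a note of the key value, because you need it in the next step. In the preceding example, the key value is `3B789C72`.

- Verify the fingerprint by running the following command, replacing `key-value` with the value from the preceding step:

  ```
  shell$ gpg --fingerprint key-value
  pub 2048R/3B789C72 2017-11-14
  Key fingerprint = 9376 16F3 450B 7D80 6CBD 9725 D581 6730 3B78 9C72
  uid Amazon CloudWatch Agent
  ```

  The fingerprint string should be equal to the following:

  `9376 16F3 450B 7D80 6CBD 9725 D581 6730 3B78 9C72`

  If the fingerprint string doesn't match, don't install the agent. Contact Amazon Web Services.

  After you have verified the fingerprint, you can use it to verify the signature of the CloudWatch agent package.

- Download the package signature file using wget. To determine the correct signature file, see the preceding table.

  ```
  wget Signature File Link
  ```

- To verify the signature, run gpg --verify.

  ```
  shell$ gpg --verify signature-filename agent-download-filename
  gpg: Signature made Wed 29 Nov 2017 03:00:59 PM PST using RSA key ID 3B789C72
  gpg: Good signature from "Amazon CloudWatch Agent"
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg: There is no indication that the signature belongs to the owner.
  Primary key fingerprint: 9376 16F3 450B 7D80 6CBD 9725 D581 6730 3B78 9C72
  ```

  If the output includes the phrase `BAD signature`, check whether you performed the procedure correctly. If you continue to get this response, contact Amazon Web Services and avoid using the downloaded file. Note the warning about trust. A key is trusted only if you or someone you trust has signed it. This doesn't mean that the signature is invalid, only that you have not verified the public key.
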
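The Linux procedure above ends with a person reading gpg's output. As an added example (not part of the original AWS page), this POSIX shell script runs the same check unattended: it imports the key into a throwaway keyring and accepts the package only if gpg's machine-readable status lines report a good signature from the key whose fingerprint is published above. The function names, the `PINNED_FPR` and `SAMPLE_GOOD_STATUS` variables, and the sample status lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: accept the package only if gpg's machine-readable status shows
# a good signature from the key whose fingerprint this page publishes.
PINNED_FPR="9376 16F3 450B 7D80 6CBD 9725 D581 6730 3B78 9C72"   # from this page

# Constructed sample of `gpg --status-fd 1 --verify` output (field values invented).
SAMPLE_GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D58167303B789C72 Amazon CloudWatch Agent
[GNUPG:] VALIDSIG 937616F3450B7D806CBD9725D58167303B789C72 2017-11-29 1511996445 0 4 0 1 8 00 937616F3450B7D806CBD9725D58167303B789C72
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Remove whitespace and upper-case, so "9376 16f3 ..." equals "937616F3...".
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# status_is_pinned_good STATUS_TEXT
# True only when GOODSIG is present, VALIDSIG names the pinned primary-key
# fingerprint (its last field), and no bad/expired/revoked/error line appears.
status_is_pinned_good() {
    want=$(normalize_fpr "$PINNED_FPR")
    printf '%s\n' "$1" | awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "GOODSIG" { good = 1 }
        $2 == "VALIDSIG" && toupper($NF) == want { pinned = 1 }
        END { exit !(good && pinned && !bad) }'
}

# verify_pkg SIGNATURE_FILE PACKAGE_FILE [KEY_FILE]
# Imports the key into a throwaway keyring so that no other key already present
# on the host can satisfy the check, then evaluates gpg's status lines.
verify_pkg() {
    sig=$1; pkg=$2; key=${3:-amazon-cloudwatch-agent.gpg}
    home=$(mktemp -d) || return 2
    gpg --homedir "$home" --batch --quiet --import "$key" 2>/dev/null
    status=$(gpg --homedir "$home" --batch --status-fd 1 --verify "$sig" "$pkg" 2>/dev/null)
    rm -rf "$home"
    status_is_pinned_good "$status"
}

# Run as: sh verify-cwagent.sh SIGNATURE_FILE PACKAGE_FILE [KEY_FILE]
if [ "$#" -ge 2 ]; then
    if verify_pkg "$@"; then echo "OK: signed by the pinned key"
    else echo "FAILED: do not install" >&2; exit 1; fi
fi
```
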
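To verify the CloudWatch agent package on a server running Windows Server
- Download and install GnuPG for Windows from https://gnupg.org/download/. When installing, include the Shell Extension (GpgEx) option. You can perform the remaining steps in Windows PowerShell.

- Download the public key.

  ```
  PS> wget https://s3.amazonaws.com/amazoncloudwatch-agent/assets/amazon-cloudwatch-agent.gpg -OutFile amazon-cloudwatch-agent.gpg
  ```

- Import the public key into your keyring.

  ```
  PS> gpg --import amazon-cloudwatch-agent.gpg
  gpg: key 3B789C72: public key "Amazon CloudWatch Agent" imported
  gpg: Total number processed: 1
  gpg: imported: 1 (RSA: 1)
  ```

  Make a note of the key value, because you need it in the next step. In the preceding example, the key value is `3B789C72`.

- Verify the fingerprint by running the following command, replacing `key-value` with the value from the preceding step:

  ```
  PS> gpg --fingerprint key-value
  pub rsa2048 2017-11-14 [SC]
  9376 16F3 450B 7D80 6CBD 9725 D581 6730 3B78 9C72
  uid [ unknown] Amazon CloudWatch Agent
  ```

  The fingerprint string should be equal to the following:

  `9376 16F3 450B 7D80 6CBD 9725 D581 6730 3B78 9C72`

  If the fingerprint string doesn't match, don't install the agent. Contact Amazon Web Services.

  After you have verified the fingerprint, you can use it to verify the signature of the CloudWatch agent package.

- Download the package signature file using wget. To determine the correct signature file, see CloudWatch agent download links.

- To verify the signature, run gpg --verify.

  ```
  PS> gpg --verify sig-filename agent-download-filename
  gpg: Signature made 11/29/17 23:00:45 Coordinated Universal Time
  gpg: using RSA key D58167303B789C72
  gpg: Good signature from "Amazon CloudWatch Agent" [unknown]
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg: There is no indication that the signature belongs to the owner.
  Primary key fingerprint: 9376 16F3 450B 7D80 6CBD 9725 D581 6730 3B78 9C72
  ```

  If the output includes the phrase `BAD signature`, check whether you performed the procedure correctly. If you continue to get this response, contact Amazon Web Services and avoid using the downloaded file. Note the warning about trust. A key is trusted only if you or someone you trust has signed it. This doesn't mean that the signature is invalid, only that you have not verified the public key.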