Verifying the signature of SSM Agent - AWS Systems Manager

Verifying the signature of SSM Agent

The Deb and RPM installer packages for AWS Systems Manager Agent (SSM Agent) on Linux instances are cryptographically signed. You can use a public key to verify that the agent package is original and has not been modified. If the file has been damaged or altered in any way, verification fails. You can verify the signature of the installer package using either RPM or GPG.

To find the correct signature file for your instance's architecture and operating system, see the following table.

region represents the identifier for an AWS Region supported by AWS Systems Manager, such as us-east-2 for the US East (Ohio) Region. For a list of region values, see the Region column in Systems Manager service endpoints in the Amazon Web Services General Reference.

Columns: Architecture; Operating system; Signature file URL (region-specific URL, then the URL without a region); Agent download file name

Architecture: Intel 64-bit (x86_64)
Operating system: Amazon Linux, Amazon Linux 2, CentOS, RHEL, Oracle Linux, SLES
Signature file URL:
    https://s3.region.amazonaws.com/amazon-ssm-region/latest/linux_amd64/amazon-ssm-agent.rpm.sig
    https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm.sig
Agent download file name: amazon-ssm-agent.rpm

Architecture: Intel 64-bit (x86_64)
Operating system: Debian Server, Ubuntu Server
Signature file URL:
    https://s3.region.amazonaws.com/amazon-ssm-region/latest/debian_amd64/amazon-ssm-agent.deb.sig
    https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb.sig
Agent download file name: amazon-ssm-agent.deb

Architecture: Intel 32-bit (x86)
Operating system: Amazon Linux, Amazon Linux 2, CentOS, RHEL
Signature file URL:
    https://s3.region.amazonaws.com/amazon-ssm-region/latest/linux_386/amazon-ssm-agent.rpm.sig
    https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_386/amazon-ssm-agent.rpm.sig
Agent download file name: amazon-ssm-agent.rpm

Architecture: Intel 32-bit (x86)
Operating system: Ubuntu Server
Signature file URL:
    https://s3.region.amazonaws.com/amazon-ssm-region/latest/debian_386/amazon-ssm-agent.deb.sig
    https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_386/amazon-ssm-agent.deb.sig
Agent download file name: amazon-ssm-agent.deb

Architecture: ARM 64-bit (arm64)
Operating system: Amazon Linux, Amazon Linux 2, CentOS, RHEL
Signature file URL:
    https://s3.region.amazonaws.com/amazon-ssm-region/latest/linux_arm64/amazon-ssm-agent.rpm.sig
    https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_arm64/amazon-ssm-agent.rpm.sig
Agent download file name: amazon-ssm-agent.rpm

GPG

To verify the SSM Agent package on a Linux server

  1. Copy the following public key and save it to a file named amazon-ssm-agent.gpg.

    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: GnuPG v2.0.22 (GNU/Linux)

    mQENBF98p2YBCADgfK6NJS/1UFMEBq+DbHrLGCPR7uabN7KByIWJ6X0gGqxad0y7
    kP+M2YhWVlteeytpJgEEzKFIXkv7vZdRIjCrgIiNISdvDyYOTNQ2n5Ck5XPnJTQg
    n5HIRccvc+Lwdidl8auiCYteDCDCGM5EPb7vUrbrg+y4RkXeBNErzo7rbVnWW4QC
    z8x6EVLb24w/AONHLxywwunagorWiVBP6snrBoz2d2wQYAfpPmPsoLRAURiMnubG
    bDOM9hb5bGi2OY92L9fVChVRGJnxMNYPCQWFyUovRis9fKnmP1LopUmlNSmSqUj1
    AD7WRDMGn2Ruf+HYEZuY+pDD/C2ejcJtjDJTABEBAAG0J1NTTSBBZ2VudCA8c3Nt
    LWFnZW50LXNpZ25lckBhbWF6b24uY29tPokBPwQTAQIAKQUCX3ynZgIbLwUJAsaY
    gAcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEFT09W5pPsohHGQIALMvf8oq
    wEU5gph5SlrjYTIqZqsvyV8RKsUEFin5EDkeLC5ALpsby6rAWnobCy2Ce1p4buS+
    sA/PFKkraVWtpmqOOkCZoBJTWZyR3KtY7y2pTUWl7aaj20NEO/nPI1VH/E47iH7m
    scYAOxbNOcEbRiip7AdXZXK7nKda51q/b6G92fM86pl8VPBAh6ijMNmEEZxIAWH2
    AGY7Y9imwnp+UpUUwsJb3/L0asqMecPrYJLGWke6EYGPuDfxYb1+YOuZOY/mjDJJ
    z6f7G2nCuDMniabydk3269eLRPuRHUq4P5Sv+I/zdJI4B8lOJfJRpy/mwGwAU74l
    s7csneMjUO2zIzaJAhwEEAECAAYFAl98p2YACgkQfdCXo9rX9fzFHw//akOS57o3
    lyQySKmbEpAhDrEcg4NGqidlp3NjqkxKmmK5GMwC+wJS+hmwuBiMH1knSaxc/0ie
    XmtxHsmDn8JmREypkfUS+vAONlmsuFJUjXipa5cAP4YjPMTW7HNxC/WrLV6NSuQZ
    5nweVeXAQPxjOoNaAOOk1hlUuGdypPxCNV6NYLm5W7jz1buDYOhNwPvVP63wy1BK
    ME4HzE94ggCxnXdafJU2KR11Mj/9LRFeDJ8X8huSKOFNOy2IotuW5VmxlDvbkvDT
    ceelqWJjh5CsWKmWActoxqtyiedQqxgsxFuwqVIWxP758C3NP1zpxvr8SXxdJBy3
    8U4iHC3I89zlX4x4tPiMn3vQOq+RhnZEzEphrmPkQAaq6H160hHxQz44DoM8jDIn
    f/EbWKPkw+p5679JUrXIZDOYP2OlbKoAY4axfCwvjIqAQ5KWFQyKmWyoRwTl4IrC
    bAXqljtqzyF20g2puNpxpvxT8CF+YaKYPKqXAbZkBQoOoPBbEGGG19BX5rCBehTx
    QwBAgmmk7FG162TY2uivbwjmguh4DM4PgEoHtsgg9UVM+A+M5tIuEeTC5jWgzEcf
    VkwTY6N+3XNvAnYNobND8mvN+QAJG7NpryX1fNBaxGsze3QBL42v/zFmG6VSfINp
    4H01UHp8Pmidk8axmi+w6hoqB+uDo3lgd6U=
    =c8Y2
    -----END PGP PUBLIC KEY BLOCK-----

  2. Import the public key into your keyring and note the key value that is returned.

    gpg --import amazon-ssm-agent.gpg

  3. Verify the fingerprint. Be sure to replace key-value with the value from the previous step. Even if you use RPM to verify the installer package, we recommend that you use GPG to verify the fingerprint.

    gpg --fingerprint key-value

    This command returns output similar to the following.

    pub   2048R/693ECA21 2020-10-06 [expires: 2022-03-29]
          Key fingerprint = 8108 A07A 9EBE 248E 3F1C 63F2 54F4 F56E 693E CA21
    uid                  SSM Agent <ssm-agent-signer@amazon.com>

    The fingerprint should match the following.

    8108 A07A 9EBE 248E 3F1C 63F2 54F4 F56E 693E CA21

    If the fingerprints don't match, don't install the agent. Contact AWS Support.

  4. If you haven't already downloaded the signature file, download it for your instance's architecture and operating system.

  5. Verify the installer package signature. Be sure to replace signature-filename and agent-download-filename with the values you specified when you downloaded the signature file and the agent.

    gpg --verify signature-filename agent-download-filename

    This command returns output similar to the following.

    gpg: Signature made Wed 07 Oct 2020 05:52:47 PM UTC using RSA key ID 693ECA21
    gpg: Good signature from "SSM Agent <ssm-agent-signer@amazon.com>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 8108 A07A 9EBE 248E 3F1C 63F2 54F4 F56E 693E CA21

    If the output includes the phrase BAD signature, check whether you performed the procedure correctly. If you continue to get this response, contact AWS Support and don't install the agent. The warning message about trust doesn't mean that the signature isn't valid, only that you haven't verified the public key. A key is trusted only if it has been signed by you or by someone you trust.
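The following script is an added example, not code from this AWS page; it automates steps 2 through 5 above so that the outcome does not depend on reading the human-readable output or on the trust warning just described. It assumes gpg is installed and that amazon-ssm-agent.gpg holds the public key from step 1. Instead of grepping for "Good signature", it reads gpg's machine-readable --status-fd lines and pins the fingerprint from step 3, so a "good" result means the signature was made by exactly that key; the sample status lines in the comments are constructed.

```shell
#!/bin/sh
# Added example (not AWS's own tooling): verify an SSM Agent package signature with GPG
# in a throwaway keyring, pin the signing key's fingerprint, and interpret gpg's
# --status-fd output rather than its human-readable messages.
# Assumes: gpg installed; amazon-ssm-agent.gpg contains the public key shown above.

# Fingerprint from step 3 of this page, with spaces removed.
EXPECTED_FPR="8108A07A9EBE248E3F1C63F254F4F56E693ECA21"

# Normalise a fingerprint for comparison: drop spaces, upper-case hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Return 0 when $1 is the pinned fingerprint (in any spacing or case).
fingerprint_matches() {
    [ "$(normalize_fpr "$1")" = "$EXPECTED_FPR" ]
}

# Classify a block of gpg --status-fd lines ($1). Prints one word:
#   badsig     "[GNUPG:] BADSIG ..."      file or signature was altered
#   nokey      "[GNUPG:] NO_PUBKEY ..."   key not imported into this keyring
#   good       "[GNUPG:] VALIDSIG <fpr> ..." and <fpr> (or the trailing primary-key
#              fingerprint) equals the pinned one
#   untrusted  VALIDSIG present, but from some other key
#   unknown    nothing conclusive
classify_status() {
    status="$1"
    if printf '%s\n' "$status" | grep -q '^\[GNUPG:\] BADSIG '; then
        echo badsig; return 0
    fi
    if printf '%s\n' "$status" | grep -q '^\[GNUPG:\] NO_PUBKEY '; then
        echo nokey; return 0
    fi
    # VALIDSIG: field 3 is the signing key's fingerprint; newer gpg appends the
    # primary key's fingerprint as the last field, so accept either.
    valid=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $3 " " $NF; exit}')
    if [ -n "$valid" ]; then
        for f in $valid; do
            if fingerprint_matches "$f"; then echo good; return 0; fi
        done
        echo untrusted; return 0
    fi
    echo unknown
}

# Import the key into an isolated GNUPGHOME and verify $2 against signature $1.
# The system keyring is neither read nor modified. Prints the classification.
verify_package() {
    keyring=$(mktemp -d) || return 2
    status=$(GNUPGHOME="$keyring" gpg --batch --quiet --import amazon-ssm-agent.gpg 2>/dev/null;
             GNUPGHOME="$keyring" gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null)
    rm -rf "$keyring"
    classify_status "$status"
}

# Usage: sh verify-ssm-agent.sh amazon-ssm-agent.rpm.sig amazon-ssm-agent.rpm
# Exit status is 0 only when the signature verifies under the pinned key.
if [ "$#" -eq 2 ]; then
    result=$(verify_package "$1" "$2")
    echo "verification result: $result"
    [ "$result" = good ]
fi
```

Because the fingerprint itself is compared, the "not certified with a trusted signature" warning from step 5 no longer matters for the decision, and an otherwise valid signature from a different key is reported as untrusted rather than accepted.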

RPM

To verify the SSM Agent package on a Linux server

  1. Copy the following public key and save it to a file named amazon-ssm-agent.gpg.

    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: GnuPG v2.0.22 (GNU/Linux)

    mQENBF98p2YBCADgfK6NJS/1UFMEBq+DbHrLGCPR7uabN7KByIWJ6X0gGqxad0y7
    kP+M2YhWVlteeytpJgEEzKFIXkv7vZdRIjCrgIiNISdvDyYOTNQ2n5Ck5XPnJTQg
    n5HIRccvc+Lwdidl8auiCYteDCDCGM5EPb7vUrbrg+y4RkXeBNErzo7rbVnWW4QC
    z8x6EVLb24w/AONHLxywwunagorWiVBP6snrBoz2d2wQYAfpPmPsoLRAURiMnubG
    bDOM9hb5bGi2OY92L9fVChVRGJnxMNYPCQWFyUovRis9fKnmP1LopUmlNSmSqUj1
    AD7WRDMGn2Ruf+HYEZuY+pDD/C2ejcJtjDJTABEBAAG0J1NTTSBBZ2VudCA8c3Nt
    LWFnZW50LXNpZ25lckBhbWF6b24uY29tPokBPwQTAQIAKQUCX3ynZgIbLwUJAsaY
    gAcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEFT09W5pPsohHGQIALMvf8oq
    wEU5gph5SlrjYTIqZqsvyV8RKsUEFin5EDkeLC5ALpsby6rAWnobCy2Ce1p4buS+
    sA/PFKkraVWtpmqOOkCZoBJTWZyR3KtY7y2pTUWl7aaj20NEO/nPI1VH/E47iH7m
    scYAOxbNOcEbRiip7AdXZXK7nKda51q/b6G92fM86pl8VPBAh6ijMNmEEZxIAWH2
    AGY7Y9imwnp+UpUUwsJb3/L0asqMecPrYJLGWke6EYGPuDfxYb1+YOuZOY/mjDJJ
    z6f7G2nCuDMniabydk3269eLRPuRHUq4P5Sv+I/zdJI4B8lOJfJRpy/mwGwAU74l
    s7csneMjUO2zIzaJAhwEEAECAAYFAl98p2YACgkQfdCXo9rX9fzFHw//akOS57o3
    lyQySKmbEpAhDrEcg4NGqidlp3NjqkxKmmK5GMwC+wJS+hmwuBiMH1knSaxc/0ie
    XmtxHsmDn8JmREypkfUS+vAONlmsuFJUjXipa5cAP4YjPMTW7HNxC/WrLV6NSuQZ
    5nweVeXAQPxjOoNaAOOk1hlUuGdypPxCNV6NYLm5W7jz1buDYOhNwPvVP63wy1BK
    ME4HzE94ggCxnXdafJU2KR11Mj/9LRFeDJ8X8huSKOFNOy2IotuW5VmxlDvbkvDT
    ceelqWJjh5CsWKmWActoxqtyiedQqxgsxFuwqVIWxP758C3NP1zpxvr8SXxdJBy3
    8U4iHC3I89zlX4x4tPiMn3vQOq+RhnZEzEphrmPkQAaq6H160hHxQz44DoM8jDIn
    f/EbWKPkw+p5679JUrXIZDOYP2OlbKoAY4axfCwvjIqAQ5KWFQyKmWyoRwTl4IrC
    bAXqljtqzyF20g2puNpxpvxT8CF+YaKYPKqXAbZkBQoOoPBbEGGG19BX5rCBehTx
    QwBAgmmk7FG162TY2uivbwjmguh4DM4PgEoHtsgg9UVM+A+M5tIuEeTC5jWgzEcf
    VkwTY6N+3XNvAnYNobND8mvN+QAJG7NpryX1fNBaxGsze3QBL42v/zFmG6VSfINp
    4H01UHp8Pmidk8axmi+w6hoqB+uDo3lgd6U=
    =c8Y2
    -----END PGP PUBLIC KEY BLOCK-----

  2. Import the public key into your keyring and note the key value that is returned.

    rpm --import amazon-ssm-agent.gpg

  3. Verify the fingerprint. Be sure to replace key-value with the value from the previous step. Even if you use RPM to verify the installer package, we recommend that you use GPG to verify the fingerprint.

    gpg --fingerprint key-value

    This command returns output similar to the following.

    pub   2048R/693ECA21 2020-10-06 [expires: 2022-03-29]
          Key fingerprint = 8108 A07A 9EBE 248E 3F1C 63F2 54F4 F56E 693E CA21
    uid                  SSM Agent <ssm-agent-signer@amazon.com>

    The fingerprint should match the following.

    8108 A07A 9EBE 248E 3F1C 63F2 54F4 F56E 693E CA21

    If the fingerprints don't match, don't install the agent. Contact AWS Support.

  4. Verify the installer package signature. Be sure to replace signature-filename and agent-download-filename with the values you specified when you downloaded the signature file and the agent.

    rpm --checksig agent-download-filename

    This command returns output similar to the following.

    amazon-ssm-agent-2.3.1319.0-1.amzn2.x86_64.rpm: rsa sha1 (md5) pgp md5 OK

    If pgp is missing from the output and you have imported the public key, the agent is not signed. If the output includes the phrase NOT OK (MISSING KEYS: (MD5) key-id), check whether you performed the procedure correctly. If you continue to get this response, contact AWS Support and don't install the agent.
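The script below is an added example, not from this AWS page, that turns the three outcomes described in the note above (pgp present and OK, OK without pgp, NOT OK with MISSING KEYS) into an explicit check over rpm --checksig output. It assumes the output format shown on this page; later rpm releases summarise differently unless run verbosely, so the patterns would need adjusting there. The sample lines are constructed, and the file name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not AWS's own tooling): decide whether an rpm --checksig result
# proves the package carries a verified PGP signature, following the rules above.
# Assumes the output format shown on this page, e.g.
#   amazon-ssm-agent-2.3.1319.0-1.amzn2.x86_64.rpm: rsa sha1 (md5) pgp md5 OK

# Classify one line of rpm --checksig output ($1). Prints one word:
#   signed      "... pgp ... OK"           signature present and verified
#   unsigned    "... OK" with no "pgp"     digests fine, but the package is not signed
#   missingkey  "NOT OK (MISSING KEYS: ...)" the public key has not been imported
#   notok       any other "NOT OK"          digest or signature failure
#   unknown     anything else (empty output, rpm error text)
classify_checksig() {
    # Lower-case first so "PGP"/"pgp" and "OK"/"ok" compare the same way.
    lc=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$lc" in
        *"not ok"*"missing keys"*) echo missingkey ;;
        *"not ok"*)                echo notok ;;
        *" pgp "*" ok")            echo signed ;;
        *" ok")                    echo unsigned ;;
        *)                         echo unknown ;;
    esac
}

# Run rpm --checksig on package $1 and classify the result.
# Returns 0 only when the package is signed and the signature checks out.
check_rpm_signature() {
    out=$(rpm --checksig "$1" 2>&1)
    result=$(classify_checksig "$out")
    echo "$1: $result"
    [ "$result" = signed ]
}

# Usage: sh check-rpm-sig.sh amazon-ssm-agent.rpm   (placeholder file name)
if [ "$#" -eq 1 ]; then
    check_rpm_signature "$1"
fi
```

Treating "OK without pgp" as a distinct failure matters: rpm reports the digests as OK for an unsigned package, so a check that only looks for the word OK would accept a package that carries no signature at all.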