Verifying the signature of the CloudWatch agent package
GPG signature files are included for CloudWatch agent packages on Linux servers. You can use a public key to verify the agent download file is original and unmodified.
For Windows Server, you can use the MSI to verify the signature. For macOS computers, the signature is included in the agent download package.
To find the correct signature file, use the following table. For each architecture and operating system, you can see a general link and links for each Region. For example, for Amazon Linux 2023 and Amazon Linux 2 and the x86-64 architecture, three of the valid links are:
-
https://amazoncloudwatch-agent.s3.amazonaws.com/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm.sig
-
https://amazoncloudwatch-agent-us-east-1.s3.us-east-1.amazonaws.com/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm
-
https://amazoncloudwatch-agent-eu-central-1.s3.eu-central-1.amazonaws.com/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm
Note
To download the CloudWatch agent, your connection must use TLS 1.2 or later.
To verify the CloudWatch agent package on a Linux server
-
Download the public key.
-
Import the public key into your keyring.
shell$
gpg --import amazon-cloudwatch-agent.gpggpg: key 3B789C72: public key "Amazon CloudWatch Agent" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1)
Make a note of the key value, as you need it in the next step. In the preceding example, the key value is
3B789C72
. -
Verify the fingerprint by running the following command, replacing
key-value
with the value from the preceding step:shell$
gpg --fingerprintkey-value
pub 2048R/3B789C72 2017-11-14 Key fingerprint = 9376 16F3 450B 7D80 6CBD 9725 D581 6730 3B78 9C72 uid Amazon CloudWatch Agent
The fingerprint string should be equal to the following:
9376 16F3 450B 7D80 6CBD 9725 D581 6730 3B78 9C72
If the fingerprint string doesn't match, don't install the agent. Contact Amazon Web Services.
After you have verified the fingerprint, you can use it to verify the signature of the CloudWatch agent package.
-
Download the package signature file using wget. To determine the correct signature file, see the preceding table.
wget
Signature File Link
-
To verify the signature, run gpg --verify.
shell$
gpg --verifysignature-filename
agent-download-filename
gpg: Signature made Wed 29 Nov 2017 03:00:59 PM PST using RSA key ID 3B789C72 gpg: Good signature from "Amazon CloudWatch Agent" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 9376 16F3 450B 7D80 6CBD 9725 D581 6730 3B78 9C72
If the output includes the phrase
BAD signature
, check whether you performed the procedure correctly. If you continue to get this response, contact Amazon Web Services and avoid using the downloaded file.Note the warning about trust. A key is trusted only if you or someone who you trust has signed it. This doesn't mean that the signature is invalid, only that you have not verified the public key.