本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
可选:验证 Amazon SAMCLI 安装程序的完整性
使用软件包安装程序安装 Amazon Serverless Application Model 命令行界面 (Amazon SAM CLI) 时,可以在安装前验证安装程序的完整性。此步骤是可选的,但我们强烈建议您执行此步骤。
可供您使用的两个验证选项是:
-
验证软件包安装程序签名文件。
-
验证软件包安装程序的哈希值。
如果可用于您的平台,我们建议您验证签名文件选项。此选项提供额外的安全层,因为密钥值在此处发布,并且与 GitHub 存储库分开管理。
验证安装程序包签名文件
Linux
arm64:命令行安装程序
Amazon SAM 使用 GnuPG
-
使用主公钥验证签署人公钥。
-
使用签署人公钥验证 Amazon SAM CLI 软件包安装程序。
验证签署人公钥的完整性
-
复制主公钥并将其作为
.txt
文件保存到本地计算机。例如,
。primary-public-key.txt
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2.0.22 (GNU/Linux) mQINBGRuSzMBEADsqiwOy78w7F4+sshaMFRIwRGNRm94p5Qey2KMZBxekFtoryVD D9jEOnvupx4tvhfBHz5EcUHCEOdl4MTqdBy6vVAshozgxVb9RE8JpECn5lw7XC69 4Y7Gy1TKKQMEWtDXElkGxIFdUWvWjSnPlzfnoXwQYGeE93CUS3h5dImP22Yk1Ct6 eGGhlcbg1X4L8EpFMj7GvcsU8f7ziVI/PyC1Xwy39Q8/I67ip5eU5ddxO/xHqrbL YC7+8pJPbRMej2twT2LrcpWWYAbprMtRoa6WfE0/thoo3xhHpIMHdPfAA86ZNGIN kRLjGUg7jnPTRW4Oin3pCc8nT4Tfc1QERkHm641gTC/jUvpmQsM6h/FUVP2i5iE/ JHpJcMuL2Mg6zDo3x+3gTCf+Wqz3rZzxB+wQT3yryZs6efcQy7nROiRxYBxCSXX0 2cNYzsYLb/bYaW8yqWIHD5IqKhw269gp2E5Khs60zgS3CorMb5/xHgXjUCVgcu8a a8ncdf9fjl3WS5p0ohetPbO2ZjWv+MaqrZOmUIgKbA4RpWZ/fU97P5BW9ylwmIDB sWy0cMxg8MlvSdLytPieogaM0qMg3u5qXRGBr6Wmevkty0qgnmpGGc5zPiUbtOE8 CnFFqyxBpj5IOnG0KZGVihvn+iRxrv6GO7WWO92+Dc6m94U0EEiBR7QiOwARAQAB tDRBV1MgU0FNIENMSSBQcmltYXJ5IDxhd3Mtc2FtLWNsaS1wcmltYXJ5QGFtYXpv bi5jb20+iQI/BBMBCQApBQJkbkszAhsvBQkHhM4ABwsJCAcDAgEGFQgCCQoLBBYC AwECHgECF4AACgkQQv1fenOtiFqTuhAAzi5+ju5UVOWqHKevOJSO08T4QB8HcqAE SVO3mY6/j29knkcL8ubZP/DbpV7QpHPI2PB5qSXsiDTP3IYPbeY78zHSDjljaIK3 njJLMScFeGPyfPpwMsuY4nzrRIgAtXShPA8N/k4ZJcafnpNqKj7QnPxiC1KaIQWm pOtvb8msUF3/s0UTa5Ys/lNRhVC0eGg32ogXGdojZA2kHZWdm9udLo4CDrDcrQT7 NtDcJASapXSQL63XfAS3snEc4e1941YxcjfYZ33rel8K9juyDZfi1slWR/L3AviI QFIaqSHzyOtP1oinUkoVwL8ThevKD3Ag9CZflZLzNCV7yqlF8RlhEZ4zcE/3s9El WzCFsozb5HfE1AZonmrDh3SyOEIBMcS6vG5dWnvJrAuSYv2rX38++K5Pr/MIAfOX DOI1rtA+XDsHNv9lSwSy0lt+iClawZANO9IXCiN1rOYcVQlwzDFwCNWDgkwdOqS0 gOA2f8NF9lE5nBbeEuYquoOl1Vy8+ICbgOFs9LoWZlnVh7/RyY6ssowiU9vGUnHI L8f9jqRspIz/Fm3JD86ntZxLVGkeZUz62FqErdohYfkFIVcv7GONTEyrz5HLlnpv FJ0MR0HjrMrZrnOVZnwBKhpbLocTsH+3t5It4ReYEX0f1DIOL/KRwPvjMvBVkXY5 hblRVDQoOWc= =d9oG -----END PGP PUBLIC KEY BLOCK-----
-
将主公钥导入到您的密钥环中。
$
gpg --import
gpg: directory `/home/.../.gnupg' created gpg: new configuration file `/home/.../.gnupg/gpg.conf' created gpg: WARNING: options in `/home/.../.gnupg/gpg.conf' are not yet active during this run gpg: keyring `/home/.../.gnupg/secring.gpg' created gpg: keyring `/home/.../.gnupg/pubring.gpg' created gpg: /home/.../.gnupg/trustdb.gpg: trustdb created gpg: key 73AD885A: public key "AWS SAM CLI Primary <aws-sam-cli-primary@amazon.com>" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1)primary-public-key.txt
-
复制签署人公钥并将其作为
.txt
文件保存到本地计算机。例如,
。signer-public-key.txt
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2.0.22 (GNU/Linux) mQINBGRtS20BEAC7GjaAwverrB1zNEu2q3EGI6HC37WzwL5dy30f4LirZOWS3piK oKfTqPjXPrLCf1GL2mMqUSgSnpEbPNXuvWTW1CfSnnjwuH8ZqbvvUQyHJwQyYpKm KMwb+8V0bzzQkMzDVqolYQCi5XyGpAuo3wroxXSzG6r/mIhbiq3aRnL+2lo4XOYk r7q9bhBqbJhzjkm7N62PhPWmi/+/EGdEBakA1pReE+cKjP2UAp5L6CPShQl2fRKL 9BumitNfFHHs1JZgZSCCruiWny3XkUaXUEMfyoE9nNbfqNvuqV2KjWguZCXASgz2 ZSPF4DTVIBMfP+xrZGQSWdGU/67QdysDQW81TbFOjK9ZsRwwGC4kbg/K98IsCNHT ril5RZbyr8pw3fw7jYjjI2ElAacRWp53iRzvutm5AruPpLfoKDQ/tKzBUYItBwlu Z/diKgcqtw7xDlyqNyTN8xFPFqMO2I8IsZ2Pdl131htdFiZMiin1RQG9pV9p2vHS eQVY2uKCnvnA6vFCQYKXP7p0IwReuPNzDvECUsidw8VTakTqZsANT/bU17e4KuKn +JgbNrKOasJX37sDb/9ruysozLvy78ozYKJDLmC3yoRQ8DhEjviT4cnjORgNmvnZ 0a5AA/DJPQW4buRrXdxu+fITzBxQn2+GO/iDNCxtJaq5SYVBKjTmTWPUJwARAQAB tDBBV1MgU0FNIENMSSBUZWFtIDxhd3Mtc2FtLWNsaS1zaWduZXJAYW1hem9uLmNv bT6JAj8EEwEJACkFAmRtS20CGy8FCQPCZwAHCwkIBwMCAQYVCAIJCgsEFgIDAQIe AQIXgAAKCRDHoF9D/grd+lE4D/4kJW65He2LNsbLTta7lcGfsEXCf4zgIvkytS7U 3R36zMD8IEyWJjlZ+aPkIP8/jFJrFl4pVHbU7vX85Iut1vV7m+8BgWt25mJhnoJ9 KPjXGra9mYP+Cj8zFAcjvtl3NBAPodyfcfCTWsU3umF9ArOFICcrGCzHX2SS7wX5 h9n0vYRZxk5Qj5FsgskKAQLq33CKFAMlaqZnL5gWRvTeycSIxsyus+stX+8YBPCO J64f7+y+MPIP1+m2njlVXg1xLEMMVa08oWccOMiakgzDev3LCrPy+wdwdn7Ut7oA pna3DNy9aYNd2lh6vUCJeJ+Yi1Bl2jYpzLcCLKrHUmln9/rRSz7Orbg8P181kfPu G/M7CD5FwhxP3p4+0XoGwxQefrV2jqpSnbLae7xbYJiJAhbpjWDQhuNGUbPcDmqk aH0Q3XU8AonJ8YqaQ/q3VZ3JBiH3TbBrOXsvd59cwxYyf83aJ/WLCb2P8y75zDad lnOP713ThF5J/Afj9HjO9waFV0Z2W2ZZe4rU2OJTAiXEtM8xsFMrc7TCUacJtJGs u4kdBmXREcVpSz65h9ImSy2ner9qktnVVCW4mZPj63IhB37YtoLAMyz3a3R2RFNk viEX8foOTUg1FmwHoftxZ9P91QwLoTajkDrh26ueIe45sG6Uxua2AP4Vo37cFfCj ryV8OokCHAQQAQkABgUCZG5MWAAKCRBC/V96c62IWmglD/9idU43kW8Zy8Af1j8l Am3lI4d9ksOleeKRZqxo/SZ5rovF32DO2nw7XRXq1+EbhgJaI3QwwOi0U0pfAMVT 4b9TdxdH+n+tqzCHh3jZqmo9sw+c9WFXYJN1hU9bLzcHXS8hOTbyoE2EuXx56ds9 L/BWCcd+LIvapw0lggFfavVx/QF4C7nBKjnJ66+xxwfgVIKR7oGlqDiHMfp9ZWh5 HhEqZo/nrNhdY0h3sczEdqC2N6eIa8mgHffHZdKudDMXIXHbgdhW9pcZXDIktVf7 j9wehsWOyYXiRgR0dz7DI26AUG4JLh5FTtx9XuSBdEsI69Jd4dJuibmgtImzbZjn 7un8DJWIyqi7Ckk96Tr4oXB9mYAXaWlR4C9j5XJhMNZgkOycuY2DADnbGmSb+1kA ju77H4ff84+vMDwUzUt2Wwb+GjzXu2g6Wh+bWhGSirYlel+6xYrI6beu1BDCFLq+ VZFE8WggjJHpwcL7CiqadfVIQaw4HY0jQFTSdwzPWhJvYjXFOhMkyCcjssbtmB+z /otfgySyQqThrD48RWS5GuyqCA+pK3UNmEJ11c1AXMdTn2VWInR1NOJNALQ2du3y q8t1vMsErVOJ7pkZ50F4ef17PE6DKrXX8ilwGFyVuX5ddyt/t9J5pC3sRwHWXVZx GXwoX75FwIEHA3n5Q7rZ69Ea6Q== =ZIO7 -----END PGP PUBLIC KEY BLOCK-----
-
将签署人公钥导入到您的密钥环中。
$
gpg --import
gpg: key FE0ADDFA: public key "AWS SAM CLI Team <aws-sam-cli-signer@amazon.com>" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) gpg: no ultimately trusted keys foundsigner-public-key.txt
记下输出中的密钥值。例如,
。FE0ADDFA
-
使用密钥值获取并验证签署人公钥的指纹。
$
gpg --fingerprint
pub 4096R/FE0ADDFA 2023-05-23 [expires: 2025-05-22] Key fingerprint = 37D8 BE16 0355 2DA7 BD6A 04D8 C7A0 5F43 FE0A DDFA uid AWS SAM CLI Team <aws-sam-cli-signer@amazon.com>FE0ADDFA
指纹应与以下内容匹配:
37D8 BE16 0355 2DA7 BD6A 04D8 C7A0 5F43 FE0A DDFA
如果指纹字符串不匹配,请不要使用 Amazon SAM CLI 安装程序。通过在 aws-sam-cli GitHub 存储库中创建问题
来上报给 Amazon SAM 团队。 -
验证签署人公钥的签名:
$
gpg --check-sigs
pub 4096R/FE0ADDFA 2023-05-23 [expires: 2025-05-22] uid AWS SAM CLI Team <aws-sam-cli-signer@amazon.com> sig!3 FE0ADDFA 2023-05-23 AWS SAM CLI Team <aws-sam-cli-signer@amazon.com> sig! 73AD885A 2023-05-24 AWS SAM CLI Primary <aws-sam-cli-primary@amazon.com>FE0ADDFA
如果看到
1 signature not checked due to a missing key
,请重复前面的步骤,将主公钥和签署人公钥导入到密钥环中。您应该会看到列出的主公钥和签署人公钥的密钥值。
现在,您已经验证了签署人公钥的完整性,您可以使用签署人公钥来验证 Amazon SAM CLI 软件包安装程序。
验证 Amazon SAM CLI 软件包安装程序的完整性
-
获取 Amazon SAM CLI 软件包签名文件 - 使用以下命令下载 Amazon SAM CLI 软件包安装程序的签名文件:
$
wget https://github.com/aws/aws-sam-cli/releases/latest/download/aws-sam-cli-linux-arm64.zip.sig
-
验证签名文件 – 将两个下载
.sig
和.zip
文件作为参数传递给gpg
命令。以下是示例:$
gpg --verify
aws-sam-cli-linux-arm64.zip.sig aws-sam-cli-linux-arm64.zip
该输出值应该类似于以下内容:
gpg: Signature made Tue 30 May 2023 10:03:57 AM UTC using RSA key ID FE0ADDFA gpg: Good signature from "AWS SAM CLI Team <aws-sam-cli-signer@amazon.com>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 37D8 BE16 0355 2DA7 BD6A 04D8 C7A0 5F43 FE0A DDFA
消息
Good signature from "AWS SAM CLI Team <aws-sam-cli-signer@amazon.com>"
表示签名已通过验证,您可以继续安装。
x86_64 - 命令行安装程序
Amazon SAM 使用 GnuPG
-
使用主公钥验证签署人公钥。
-
使用签署人公钥验证 Amazon SAM CLI 软件包安装程序。
验证签署人公钥的完整性
-
复制主公钥并将其作为
.txt
文件保存到本地计算机。例如,
。primary-public-key.txt
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2.0.22 (GNU/Linux) mQINBGRuSzMBEADsqiwOy78w7F4+sshaMFRIwRGNRm94p5Qey2KMZBxekFtoryVD D9jEOnvupx4tvhfBHz5EcUHCEOdl4MTqdBy6vVAshozgxVb9RE8JpECn5lw7XC69 4Y7Gy1TKKQMEWtDXElkGxIFdUWvWjSnPlzfnoXwQYGeE93CUS3h5dImP22Yk1Ct6 eGGhlcbg1X4L8EpFMj7GvcsU8f7ziVI/PyC1Xwy39Q8/I67ip5eU5ddxO/xHqrbL YC7+8pJPbRMej2twT2LrcpWWYAbprMtRoa6WfE0/thoo3xhHpIMHdPfAA86ZNGIN kRLjGUg7jnPTRW4Oin3pCc8nT4Tfc1QERkHm641gTC/jUvpmQsM6h/FUVP2i5iE/ JHpJcMuL2Mg6zDo3x+3gTCf+Wqz3rZzxB+wQT3yryZs6efcQy7nROiRxYBxCSXX0 2cNYzsYLb/bYaW8yqWIHD5IqKhw269gp2E5Khs60zgS3CorMb5/xHgXjUCVgcu8a a8ncdf9fjl3WS5p0ohetPbO2ZjWv+MaqrZOmUIgKbA4RpWZ/fU97P5BW9ylwmIDB sWy0cMxg8MlvSdLytPieogaM0qMg3u5qXRGBr6Wmevkty0qgnmpGGc5zPiUbtOE8 CnFFqyxBpj5IOnG0KZGVihvn+iRxrv6GO7WWO92+Dc6m94U0EEiBR7QiOwARAQAB tDRBV1MgU0FNIENMSSBQcmltYXJ5IDxhd3Mtc2FtLWNsaS1wcmltYXJ5QGFtYXpv bi5jb20+iQI/BBMBCQApBQJkbkszAhsvBQkHhM4ABwsJCAcDAgEGFQgCCQoLBBYC AwECHgECF4AACgkQQv1fenOtiFqTuhAAzi5+ju5UVOWqHKevOJSO08T4QB8HcqAE SVO3mY6/j29knkcL8ubZP/DbpV7QpHPI2PB5qSXsiDTP3IYPbeY78zHSDjljaIK3 njJLMScFeGPyfPpwMsuY4nzrRIgAtXShPA8N/k4ZJcafnpNqKj7QnPxiC1KaIQWm pOtvb8msUF3/s0UTa5Ys/lNRhVC0eGg32ogXGdojZA2kHZWdm9udLo4CDrDcrQT7 NtDcJASapXSQL63XfAS3snEc4e1941YxcjfYZ33rel8K9juyDZfi1slWR/L3AviI QFIaqSHzyOtP1oinUkoVwL8ThevKD3Ag9CZflZLzNCV7yqlF8RlhEZ4zcE/3s9El WzCFsozb5HfE1AZonmrDh3SyOEIBMcS6vG5dWnvJrAuSYv2rX38++K5Pr/MIAfOX DOI1rtA+XDsHNv9lSwSy0lt+iClawZANO9IXCiN1rOYcVQlwzDFwCNWDgkwdOqS0 gOA2f8NF9lE5nBbeEuYquoOl1Vy8+ICbgOFs9LoWZlnVh7/RyY6ssowiU9vGUnHI L8f9jqRspIz/Fm3JD86ntZxLVGkeZUz62FqErdohYfkFIVcv7GONTEyrz5HLlnpv FJ0MR0HjrMrZrnOVZnwBKhpbLocTsH+3t5It4ReYEX0f1DIOL/KRwPvjMvBVkXY5 hblRVDQoOWc= =d9oG -----END PGP PUBLIC KEY BLOCK-----
-
将主公钥导入到您的密钥环中。
$
gpg --import
gpg: directory `/home/.../.gnupg' created gpg: new configuration file `/home/.../.gnupg/gpg.conf' created gpg: WARNING: options in `/home/.../.gnupg/gpg.conf' are not yet active during this run gpg: keyring `/home/.../.gnupg/secring.gpg' created gpg: keyring `/home/.../.gnupg/pubring.gpg' created gpg: /home/.../.gnupg/trustdb.gpg: trustdb created gpg: key 73AD885A: public key "AWS SAM CLI Primary <aws-sam-cli-primary@amazon.com>" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1)primary-public-key.txt
-
复制签署人公钥并将其作为
.txt
文件保存到本地计算机。例如,
。signer-public-key.txt
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2.0.22 (GNU/Linux) mQINBGRtS20BEAC7GjaAwverrB1zNEu2q3EGI6HC37WzwL5dy30f4LirZOWS3piK oKfTqPjXPrLCf1GL2mMqUSgSnpEbPNXuvWTW1CfSnnjwuH8ZqbvvUQyHJwQyYpKm KMwb+8V0bzzQkMzDVqolYQCi5XyGpAuo3wroxXSzG6r/mIhbiq3aRnL+2lo4XOYk r7q9bhBqbJhzjkm7N62PhPWmi/+/EGdEBakA1pReE+cKjP2UAp5L6CPShQl2fRKL 9BumitNfFHHs1JZgZSCCruiWny3XkUaXUEMfyoE9nNbfqNvuqV2KjWguZCXASgz2 ZSPF4DTVIBMfP+xrZGQSWdGU/67QdysDQW81TbFOjK9ZsRwwGC4kbg/K98IsCNHT ril5RZbyr8pw3fw7jYjjI2ElAacRWp53iRzvutm5AruPpLfoKDQ/tKzBUYItBwlu Z/diKgcqtw7xDlyqNyTN8xFPFqMO2I8IsZ2Pdl131htdFiZMiin1RQG9pV9p2vHS eQVY2uKCnvnA6vFCQYKXP7p0IwReuPNzDvECUsidw8VTakTqZsANT/bU17e4KuKn +JgbNrKOasJX37sDb/9ruysozLvy78ozYKJDLmC3yoRQ8DhEjviT4cnjORgNmvnZ 0a5AA/DJPQW4buRrXdxu+fITzBxQn2+GO/iDNCxtJaq5SYVBKjTmTWPUJwARAQAB tDBBV1MgU0FNIENMSSBUZWFtIDxhd3Mtc2FtLWNsaS1zaWduZXJAYW1hem9uLmNv bT6JAj8EEwEJACkFAmRtS20CGy8FCQPCZwAHCwkIBwMCAQYVCAIJCgsEFgIDAQIe AQIXgAAKCRDHoF9D/grd+lE4D/4kJW65He2LNsbLTta7lcGfsEXCf4zgIvkytS7U 3R36zMD8IEyWJjlZ+aPkIP8/jFJrFl4pVHbU7vX85Iut1vV7m+8BgWt25mJhnoJ9 KPjXGra9mYP+Cj8zFAcjvtl3NBAPodyfcfCTWsU3umF9ArOFICcrGCzHX2SS7wX5 h9n0vYRZxk5Qj5FsgskKAQLq33CKFAMlaqZnL5gWRvTeycSIxsyus+stX+8YBPCO J64f7+y+MPIP1+m2njlVXg1xLEMMVa08oWccOMiakgzDev3LCrPy+wdwdn7Ut7oA pna3DNy9aYNd2lh6vUCJeJ+Yi1Bl2jYpzLcCLKrHUmln9/rRSz7Orbg8P181kfPu G/M7CD5FwhxP3p4+0XoGwxQefrV2jqpSnbLae7xbYJiJAhbpjWDQhuNGUbPcDmqk aH0Q3XU8AonJ8YqaQ/q3VZ3JBiH3TbBrOXsvd59cwxYyf83aJ/WLCb2P8y75zDad lnOP713ThF5J/Afj9HjO9waFV0Z2W2ZZe4rU2OJTAiXEtM8xsFMrc7TCUacJtJGs u4kdBmXREcVpSz65h9ImSy2ner9qktnVVCW4mZPj63IhB37YtoLAMyz3a3R2RFNk viEX8foOTUg1FmwHoftxZ9P91QwLoTajkDrh26ueIe45sG6Uxua2AP4Vo37cFfCj ryV8OokCHAQQAQkABgUCZG5MWAAKCRBC/V96c62IWmglD/9idU43kW8Zy8Af1j8l Am3lI4d9ksOleeKRZqxo/SZ5rovF32DO2nw7XRXq1+EbhgJaI3QwwOi0U0pfAMVT 4b9TdxdH+n+tqzCHh3jZqmo9sw+c9WFXYJN1hU9bLzcHXS8hOTbyoE2EuXx56ds9 L/BWCcd+LIvapw0lggFfavVx/QF4C7nBKjnJ66+xxwfgVIKR7oGlqDiHMfp9ZWh5 HhEqZo/nrNhdY0h3sczEdqC2N6eIa8mgHffHZdKudDMXIXHbgdhW9pcZXDIktVf7 j9wehsWOyYXiRgR0dz7DI26AUG4JLh5FTtx9XuSBdEsI69Jd4dJuibmgtImzbZjn 7un8DJWIyqi7Ckk96Tr4oXB9mYAXaWlR4C9j5XJhMNZgkOycuY2DADnbGmSb+1kA ju77H4ff84+vMDwUzUt2Wwb+GjzXu2g6Wh+bWhGSirYlel+6xYrI6beu1BDCFLq+ VZFE8WggjJHpwcL7CiqadfVIQaw4HY0jQFTSdwzPWhJvYjXFOhMkyCcjssbtmB+z /otfgySyQqThrD48RWS5GuyqCA+pK3UNmEJ11c1AXMdTn2VWInR1NOJNALQ2du3y q8t1vMsErVOJ7pkZ50F4ef17PE6DKrXX8ilwGFyVuX5ddyt/t9J5pC3sRwHWXVZx GXwoX75FwIEHA3n5Q7rZ69Ea6Q== =ZIO7 -----END PGP PUBLIC KEY BLOCK-----
-
将签署人公钥导入到您的密钥环中。
$
gpg --import
gpg: key FE0ADDFA: public key "AWS SAM CLI Team <aws-sam-cli-signer@amazon.com>" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) gpg: no ultimately trusted keys foundsigner-public-key.txt
记下输出中的密钥值。例如,
。FE0ADDFA
-
使用密钥值获取并验证签署人公钥的指纹。
$
gpg --fingerprint
pub 4096R/FE0ADDFA 2023-05-23 [expires: 2025-05-22] Key fingerprint = 37D8 BE16 0355 2DA7 BD6A 04D8 C7A0 5F43 FE0A DDFA uid AWS SAM CLI Team <aws-sam-cli-signer@amazon.com>FE0ADDFA
指纹应与以下内容匹配:
37D8 BE16 0355 2DA7 BD6A 04D8 C7A0 5F43 FE0A DDFA
如果指纹字符串不匹配,请不要使用 Amazon SAM CLI 安装程序。通过在 aws-sam-cli GitHub 存储库中创建问题
来上报给 Amazon SAM 团队。 -
验证签署人公钥的签名:
$
gpg --check-sigs
pub 4096R/FE0ADDFA 2023-05-23 [expires: 2025-05-22] uid AWS SAM CLI Team <aws-sam-cli-signer@amazon.com> sig!3 FE0ADDFA 2023-05-23 AWS SAM CLI Team <aws-sam-cli-signer@amazon.com> sig! 73AD885A 2023-05-24 AWS SAM CLI Primary <aws-sam-cli-primary@amazon.com>FE0ADDFA
如果看到
1 signature not checked due to a missing key
,请重复前面的步骤,将主公钥和签署人公钥导入到密钥环中。您应该会看到列出的主公钥和签署人公钥的密钥值。
现在,您已经验证了签署人公钥的完整性,您可以使用签署人公钥来验证 Amazon SAM CLI 软件包安装程序。
验证 Amazon SAM CLI 软件包安装程序的完整性
-
获取 Amazon SAM CLI 软件包签名文件 - 使用以下命令下载 Amazon SAM CLI 软件包安装程序的签名文件:
$
wget https://github.com/aws/aws-sam-cli/releases/latest/download/aws-sam-cli-linux-x86_64.zip.sig
-
验证签名文件 – 将两个下载
.sig
和.zip
文件作为参数传递给gpg
命令。以下是示例:$
gpg --verify
aws-sam-cli-linux-x86_64.zip.sig aws-sam-cli-linux-x86_64.zip
该输出值应该类似于以下内容:
gpg: Signature made Tue 30 May 2023 10:03:57 AM UTC using RSA key ID FE0ADDFA gpg: Good signature from "AWS SAM CLI Team <aws-sam-cli-signer@amazon.com>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 37D8 BE16 0355 2DA7 BD6A 04D8 C7A0 5F43 FE0A DDFA
消息
Good signature from "AWS SAM CLI Team <aws-sam-cli-signer@amazon.com>"
表示签名已通过验证,您可以继续安装。
macOS
GUI 和命令行安装程序
您可以使用 pkgutil
工具或手动验证 Amazon SAM CLI 软件包安装程序签名文件的完整性。
使用 pkgutil 进行验证
-
运行以下命令,提供下载的安装程序在本地计算机上的路径:
$
pkgutil --check-signature
/path/to/aws-sam-cli-installer.pkg
以下是示例:
$
pkgutil --check-signature
/Users/user/Downloads/aws-sam-cli-macos-arm64.pkg
-
从输出中找到 Developer ID Installer: AMZN Mobile LLC 的 SHA256 fingerprint。以下是示例:
Package "aws-sam-cli-macos-arm64.pkg": Status: signed by a developer certificate issued by Apple for distribution Notarization: trusted by the Apple notary service Signed with a trusted timestamp on: 2023-05-16 20:29:29 +0000 Certificate Chain: 1. Developer ID Installer: AMZN Mobile LLC (94KV3E626L) Expires: 2027-06-28 22:57:06 +0000 SHA256 Fingerprint: 49 68 39 4A BA 83 3B F0 CC 5E 98 3B E7 C1 72 AC 85 97 65 18 B9 4C BA 34 62 BF E9 23 76 98 C5 DA ------------------------------------------------------------------------ 2. Developer ID Certification Authority Expires: 2031-09-17 00:00:00 +0000 SHA256 Fingerprint: F1 6C D3 C5 4C 7F 83 CE A4 BF 1A 3E 6A 08 19 C8 AA A8 E4 A1 52 8F D1 44 71 5F 35 06 43 D2 DF 3A ------------------------------------------------------------------------ 3. Apple Root CA Expires: 2035-02-09 21:40:36 +0000 SHA256 Fingerprint: B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C 68 C5 BE 91 B5 A1 10 01 F0 24
-
Developer ID Installer: AMZN Mobile LLC SHA256 fingerprint 应匹配以下值:
49 68 39 4A BA 83 3B F0 CC 5E 98 3B E7 C1 72 AC 85 97 65 18 B9 4C BA 34 62 BF E9 23 76 98 C5 DA
如果指纹字符串不匹配,请不要使用 Amazon SAM CLI 安装程序。通过在 aws-sam-cli GitHub 存储库中创建问题
来上报给 Amazon SAM 团队。如果指纹字符串匹配,您可以继续使用软件包安装程序。
手动验证软件包安装程序
-
请参阅 Apple 支持网站上的如何验证手动下载的 Apple 软件更新的真实性
。
Windows
对于 Windows 操作系统,Amazon SAM CLI 安装程序打包为 MSI 文件。
验证安装程序的完整性
-
右键单击安装程序,打开属性窗口。
-
选择数字签名选项卡。
-
在签名列表中,选择 Amazon Web Services, Inc.,然后选择详细信息。
-
选择常规选项卡 (如果尚未选择),然后选择查看证书。
-
选择详细信息选项卡,然后选择显示下拉列表中的全部 (如果尚未选择)。
-
向下滚动直至您看到指纹字段,然后选择指纹。这将在下部窗口中显示整个指纹值。
-
将指纹值与以下值进行匹配。如果值匹配,就继续安装。如果不匹配,请通过在 aws-sam-cli GitHub 存储库中创建问题
来上报给 Amazon SAM 团队。 d52eb68bffe6ae165b3b05c3e1f9cc66da7eeac0
验证哈希值
Linux
x86_64 - 命令行安装程序
使用以下命令生成哈希值,验证下载的安装程序文件的完整性和真实性:
$
sha256sum aws-sam-cli-linux-x86_64.zip
输出应与以下示例类似:
<64-character SHA256 hash value>
aws-sam-cli-linux-x86_64.zip
将包含 64 个字符的 SHA-256 哈希值与您所需的 Amazon SAM CLI 版本在 GitHub 上的Amazon SAM CLI 发布说明
macOS
GUI 和命令行安装程序
使用以下命令生成哈希值,验证下载的安装程序的完整性和真实性:
$
shasum -a 256
# Examplespath-to-pkg-installer
/name-of-pkg-installer
$
shasum -a 256
~/Downloads/
aws-sam-cli-macos-arm64.pkg$
shasum -a 256
~/Downloads/
aws-sam-cli-macos-x86_64.pkg
将包含 64 个字符的 SHA-256 哈希值与 GitHub 存储库上的 Amazon SAM CLI 发布说明