Verifying the signature of SSM Agent - Amazon Systems Manager
Verifying the signature of SSM Agent

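The Amazon Systems Manager Agent (SSM Agent) deb and rpm installer packages for Linux instances are cryptographically signed. You can use a public key to verify that the agent package is original and unmodified. If the files are damaged or altered in any way, verification fails. You can verify the signature of the installer package using either RPM or GPG.

To find the correct signature file for your instance's architecture and operating system, see the following table.

region represents the identifier for an Amazon Web Services Region supported by Amazon Systems Manager, such as us-east-2 for the US East (Ohio) Region. For a list of supported region values, see the Region column in Systems Manager service endpoints in the Amazon Web Services General Reference.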

| Architecture | Operating system | Signature file URL | Agent download file name |
| --- | --- | --- | --- |
| Intel 64-bit (x86_64) | Amazon Linux, Amazon Linux 2, CentOS, RHEL, Oracle Linux, SLES | https://s3.region.amazonaws.com/amazon-ssm-region/latest/linux_amd64/amazon-ssm-agent.rpm.sig<br>https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm.sig | amazon-ssm-agent.rpm |
| Intel 64-bit (x86_64) | Debian Server, Ubuntu Server | https://s3.region.amazonaws.com/amazon-ssm-region/latest/debian_amd64/amazon-ssm-agent.deb.sig<br>https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb.sig | amazon-ssm-agent.deb |
| Intel 32-bit (x86) | Amazon Linux, Amazon Linux 2, CentOS, RHEL | https://s3.region.amazonaws.com/amazon-ssm-region/latest/linux_386/amazon-ssm-agent.rpm.sig<br>https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_386/amazon-ssm-agent.rpm.sig | amazon-ssm-agent.rpm |
| Intel 32-bit (x86) | Ubuntu Server | https://s3.region.amazonaws.com/amazon-ssm-region/latest/debian_386/amazon-ssm-agent.deb.sig<br>https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_386/amazon-ssm-agent.deb.sig | amazon-ssm-agent.deb |
| ARM 64-bit (arm64) | Amazon Linux, Amazon Linux 2, CentOS, RHEL | https://s3.region.amazonaws.com/amazon-ssm-region/latest/linux_arm64/amazon-ssm-agent.rpm.sig<br>https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_arm64/amazon-ssm-agent.rpm.sig | amazon-ssm-agent.rpm |

GPG

To verify the SSM Agent package on a Linux server

  1. Copy the following public key and save it to a file named amazon-ssm-agent.gpg.

  2. Import the public key into your keyring, and note the returned key value.

    gpg --import amazon-ssm-agent.gpg
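  3. Verify the fingerprint. Be sure to replace key-value with the value from the preceding step. We recommend that you use GPG to verify the fingerprint even if you use RPM to verify the installer package.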

    gpg --fingerprint key-value

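    This command returns output similar to the following:

    pub 2048R/693ECA21 2020-10-06 [expires: 2022-03-29]
    Key fingerprint = 8108 A07A 9EBE 248E 3F1C 63F2 54F4 F56E 693E CA21
    uid SSM Agent <ssm-agent-signer@amazon.com>

    The fingerprint should match the following.

    8108 A07A 9EBE 248E 3F1C 63F2 54F4 F56E 693E CA21

    If the fingerprint doesn't match, don't install the agent. Contact Amazon Web Services Support.

  4. Download the signature file for your instance's architecture and operating system, if you haven't already done so.

  5. Verify the installer package signature. Be sure to replace signature-filename and agent-download-filename with the values you specified when you downloaded the signature file and agent.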

    gpg --verify signature-filename agent-download-filename

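    This command returns output similar to the following:

    gpg: Signature made Wed 07 Oct 2020 05:52:47 PM UTC using RSA key ID 693ECA21
    gpg: Good signature from "SSM Agent <ssm-agent-signer@amazon.com>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 8108 A07A 9EBE 248E 3F1C 63F2 54F4 F56E 693E CA21

    If the output includes the phrase BAD signature, check whether you performed the procedure correctly. If you continue to get this response, contact Amazon Web Services Support and don't install the agent. The warning message about trust doesn't mean that the signature is not valid, only that you have not verified the public key. A key is trusted only if you or someone you trust has signed it.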

RPM

To verify the SSM Agent package on a Linux server

  1. Copy the following public key and save it to a file named amazon-ssm-agent.gpg.

  2. Import the public key into your keyring, and note the returned key value.

    rpm --import amazon-ssm-agent.gpg
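  3. Verify the fingerprint. Be sure to replace key-value with the value from the preceding step. We recommend that you use GPG to verify the fingerprint even if you use RPM to verify the installer package.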

    gpg --fingerprint key-value

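    This command returns output similar to the following:

    pub 2048R/693ECA21 2020-10-06 [expires: 2022-03-29]
    Key fingerprint = 8108 A07A 9EBE 248E 3F1C 63F2 54F4 F56E 693E CA21
    uid SSM Agent <ssm-agent-signer@amazon.com>

    The fingerprint should match the following.

    8108 A07A 9EBE 248E 3F1C 63F2 54F4 F56E 693E CA21

    If the fingerprint doesn't match, don't install the agent. Contact Amazon Web Services Support.

  4. Verify the installer package signature. Be sure to replace the signature file name and agent-download-filename with the values you specified when you downloaded the signature file and agent.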

    rpm --checksig agent-download-filename

    This command returns output similar to the following:

    amazon-ssm-agent-2.3.1319.0-1.amzn2.x86_64.rpm: rsa sha1 (md5) pgp md5 OK

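    If pgp is missing from the output and you have imported the public key, then the agent isn't signed. If the output contains the phrase NOT OK (MISSING KEYS: (MD5) key-id), check whether you performed the procedure correctly. If you continue to get this response, contact Amazon Web Services Support and don't install the agent.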
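
The GPG procedure above can be scripted so that the key file's fingerprint is checked in a throwaway keyring before anything is trusted, and the result is read from gpg's machine-readable status lines instead of the human-readable text. This is an added example, not part of the AWS documentation: the function names and the temporary-keyring approach are assumptions, the pinned fingerprint is the one published on this page, and a signature from an expired or revoked key is treated as a failure.

```sh
#!/bin/sh
# Added example (not AWS code). Fingerprint pinned from the value on this page.
EXPECTED_FPR="8108 A07A 9EBE 248E 3F1C 63F2 54F4 F56E 693E CA21"

# Strip whitespace and upper-case hex so differently formatted fingerprints compare equal.
normalize_fpr() { printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'; }

# stdin: `gpg --with-colons --fingerprint` output. Prints primary-key fingerprints only
# (the fpr record directly after a pub record; subkey fpr records are skipped).
key_fprs() { awk -F: '$1=="pub"{p=1; next} $1=="fpr"&&p{print $10} {p=0}'; }

# stdin: `gpg --status-fd 1 --verify` output; $1: expected fingerprint.
# Succeeds only if VALIDSIG names the pinned key and no failure status is present.
status_ok() {
  awk -v want="$(normalize_fpr "$1")" '
    $1 != "[GNUPG:]" { next }
    $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
    $2 == "VALIDSIG" && ($3 == want || $NF == want) { good = 1 }
    END { exit !(good && !bad) }'
}

# usage: verify_ssm_package KEYFILE SIGNATURE-FILE AGENT-PACKAGE
# Runs in a subshell with a temporary keyring that holds only the supplied key.
verify_ssm_package() (
  home=$(mktemp -d) || exit 2
  trap 'rm -rf "$home"' EXIT
  gpg --homedir "$home" --batch --quiet --import "$1" 2>/dev/null || exit 2
  got=$(gpg --homedir "$home" --batch --with-colons --fingerprint 2>/dev/null | key_fprs)
  # A key file with a different key, or with more than one key, fails this comparison.
  if [ "$got" != "$(normalize_fpr "$EXPECTED_FPR")" ]; then
    echo "fingerprint mismatch: do not install the agent" >&2
    exit 1
  fi
  gpg --homedir "$home" --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null |
    status_ok "$EXPECTED_FPR"
)

if [ "$#" -eq 3 ]; then
  verify_ssm_package "$@"
fi
```

The script exits 0 only when both the fingerprint check and the signature check pass, so it can gate a package install step in provisioning automation.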