Beginning with AppDynamics Pro 4.3.3, AppDynamics uses PGP to sign the following agent packages:
The AppDynamics PGP public key is hosted on https://pgp.mit.edu under the User ID "help@appdynamics.com":
https://pgp.mit.edu/pks/lookup?search=help%40appdynamics.com&op=index
This tutorial walks you through using the AppDynamics public key to validate your software downloads. It is not meant as a security recommendation. Be sure to follow the security standards for your organization when you validate software downloads.
You can use GNU Privacy Guard (GPG) to validate downloads against the AppDynamics public key. This example uses GPG for Mac. It assumes that you understand how to download GPG and run GPG commands on your operating system.
1. Install the AppDynamics public key:
gpg --keyserver pgp.mit.edu --recv-key 0x23eacb9fb2925351
GPG imports the AppDynamics public key to the default keyring. You can run the following command to see installed keys:
gpg -k
The list of keys includes the AppDynamics key:
pub 1024D/B2925351 2015-05-29
uid [ unknown] AppDynamics Inc (maven) <help@appdynamics.com>
sub 2048g/DC436253 2015-05-29
2. PGP uses a web of trust to ensure the validity of a signature. For the sake of the tutorial, trust the AppDynamics key ultimately:
gpg --edit-key help@appdynamics.com trust
See the PGP documentation for more information on the web of trust. https://www.gnupg.org/gph/en/manual/x334.html
3. Quit GPG.
4. If the distribution package is a zip file, unzip the files. See package installation instructions for more information.
5. Validate the signature file (.asc) included in the download package.
For example, if you have unzipped the Java Agent:
gpg --verify /usr/local/appdynamics/appagent/ver4.3.3.0/javaagent.jar.asc /usr/local/appdynamics/appagent/ver4.3.3.0/javaagent.jar
Or for the Standalone Machine Agent:
gpg --verify /usr/local/appdynamics/machineagent/machineagent.jar.asc /usr/local/appdynamics/machineagent/machineagent.jar
Or for the Python Agent:
gpg --verify appdynamics-4.3.3.0-py2.py3-none-any.whl.asc appdynamics-4.3.3.0-py2.py3-none-any.whl
GPG validates the signature:
gpg: Signature made Tue Jun 6 17:55:46 2017 CDT using DSA key ID B2925351
gpg: Good signature from "AppDynamics Inc (maven) <help@appdynamics.com>" [ultimate]
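For scripted verification, the check in step 5 can be tied to one specific key, because GPG prints "Good signature" for any key present in the keyring. The following is an added example, not AppDynamics code: it reads the output of gpg --status-fd and accepts only a VALIDSIG line whose primary-key fingerprint equals a pinned 40-digit value. The function names, the sample fingerprint and the sample status lines are constructed for illustration; substitute the full fingerprint of the AppDynamics key as obtained from a source you trust.

```shell
#!/bin/sh
# Added example (not AppDynamics code). Decides pass/fail from GnuPG's
# machine-readable status lines rather than the "Good signature" text.

# sig_ok PINNED_FPR   (reads `gpg --status-fd 1 --verify ...` output on stdin)
# Returns 0 only when a VALIDSIG line names PINNED_FPR as the primary key and
# no BADSIG/ERRSIG/EXPSIG/EXPKEYSIG/REVKEYSIG line is present; 2 on a bad pin.
sig_ok() {
    pin=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    # Require a full 40-hex-digit fingerprint; short key IDs are not accepted.
    [ "${#pin}" -eq 40 ] || return 2
    awk -v pin="$pin" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # The last VALIDSIG field is the fingerprint of the primary key.
        $2 == "VALIDSIG" && $NF == pin { good = 1 }
        END { if (good && !bad) exit 0; exit 1 }
    '
}

# verify_download SIGFILE DATAFILE PINNED_FPR  (hypothetical wrapper name)
verify_download() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | sig_ok "$3"
}

# Constructed fingerprint and status output; NOT the AppDynamics key.
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
sample_good() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>' \
        "[GNUPG:] VALIDSIG $SAMPLE_FPR 2017-07-14 1500000000 0 4 0 17 2 00 $SAMPLE_FPR"
}
sample_bad() {
    printf '%s\n' '[GNUPG:] NEWSIG' \
        '[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>'
}

sample_good | sig_ok "$SAMPLE_FPR" && echo "pinned key: signature accepted"
sample_bad | sig_ok "$SAMPLE_FPR" || echo "bad signature: rejected"
```

With a pinned fingerprint the result no longer depends on the trust level assigned in step 2.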
If you download the Standalone Machine Agent rpm package from the AppDynamics Download Center, you can use rpm to validate your download against the AppDynamics public key.
1. Download the key. For the sake of the tutorial, you can copy the contents of the following URL to a file called "appd.sig":
https://pgp.mit.edu/pks/lookup?op=get&search=0x23EACB9FB2925351
2. Import the key into your rpm database:
rpm --import appd.sig
You can run the following command to see a list of installed keys:
rpm -qa gpg-pubkey\*
The list of keys includes the AppDynamics key:
gpg-pubkey-b2925351-5568d8d8
3. Validate the Standalone Machine Agent package you downloaded as follows:
rpm -K appdynamics-machine-agent-4.3.3.0-1.x86_64.rpm
rpm displays the validation information:
appdynamics-machine-agent-4.3.3.0-1.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK