Verify AppDynamics Software Downloads with PGP

Beginning with AppDynamics Pro 4.3.3, AppDynamics uses PGP to sign the following agent packages:

 

  • Java Agent
  • Machine Agent
  • Python Agent pip package
  • Machine Agent rpm package 

 

The AppDynamics PGP public key is hosted on https://pgp.mit.edu under the User ID "help@appdynamics.com":

 

  https://pgp.mit.edu/pks/lookup?search=help%40appdynamics.com&op=index 

 

This tutorial walks you through using the AppDynamics public key to validate your software downloads. It is not meant as a security recommendation. Be sure to follow the security standards for your organization when you validate software downloads.

 

Validate with GNU Privacy Guard

You can use GNU Privacy Guard (GPG) to validate downloads against the AppDynamics public key. This example uses GPG for Mac. It assumes that you understand how to download GPG and run GPG commands on your operating system.

 

1. Install the AppDynamics public key:

 

gpg --keyserver pgp.mit.edu --recv-key 0x23eacb9fb2925351

    GPG imports the AppDynamics public key to the default keyring. You can run the following command to see installed keys:

 

gpg -k

   The list of keys includes the AppDynamics key:

 

pub   1024D/B2925351 2015-05-29

uid       [ unknown] AppDynamics Inc (maven) <help@appdynamics.com>

sub   2048g/DC436253 2015-05-29

 

2. PGP uses a web of trust to ensure the validity of a signature. For the sake of the tutorial, trust the AppDynamics key ultimately:

 

 gpg --edit-key help@appdynamics.com trust 
  • Enter 5 for “I trust ultimately” for the trust level.
  • Answer “y” to set the key to ultimate trust.

See the PGP documentation for more information on the web of trust. https://www.gnupg.org/gph/en/manual/x334.html

 

3. Quit GPG.

 

4. If the distribution package is a zip file, unzip the files. See package installation instructions for more information.

 

5. Validate the signature file (.asc) included in the download package.

 

For example, if you have unzipped the Java Agent:

 

gpg --verify /usr/local/appdynamics/appagent/ver4.3.3.0/javaagent.jar.asc /usr/local/appdynamics/appagent/ver4.3.3.0/javaagent.jar

 

Or for the Standalone Machine Agent:

 

gpg --verify /usr/local/appdynamics/machineagent/machineagent.jar.asc /usr/local/appdynamics/machineagent/machineagent.jar

 

 

Or for the Python Agent:

 

gpg --verify appdynamics-4.3.3.0-py2.py3-none-any.whl.asc appdynamics-4.3.3.0-py2.py3-none-any.whl

 

GPG validates the signature:

 

gpg: Signature made Tue Jun  6 17:55:46 2017 CDT using DSA key ID B2925351

gpg: Good signature from "AppDynamics Inc (maven) <help@appdynamics.com>" [ultimate]
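
The following script is an added example, not AppDynamics code: it runs the same `gpg --verify` check in a temporary keyring and accepts the result only if GnuPG's machine-readable status output reports a good signature made by the key whose long key ID appears in step 1. It assumes a local copy of the exported public key (the file name `appd.sig` in the usage comment is illustrative); the function names are hypothetical.

```sh
#!/bin/sh
# Added example: verify a download against a pinned key ID in a throwaway keyring.
EXPECTED_KEYID="23EACB9FB2925351"   # long key ID from the --recv-key step on this page

# check_status KEYID: read `gpg --status-fd` lines on stdin. Succeeds only when
# GnuPG reported GOODSIG, the VALIDSIG fingerprint ends in KEYID, and no
# BADSIG / ERRSIG / EXPKEYSIG / REVKEYSIG line is present.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "GOODSIG" { good = 1 }
        $2 == "VALIDSIG" {
            fpr = toupper($3); id = toupper(want)
            if (length(fpr) >= length(id) &&
                substr(fpr, length(fpr) - length(id) + 1) == id) keyok = 1
        }
        END { exit ((good && keyok && !bad) ? 0 : 1) }
    '
}

# verify_download KEYFILE SIGFILE DATAFILE
# KEYFILE is a local copy of the exported public key (hypothetical name).
verify_download() {
    home=$(mktemp -d) || return 1          # isolated keyring, removed afterwards
    gpg --homedir "$home" --batch --quiet --import "$1" 2>/dev/null
    gpg --homedir "$home" --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null |
        check_status "$EXPECTED_KEYID"
    rc=$?
    rm -rf "$home"
    return "$rc"
}

# Run only when called with three arguments, e.g.:
#   sh verify.sh appd.sig javaagent.jar.asc javaagent.jar
if [ "$#" -eq 3 ]; then
    verify_download "$@" && echo "signature OK, key ID matches" ||
        { echo "verification FAILED"; exit 1; }
fi
```

Because the script keys off the status lines rather than the `[ultimate]` label, it does not require changing owner trust in your default keyring.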

Validate with RPM 

If you download the Standalone Machine Agent rpm package from the AppDynamics Download Center, you can use rpm to validate your download against the AppDynamics public key.

 

1. Download the key. For the sake of the tutorial, you can copy the contents of the following URL to a file called "appd.sig":

https://pgp.mit.edu/pks/lookup?op=get&search=0x23EACB9FB2925351

 

2. Import the key into your rpm database:

 

rpm --import appd.sig

You can run the following command to see a list of installed keys:

 

rpm -qa gpg-pubkey\*

The list of keys includes the AppDynamics key:

 

gpg-pubkey-b2925351-5568d8d8 

 

3. Validate the Standalone Machine Agent package you downloaded as follows:

 

rpm -K appdynamics-machine-agent-4.3.3.0-1.x86_64.rpm

rpm displays the validation information:

 

appdynamics-machine-agent-4.3.3.0-1.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK
