Verify AppDynamics Software Downloads with PGP

Beginning with AppDynamics Pro 4.3.3, AppDynamics uses PGP to sign the following agent packages:

 

  • Java Agent
  • Machine Agent
  • Python Agent pip package
  • Machine Agent rpm package 

 

The AppDynamics PGP public key is hosted on https://pgp.mit.edu under the User ID "help@appdynamics.com":

  https://pgp.mit.edu/pks/lookup?search=help%40appdynamics.com&op=index 

 

This tutorial walks you through using AppDynamics' public key to validate your software downloads. It is not meant as a security recommendation. Be sure to follow the security standards for your organization when you validate software downloads.

 

Validate with GNU Privacy Guard

You can use GNU Privacy Guard (GPG) to validate downloads against the AppDynamics public key. This example uses GPG for Mac. It assumes that you understand how to download GPG and run GPG commands on your operating system.

 

  1. Install the AppDynamics public key:
    gpg --keyserver pgp.mit.edu --recv-key 0x23eacb9fb2925351


    GPG imports the AppDynamics public key to the default keyring. You can run the following command to see installed keys:

    gpg -k


    The list of keys includes the AppDynamics key:
    pub   1024D/B2925351 2015-05-29
    uid   [ unknown] AppDynamics Inc (maven) <help@appdynamics.com>
    sub   2048g/DC436253 2015-05-29


  2. PGP uses a web of trust to ensure the validity of a signature. For the sake of the tutorial, trust the AppDynamics key ultimately:
    gpg --edit-key help@appdynamics.com trust
  3. Quit GPG.
  4. If the distribution package is a zip file, unzip the files. See package installation instructions for more information.
  5. Validate the signature file (.asc) included in the download package.

    For example, if you have unzipped any of the following Agents: 
    Java Agent:
    gpg --verify /usr/local/appdynamics/appagent/ver4.3.3.0/javaagent.jar.asc /usr/local/appdynamics/appagent/ver4.3.3.0/javaagent.jar


    Machine Agent:

    gpg --verify /usr/local/appdynamics/machineagent/machineagent.jar.asc /usr/local/appdynamics/machineagent/machineagent.jar


    Python Agent:

    gpg --verify appdynamics-4.3.3.0-py2.py3-none-any.whl.asc appdynamics-4.3.3.0-py2.py3-none-any.whl


    Then GPG validates the signature:
    gpg: Signature made Tue Jun  6 17:55:46 2017 CDT using DSA key ID B2925351
    gpg: Good signature from "AppDynamics Inc (maven) <help@appdynamics.com>" [ultimate]
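
An added example, not part of the original article or AppDynamics' own tooling: a POSIX shell check that accepts a download only when gpg's `--status-fd` output reports a valid signature from the expected key, so the result does not depend on the trust level set in step 2. The function names and the sample status lines are assumptions constructed for illustration; the key ID is the one from step 1.

```shell
#!/bin/sh
# Added example (not AppDynamics code): decide on gpg's machine-readable
# --status-fd output instead of the "Good signature" text or a trust setting.

# check_status EXPECTED_KEY
# Reads `gpg --status-fd` lines on stdin. Succeeds only when every VALIDSIG
# fingerprint ends in EXPECTED_KEY (long key ID or full fingerprint, optional
# 0x prefix) and no bad/expired/revoked status appears.
check_status() {
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    want=${want#0[xX]}
    [ "${#want}" -ge 16 ] || return 2      # refuse short, collision-prone IDs
    ok=1
    while read -r tag kind fpr rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $kind in
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) return 1 ;;
            VALIDSIG)
                case $fpr in
                    *"$want") ok=0 ;;
                    *) return 1 ;;         # valid signature, but wrong key
                esac ;;
        esac
    done
    return "$ok"
}

# verify_download SIGNATURE FILE EXPECTED_KEY
# Runs gpg on a detached .asc signature and applies check_status to the result.
verify_download() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$3"
}

# Constructed status output: the fingerprint prefix is made up; only the last
# 16 hex digits (the key ID from step 1) come from the article.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 23EACB9FB2925351 AppDynamics Inc (maven) <help@appdynamics.com>
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAA23EACB9FB2925351 2017-06-06 1496789746 0 4 0 17 2 00 AAAAAAAAAAAAAAAAAAAAAAAA23EACB9FB2925351'

# Stand-alone use: sh verify.sh javaagent.jar.asc javaagent.jar 0x23eacb9fb2925351
if [ "$#" -eq 3 ]; then
    if verify_download "$@"; then
        echo "OK: valid signature from expected key"
    else
        echo "FAILED: do not install $2" >&2
        exit 1
    fi
fi
```

Pinning the full 40-character fingerprint, obtained from a channel you trust, is stronger than pinning the 16-digit key ID.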

 

Validate with RPM 

If you download the Machine Agent rpm package from the AppDynamics Download Center, you can use rpm to validate your download against the AppDynamics public key.

 

  1. Download the key. For the sake of the tutorial, you can copy the contents of the following URL to a file called "appd.sig":
    https://pgp.mit.edu/pks/lookup?op=get&search=0x23EACB9FB2925351

  2. Import the key into your rpm database:
    rpm --import appd.sig


    You can run the following command to see a list of installed keys:

    rpm -qa gpg-pubkey\*

     

    The list of keys includes the AppDynamics key:
    gpg-pubkey-b2925351-5568d8d8 

  3. Validate the Machine Agent package you downloaded as follows:
    rpm -K appdynamics-machine-agent-4.3.3.0-1.x86_64.rpm


    rpm displays the validation information:
    appdynamics-machine-agent-4.3.3.0-1.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK

Version history: revision 21 of 21, last update 07-07-2020 05:34 PM