Use gpg check for exec ssm agent #146
Important -- the shasums are used beyond just the validation here in this file.
case $ARCHITECTURE in | ||
'x86_64') | ||
curl -fLSs "https://amazon-ssm-${REGION}.s3.${REGION}.amazonaws.com${host_suffix}/${EXEC_SSM_VERSION}/linux_amd64/amazon-ssm-agent-binaries.tar.gz" -o amazon-ssm-agent.tar.gz | ||
echo "94be5ddec82d67d2f799d2fd1c8ab3f597e5d166b9750891a135d3093e15aa24 ./amazon-ssm-agent.tar.gz" >./amazon-ssm-agent.tar.gz.sha256 |
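Review bot: the digest on the `echo` line is a literal inside the `'x86_64'` branch, while the URL on the `curl` line above it is built from `${EXEC_SSM_VERSION}`, so a version bump means finding and editing this line by hand in each branch of the `case`. If the `.sha256` file is kept alongside the gpg check, define each digest in a variable next to the version so the two are changed together.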
We still need these shasums -- ecs-agent uses these to be sure the tar hasn't been tampered with.
We are probably not using it? I see the following files being copied to binary path - https://github.com/aws/amazon-ecs-ami/blob/main/scripts/install-exec-dependencies.sh#L35-L37
@@ -0,0 +1,62 @@ | |||
-----BEGIN PGP PUBLIC KEY BLOCK----- |
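Review bot: the new 62-line key file starts directly with the armor header on line 1, so the diff alone does not tell a reviewer which key this is. State the key's fingerprint and where the file was obtained, in the PR description or beside the file, so it can be compared against the signer's published key now and again whenever the key is rotated.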
Q. Would it be easier for us to maintain only one gpg file in the amazon-ecs-agent repo?
The pro I can think of is that only one file needs to be updated whenever the SSM team rotates the key.
The con I can think of is, this will couple ECS Agent and ECS optimized AMI release together.
I don't think we should. Open-sourcing the AMI repo helps people build AMIs themselves, and coupling these two definitely limits the flexibility.
I agree with @Realmonia, having the 2 repos independent and flexible can be better here, as the 2 SSM agents in the different repos can be different, and the agent in amazon-ecs-ami repo is fixed by version. There is less need to introduce dependency this way.
Summary
This PR replaces the sha256 verification for the exec ssm agent in ECS Optimized AMI creation recipes with a more secure gpg check. It adds
- al2023.pkr.hcl to replace gnupg2-minimal with gnupg2-full to enable installing gpg keys. Base al2023 AMIs come with gnupg2-minimal installed
- scripts/install-exec-dependencies.sh to replace sha256 with gpg check
Testing
New tests cover the changes: No new tests added
Description for the changelog
Use gpg check for exec ssm agent
Licensing
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
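The change summarised above swaps a pinned sha256 for a gpg check, which moves trust from one exact tarball to whatever keys the imported key file contains. As an added example (not code from this PR or the amazon-ecs-ami repo), this script keeps a pin by requiring a specific primary-key fingerprint in gpg's `--status-fd` output; the function names, file arguments and fingerprints are hypothetical placeholders.

```shell
#!/bin/sh
# Added example; every name and fingerprint here is a constructed placeholder.

# Reads `gpg --status-fd` output on stdin. Succeeds only when a VALIDSIG line
# carries the pinned primary-key fingerprint and no failure status is present.
status_has_pinned_fpr() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 12 is the primary-key fingerprint; field 3 is the signing (sub)key.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == toupper(want)) ok = 1; else bad = 1
        }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# Verifies data_file against sig_file using only the keys in key_file,
# inside a throwaway GNUPGHOME so the host keyring is never consulted.
verify_pinned() {
    key_file=$1; sig_file=$2; data_file=$3; pinned=$4
    home=$(mktemp -d) || return 1
    GNUPGHOME=$home gpg --batch --quiet --import "$key_file" 2>/dev/null &&
        GNUPGHOME=$home gpg --batch --status-fd 1 --verify "$sig_file" "$data_file" 2>/dev/null |
        status_has_pinned_fpr "$pinned"
    rc=$?
    GNUPGHOME=$home gpgconf --kill all 2>/dev/null
    rm -rf "$home"
    return "$rc"
}

# Constructed status output for two signatures that gpg itself reports as valid.
PINNED=0123456789ABCDEF0123456789ABCDEF01234567
OTHER=FEDCBA9876543210FEDCBA9876543210FEDCBA98
SUBKEY=89ABCDEF0123456789ABCDEF0123456789ABCDEF
status_for() {  # $1 = primary-key fingerprint reported by gpg
    printf '[GNUPG:] NEWSIG\n'
    printf '[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer\n'
    printf '[GNUPG:] VALIDSIG %s 2024-01-01 1704067200 0 4 0 1 8 00 %s\n' "$SUBKEY" "$1"
}

status_for "$PINNED" | status_has_pinned_fpr "$PINNED" && echo "pinned key: accept"
status_for "$OTHER" | status_has_pinned_fpr "$PINNED" || echo "other key: reject"
```

In a build script, `verify_pinned` would be called with the key file, the detached signature, the downloaded tarball and the expected fingerprint before the tarball is unpacked.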