
Use gpg check for exec ssm agent #146

Merged
merged 1 commit into from
Sep 19, 2023

Conversation

prateekchaudhry
Contributor

@prateekchaudhry prateekchaudhry commented Sep 18, 2023

Summary

This PR replaces the sha256 verification for the exec ssm agent in ECS Optimized AMI creation recipes with a more secure gpg check. It adds

  • A file which contains the public key for the SSM Agent being used. It contains 2 public keys - one key of the SSM Agent version being used and the latest public key (https://docs.aws.amazon.com/systems-manager/latest/userguide/verify-agent-signature.html)
  • Changes in AL1, AL2, AL2023 base recipes to export the public key file to AMI build instance for verification
  • Changes in al2023.pkr.hcl to replace gnupg2-minimal with gnupg2-full to enable installing gpg keys. Base al2023 AMIs come with gnupg2-minimal installed
  • Changes in scripts/install-exec-dependencies.sh to replace sha256 with gpg check

Testing

  • Verified SSM Agent is being properly verified by creating ECS Optimized AMIs with the changes -
==> amazon-ebs.al2: gpg: key 56BAA549: public key "SSM Agent <[email protected]>" imported
==> amazon-ebs.al2: gpg: key 97DD04ED: public key "SSM Agent <[email protected]>" imported
==> amazon-ebs.al2: gpg: Total number processed: 2
==> amazon-ebs.al2: gpg:               imported: 2  (RSA: 2)
==> amazon-ebs.al2: gpg: no ultimately trusted keys found
==> amazon-ebs.al2: + case $ARCHITECTURE in
==> amazon-ebs.al2: + curl -fLSs https://amazon-ssm-us-west-2.s3.us-west-2.amazonaws.com/3.2.1478.0/linux_amd64/amazon-ssm-agent-binaries.tar.gz -o amazon-ssm-agent.tar.gz
==> amazon-ebs.al2: + curl -fLSs https://amazon-ssm-us-west-2.s3.us-west-2.amazonaws.com/3.2.1478.0/linux_amd64/amazon-ssm-agent-binaries.tar.gz.sig -o amazon-ssm-agent.tar.gz.sig
==> amazon-ebs.al2: + gpg --verify amazon-ssm-agent.tar.gz.sig amazon-ssm-agent.tar.gz
==> amazon-ebs.al2: gpg: Signature made Wed 09 Aug 2023 06:35:21 PM UTC using RSA key ID 56BAA549
==> amazon-ebs.al2: gpg: Good signature from "SSM Agent <[email protected]>"
==> amazon-ebs.al2023: + gpg --import /tmp/amazon-ssm-agent.gpg
==> amazon-ebs.al2023: gpg: key DD81A61756BAA549: 1 signature not checked due to a missing key
==> amazon-ebs.al2023: gpg: key DD81A61756BAA549: public key "SSM Agent <[email protected]>" imported
==> amazon-ebs.al2023: gpg: key BC1F495C97DD04ED: 1 signature not checked due to a missing key
==> amazon-ebs.al2023: gpg: key BC1F495C97DD04ED: public key "SSM Agent <[email protected]>" imported
==> amazon-ebs.al2023: gpg: Total number processed: 2
==> amazon-ebs.al2023: gpg:               imported: 2
==> amazon-ebs.al2023: gpg: no ultimately trusted keys found
==> amazon-ebs.al2023: + case $ARCHITECTURE in
==> amazon-ebs.al2023: + curl -fLSs https://amazon-ssm-us-west-2.s3.us-west-2.amazonaws.com/3.2.1478.0/linux_amd64/amazon-ssm-agent-binaries.tar.gz -o amazon-ssm-agent.tar.gz
==> amazon-ebs.al2023: + curl -fLSs https://amazon-ssm-us-west-2.s3.us-west-2.amazonaws.com/3.2.1478.0/linux_amd64/amazon-ssm-agent-binaries.tar.gz.sig -o amazon-ssm-agent.tar.gz.sig
==> amazon-ebs.al2023: + gpg --verify amazon-ssm-agent.tar.gz.sig amazon-ssm-agent.tar.gz
==> amazon-ebs.al2023: gpg: Signature made Wed Aug  9 18:35:21 2023 UTC
==> amazon-ebs.al2023: gpg:                using RSA key DD81A61756BAA549
==> amazon-ebs.al2023: gpg: Good signature from "SSM Agent <[email protected]>" [expired]
==> amazon-ebs.al2gpu: + gpg --import /tmp/amazon-ssm-agent.gpg
==> amazon-ebs.al2gpu: gpg: key 56BAA549: public key "SSM Agent <[email protected]>" imported
==> amazon-ebs.al2gpu: gpg: key 97DD04ED: public key "SSM Agent <[email protected]>" imported
==> amazon-ebs.al2gpu: gpg: Total number processed: 2
==> amazon-ebs.al2gpu: gpg:               imported: 2  (RSA: 2)
==> amazon-ebs.al2gpu: gpg: no ultimately trusted keys found
==> amazon-ebs.al2gpu: + case $ARCHITECTURE in
==> amazon-ebs.al2gpu: + curl -fLSs https://amazon-ssm-us-west-2.s3.us-west-2.amazonaws.com/3.2.1478.0/linux_amd64/amazon-ssm-agent-binaries.tar.gz -o amazon-ssm-agent.tar.gz
==> amazon-ebs.al2gpu: + curl -fLSs https://amazon-ssm-us-west-2.s3.us-west-2.amazonaws.com/3.2.1478.0/linux_amd64/amazon-ssm-agent-binaries.tar.gz.sig -o amazon-ssm-agent.tar.gz.sig
==> amazon-ebs.al2gpu: + gpg --verify amazon-ssm-agent.tar.gz.sig amazon-ssm-agent.tar.gz
==> amazon-ebs.al2gpu: gpg: Signature made Wed 09 Aug 2023 06:35:21 PM UTC using RSA key ID 56BAA549
==> amazon-ebs.al2gpu: gpg: Good signature from "SSM Agent <[email protected]>"

  • Run functional set suite against the AMIs created and verify exec tests succeed

New tests cover the changes: No new tests added

Description for the changelog

Use gpg check for exec ssm agent

Licensing

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
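An added example, not part of this PR or of the amazon-ecs-ami scripts, showing the check a practitioner would layer on top of the `gpg --verify` step above: the al2023 build log still reports a good signature although the key is marked [expired] and no ultimately trusted keys exist, so this parses gpg's machine-readable `--status-fd` output and accepts the tarball only when the signature comes from a pinned key fingerprint. The 40-digit fingerprint and the e-mail address are constructed placeholders; only the long key ID DD81A61756BAA549 is taken from the log.

```python
import subprocess

# Placeholder 40-hex-digit fingerprint: only the last 16 digits (the long key ID
# DD81A61756BAA549 from the al2023 build log) come from the PR; the rest is constructed.
PINNED_FPR = "0" * 24 + "DD81A61756BAA549"

# Constructed --status-fd output modelled on the PR's build logs. AL2: plain good signature,
# TRUST_UNDEFINED corresponds to "no ultimately trusted keys found".
SAMPLE_STATUS_AL2 = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG DD81A61756BAA549 SSM Agent <placeholder@example.invalid>\n"
    f"[GNUPG:] VALIDSIG {PINNED_FPR} 2023-08-09 1691606121 0 4 0 1 8 00 {PINNED_FPR}\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
# AL2023: same signature, but the key has since expired, so gpg reports EXPKEYSIG instead of
# GOODSIG while still printing "Good signature ... [expired]" on the human-readable side.
SAMPLE_STATUS_AL2023 = (
    SAMPLE_STATUS_AL2.replace("GOODSIG", "EXPKEYSIG") + "[GNUPG:] KEYEXPIRED 1693440000\n"
)

SIG_STATES = {"GOODSIG", "EXPKEYSIG", "EXPSIG", "REVKEYSIG", "BADSIG", "ERRSIG", "NO_PUBKEY"}


def check_signature(status_output, pinned_fingerprints, allow_expired_key=False):
    """Decide from gpg --status-fd lines whether a detached signature is acceptable.
    Returns (ok, reason). Requires a VALIDSIG whose signing-key or primary-key
    fingerprint is pinned, so any other key present in the keyring cannot pass."""
    sig_state, fingerprints = None, set()
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in SIG_STATES:
            sig_state = fields[1]
        elif fields[1] == "VALIDSIG":
            fingerprints.add(fields[2].upper())       # fingerprint of the signing (sub)key
            if len(fields) > 11:
                fingerprints.add(fields[11].upper())  # fingerprint of the primary key
    if sig_state not in ("GOODSIG", "EXPKEYSIG"):
        return False, f"signature not accepted ({sig_state})"
    if not fingerprints & {f.upper() for f in pinned_fingerprints}:
        return False, f"signed by unpinned key {sorted(fingerprints)}"
    if sig_state == "EXPKEYSIG" and not allow_expired_key:
        return False, "good signature, but the signing key has expired"
    return True, f"{sig_state} from pinned key"


def verify_with_gpg(sig_path, data_path, pinned_fingerprints):
    """Run gpg --verify with machine-readable status on stdout, then apply check_signature."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
                          capture_output=True, text=True)
    return check_signature(proc.stdout, pinned_fingerprints)
```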

@prateekchaudhry prateekchaudhry changed the title [WIP] Use gpg check for exec ssm agent Use gpg check for exec ssm agent Sep 19, 2023
Member

@fierlion fierlion left a comment


Important -- the shasums are used beyond just the validation here in this file.

case $ARCHITECTURE in
'x86_64')
curl -fLSs "https://amazon-ssm-${REGION}.s3.${REGION}.amazonaws.com${host_suffix}/${EXEC_SSM_VERSION}/linux_amd64/amazon-ssm-agent-binaries.tar.gz" -o amazon-ssm-agent.tar.gz
echo "94be5ddec82d67d2f799d2fd1c8ab3f597e5d166b9750891a135d3093e15aa24 ./amazon-ssm-agent.tar.gz" >./amazon-ssm-agent.tar.gz.sha256
Member


we still need these shasums -- ecs-agent uses these to be sure the tar hasn't been tampered with.

Contributor Author


We are probably not using it? I see the following files being copied to binary path - https://github.com/aws/amazon-ecs-ami/blob/main/scripts/install-exec-dependencies.sh#L35-L37

@@ -0,0 +1,62 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
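Review bot: the key file added here carries no header comment identifying the two keys it holds (IDs 56BAA549 and 97DD04ED in the build logs) or their expiry dates, and the al2023 log in the PR description already shows "Good signature ... [expired]" for DD81A61756BAA549 with "no ultimately trusted keys found", which gpg still treats as a successful verify. Suggest adding a short comment above the BEGIN line listing key IDs and expiry so rotation is visible at review time, and having scripts/install-exec-dependencies.sh pin the expected fingerprint (for example by checking the VALIDSIG line of `gpg --status-fd`) and decide explicitly whether an expired signing key is acceptable rather than relying on the exit status alone.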
Contributor


Q. Would it be easier for us to maintain only one gpg file in the amazon-ecs-agent repo?

The pro I can think of is that only one file needs to be updated whenever the SSM team rotates the key.
The con I can think of is that this will couple ECS Agent and ECS optimized AMI releases together.

Contributor


I don't think we should. Open-sourcing the AMI repo helps people build AMIs themselves, and coupling these two definitely limits the flexibility.

Contributor Author


I agree with @Realmonia, having the 2 repos independent and flexible can be better here, as the 2 SSM agents in the different repos can be different, and the agent in the amazon-ecs-ami repo is fixed by version. There is less need to introduce a dependency this way.

@prateekchaudhry prateekchaudhry merged commit 30594d8 into aws:main Sep 19, 2023
2 checks passed
@prateekchaudhry prateekchaudhry mentioned this pull request Sep 29, 2023
rwarren25 pushed a commit to rwarren25/amazon-ecs-ami that referenced this pull request Jul 9, 2024