Use gpg check for exec ssm agent

[prateekchaudhry]

Summary

This PR replaces the sha256 verification for the exec ssm agent in ECS Optimized AMI creation recipes with a more secure gpg check. It adds

• A file which contains the public key for the SSM Agent being used. It contains 2 public keys - one key of the SSM Agent version being used and the latest public key (https://docs.aws.amazon.com/systems-manager/latest/userguide/verify-agent-signature.html)
• Changes in AL1, AL2, AL2023 base recipes to export the public key file to AMI build instance for verification
• Changes in al2023.pkr.hcl to replace gnupg2-minimal with gnupg2-full to enable installing gpg keys. Base al2023 AMIs come with gnupg2-minimal installed
• Changes in scripts/install-exec-dependencies.sh to replace sha256 with gpg check

Testing

• Verified SSM Agent is being properly verified by creating ECS Optimized AMIs with the changes -

==> amazon-ebs.al2: gpg: key 56BAA549: public key "SSM Agent <[email protected]>" imported
==> amazon-ebs.al2: gpg: key 97DD04ED: public key "SSM Agent <[email protected]>" imported
==> amazon-ebs.al2: gpg: Total number processed: 2
==> amazon-ebs.al2: gpg:               imported: 2  (RSA: 2)
==> amazon-ebs.al2: gpg: no ultimately trusted keys found
==> amazon-ebs.al2: + case $ARCHITECTURE in
==> amazon-ebs.al2: + curl -fLSs https://amazon-ssm-us-west-2.s3.us-west-2.amazonaws.com/3.2.1478.0/linux_amd64/amazon-ssm-agent-binaries.tar.gz -o amazon-ssm-agent.tar.gz
==> amazon-ebs.al2: + curl -fLSs https://amazon-ssm-us-west-2.s3.us-west-2.amazonaws.com/3.2.1478.0/linux_amd64/amazon-ssm-agent-binaries.tar.gz.sig -o amazon-ssm-agent.tar.gz.si
g
==> amazon-ebs.al2: + gpg --verify amazon-ssm-agent.tar.gz.sig amazon-ssm-agent.tar.gz
==> amazon-ebs.al2: gpg: Signature made Wed 09 Aug 2023 06:35:21 PM UTC using RSA key ID 56BAA549
==> amazon-ebs.al2: gpg: Good signature from "SSM Agent <[email protected]>"

==> amazon-ebs.al2023: + gpg --import /tmp/amazon-ssm-agent.gpg
==> amazon-ebs.al2023: gpg: key DD81A61756BAA549: 1 signature not checked due to a missing key
==> amazon-ebs.al2023: gpg: key DD81A61756BAA549: public key "SSM Agent <[email protected]>" imported
==> amazon-ebs.al2023: gpg: key BC1F495C97DD04ED: 1 signature not checked due to a missing key
==> amazon-ebs.al2023: gpg: key BC1F495C97DD04ED: public key "SSM Agent <[email protected]>" imported
==> amazon-ebs.al2023: gpg: Total number processed: 2
==> amazon-ebs.al2023: gpg:               imported: 2
==> amazon-ebs.al2023: gpg: no ultimately trusted keys found
==> amazon-ebs.al2023: + case $ARCHITECTURE in
==> amazon-ebs.al2023: + curl -fLSs https://amazon-ssm-us-west-2.s3.us-west-2.amazonaws.com/3.2.1478.0/linux_amd64/amazon-ssm-agent-binaries.tar.gz -o amazon-ssm-agent.tar.gz
==> amazon-ebs.al2023: + curl -fLSs https://amazon-ssm-us-west-2.s3.us-west-2.amazonaws.com/3.2.1478.0/linux_amd64/amazon-ssm-agent-binaries.tar.gz.sig -o amazon-ssm-agent.tar.gz
.sig
==> amazon-ebs.al2023: + gpg --verify amazon-ssm-agent.tar.gz.sig amazon-ssm-agent.tar.gz
==> amazon-ebs.al2023: gpg: Signature made Wed Aug  9 18:35:21 2023 UTC
==> amazon-ebs.al2023: gpg:                using RSA key DD81A61756BAA549
==> amazon-ebs.al2023: gpg: Good signature from "SSM Agent <[email protected]>" [expired]

==> amazon-ebs.al2gpu: + gpg --import /tmp/amazon-ssm-agent.gpg
==> amazon-ebs.al2gpu: gpg: key 56BAA549: public key "SSM Agent <[email protected]>" imported
==> amazon-ebs.al2gpu: gpg: key 97DD04ED: public key "SSM Agent <[email protected]>" imported
==> amazon-ebs.al2gpu: gpg: Total number processed: 2
==> amazon-ebs.al2gpu: gpg:               imported: 2  (RSA: 2)
==> amazon-ebs.al2gpu: gpg: no ultimately trusted keys found
==> amazon-ebs.al2gpu: + case $ARCHITECTURE in
==> amazon-ebs.al2gpu: + curl -fLSs https://amazon-ssm-us-west-2.s3.us-west-2.amazonaws.com/3.2.1478.0/linux_amd64/amazon-ssm-agent-binaries.tar.gz -o amazon-ssm-agent.tar.gz
==> amazon-ebs.al2gpu: + curl -fLSs https://amazon-ssm-us-west-2.s3.us-west-2.amazonaws.com/3.2.1478.0/linux_amd64/amazon-ssm-agent-binaries.tar.gz.sig -o amazon-ssm-agent.tar.gz
.sig
==> amazon-ebs.al2gpu: + gpg --verify amazon-ssm-agent.tar.gz.sig amazon-ssm-agent.tar.gz
==> amazon-ebs.al2gpu: gpg: Signature made Wed 09 Aug 2023 06:35:21 PM UTC using RSA key ID 56BAA549
==> amazon-ebs.al2gpu: gpg: Good signature from "SSM Agent <[email protected]>"

• Run functional set suite against the AMIs created and verify exec tests succeed

New tests cover the changes: No new tests added

Description for the changelog

Use gpg check for exec ssm agent

Licensing

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[fierlion]

Important -- the shasums are used beyond just the validation here in this file.

[fierlion]

we still need these shasums -- ecs-agent uses these to be sure the tar hasn't been tampered with.

[prateekchaudhry]

We are probably not using it? I see the following files being copied to binary path - https://github.com/aws/amazon-ecs-ami/blob/main/scripts/install-exec-dependencies.sh#L35-L37

[chienhanlin]

Q. Would it be easier for us to maintain only one gpg file in the amazon-ecs-agent repo?

The pro I can think of is, only one file needs to be updated whenever SSM team rotated the key.
The con I can think of is, this will couple ECS Agent and ECS optimized AMI release together.

[Realmonia]

I don't think we should. Open source the AMI repo helps people build AMI themselves and coupling these two definitely limits the flexibility.

[prateekchaudhry]

I agree with @Realmonia , having the 2 repos independent and flexible can be better here, as the 2 SSM agents in the different repos can be different, and the agent in amazon-ecs-ami repo is fixed by version. There is less need to introduce dependency this way.