From 63daf3f145454c69663b1ec62c80a145b6e1f394 Mon Sep 17 00:00:00 2001
From: Prateek Chaudhry
Date: Tue, 19 Sep 2023 15:04:34 -0700
Subject: [PATCH] use gpg check for exec ssm agent (#146)
---
al1.pkr.hcl | 5 +++
al2.pkr.hcl | 5 +++
al2023.pkr.hcl | 11 ++++-
files/amazon-ssm-agent.gpg | 62 ++++++++++++++++++++++++++++
scripts/install-exec-dependencies.sh | 11 +++--
5 files changed, 88 insertions(+), 6 deletions(-)
create mode 100644 files/amazon-ssm-agent.gpg
diff --git a/al1.pkr.hcl b/al1.pkr.hcl
index 33dd9a8..c3b12d9 100644
--- a/al1.pkr.hcl
+++ b/al1.pkr.hcl
@@ -99,6 +99,11 @@ build { script = "scripts/install-additional-packages.sh" } + provisioner "file" { + source = "files/amazon-ssm-agent.gpg" + destination = "/tmp/amazon-ssm-agent.gpg" + } + provisioner "shell" { script = "scripts/install-exec-dependencies.sh" environment_vars = [
diff --git a/al2.pkr.hcl b/al2.pkr.hcl
index 358fcaf..5c47e8b 100644
--- a/al2.pkr.hcl
+++ b/al2.pkr.hcl
@@ -140,6 +140,11 @@ build { script = "scripts/install-additional-packages.sh" } + provisioner "file" { + source = "files/amazon-ssm-agent.gpg" + destination = "/tmp/amazon-ssm-agent.gpg" + } + provisioner "shell" { script = "scripts/install-exec-dependencies.sh" environment_vars = [
diff --git a/al2023.pkr.hcl b/al2023.pkr.hcl
index c45048d..3dfb6cc 100644
--- a/al2023.pkr.hcl
+++ b/al2023.pkr.hcl
@@ -78,7 +78,8 @@ build { provisioner "shell" { inline_shebang = "/bin/sh -ex" inline = [ - "sudo dnf install -y ${local.packages_al2023}" + "sudo dnf install -y ${local.packages_al2023}", + "sudo dnf swap -y gnupg2-minimal gnupg2-full" ] }
@@ -113,6 +114,12 @@ build { } ### exec + + provisioner "file" { + source = "files/amazon-ssm-agent.gpg" + destination = "/tmp/amazon-ssm-agent.gpg" + } + provisioner "shell" { script = "scripts/install-exec-dependencies.sh" environment_vars = [
@@ -165,4 +172,4 @@ build { output = "manifest.json" strip_path = true } -} \ No newline at end of file +}
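Review bot: The staging path `/tmp/amazon-ssm-agent.gpg` is now hardcoded in the new `provisioner "file"` block here and repeated identically in the al2.pkr.hcl hunk and the second al2023.pkr.hcl hunk, and the script hunk hardcodes the same literal a fourth time in its `gpg --import`; a change to the path has to be made in four places. The shell provisioner that follows each new block already carries an `environment_vars` list, so the path can be defined once there, e.g. `"SSM_AGENT_GPG_KEY=/tmp/amazon-ssm-agent.gpg"` (constructed name), with the `file` provisioner's `destination` and the script's import both reading that value. A one-line comment above the block, `# public signing keys for the exec SSM agent tarball, consumed by install-exec-dependencies.sh`, would also tell the next reader why a key file is being copied here at all.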
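Review bot: The added `"sudo dnf swap -y gnupg2-minimal gnupg2-full"` in the first al2023.pkr.hcl hunk gives no reason for replacing the distribution's default gnupg package, and unlike the package list on the line above it is not driven by a `local`, so it reads as an unexplained one-off. Presumably the swap is needed because the `gpg --import`/`gpg --verify` calls added to scripts/install-exec-dependencies.sh require functionality the minimal build lacks — confirm and record it, e.g. an HCL comment line inside the list: `# gnupg2-minimal cannot run the key import/verify in scripts/install-exec-dependencies.sh`. It is also worth stating in that comment that the swap is intentional for the shipped image, since it changes which gnupg package ends up installed on every AL2023 AMI built from this template, not just during provisioning.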
diff --git a/files/amazon-ssm-agent.gpg b/files/amazon-ssm-agent.gpg
new file mode 100644
index 0000000..e390035
--- /dev/null
+++ b/files/amazon-ssm-agent.gpg
@@ -0,0 +1,62 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2.0.22 (GNU/Linux) +Comment: ssm-public-2022 + +mQENBGIxF/8BCADv014neDCfkpdj79/XVeQVy0Wz9LSiB/iksc1jTPaCgD/9ojdQ +10LfEFEyLoeTEhX5WBu0Ry7oKW9AK51kscMjTHwdFnzXsT4tAoSXxh7lbgdfhpVm +bJ0bVArrzKIQ8JOE2lrn6LgVcGTtbPGURNNNRD1nZEgZm6wni+ZoplsXmsj0wD7f +I5zhk/e+OyrsolpNWBJB0vf6JXVV2MauZKGlwRR4pZoSw5yPOa0rZDtOTtPbUX5C +lWGLtdQ3848YvgjMzK9GeEqK9n6yQx5potlvxJ6TCZsZTwXXF5LyPuv2y6U22075 +JjMMX7noNnVnipKMj+l7x5fis+X+gafF/PbTABEBAAG0J1NTTSBBZ2VudCA8c3Nt +LWFnZW50LXNpZ25lckBhbWF6b24uY29tPokBPwQTAQIAKQUCYjEX/wIbLwUJAsaY +gAcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEN2BphdWuqVJUKoIANHALkLq +xsUco2JwymOorf+1icVtL8MSdi87lIhxfIGWaGN5CkzrkBAJlIyf/C+hVcLzR9rQ +DWIJakLWE3XPb4g8fWyr5VlOoYbcGLCky0fL5O0pWEnF2ecQMMSpwkdv9zx7qUoo +PssEpuwz5kIOYp2ENy21IPkMGpny8MCbzQ+sHysLWiJ/b0aWX9giPuMe5vTO3djM +CPtyA5CeG3BMawPOaDQvjxB+DnWCg1HslgdzpZiSsusuZ8u3xKaehEMiB/Li2BO9 +yZMAeG6iok4Dn01ZVVpU9mftZKIm/T5WBX5x+TBhQ1b30MQcN61kFEe0Gll3ReTu +CPEuDwAb4WruFkaJAhwEEAECAAYFAmIxGAAACgkQfdCXo9rX9fy5yQ/+PIBXWQc4 +D/a6/nEaGM/FrLDLgPSieBCbU4TpvB7qPg6gJUX8CA+h8cZ06wDgcdi9sJ3MwTnQ +Ze1OzZ8AJroRP6XhwVeNEbeedBbmr7irSg8lIdyXZed0G0T+7SX/MDEyup16vRxW +k2UyBCXYqnxBHXeTKf9GxH0nODpcGPGByqjfmSB3nj2wZN0g8SWWz6oEWcXv218B +FJyJj7W2bQsbMXoHlILP28Ec5QN1r8cC1b1nQsmx4120XSKFWvi8trG2+dDb58LR +1afsEW8OhJwsJcba1YIMznxMbWpfyZww2S6g7rFahm1wKCxMkHIZ+Fca6axKoK9Y +KJaEPn9rbhh11XsgKBNIIP1h0eGmQTAvM01dWI9895fiaK3pQkCxV7in6dTxi8Jy +7iJBbORStxsospBJzLf+0Ca3yvILxySg1Q2EuOKuN2VW7N/l3IffJ85DVjjQgh6A +T4L6ViK/0L6ww5n8tboKB/Jz9OUDGf2idxhQe8WenIogAU3y4ZGUyzcZHMg9lRke +hdLYGtqRATdWuwFQbwjPeBNovulqKOPXU9BLEezz8gMtd6/aW/UQA33xuZlh959o +DHhGwWDXEJzhrIlFAljkb7rsIhhjrg/R2usSIi78i1jFkGsVqRET2/avn7/kBcgL +yIk43DugjkN04nzHfULMJmEm02uVumgSJzQ= +=rGEs +-----END PGP PUBLIC KEY BLOCK----- + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2.0.22 (GNU/Linux) + +mQENBGTtIoIBCAD2M1aoGIE0FXynAHM/jtuvdAVVaX3Q4ZejTqrX+Jq8ElAMhxyO +GzHu2CDtCYxtVxXK3unptLVt2kGgJwNbhYC393jDeZx5dCda4Nk2YXX1UK3P461i 
+axuuXRzMYvfM4RZn+7bJTu635tA07q9Xm6MGD4TCTvsjBfViOxbrxOg5ozWbJdSw +fSR8MwUrRfmFpAefRlYfCEuZ8FHywa9U6jLeWt2O/kqrZliJOAGjGzXtB7EZkqKb +faCCxikjjvhF1awdEqSK4DQorC/OvQc4I5kP5y2CJbtXvXO73QH2yE75JMDIIx9x +rOsIRUoSfK3UrWaOVuAnEEn5ueKzZNqGG1J1ABEBAAG0J1NTTSBBZ2VudCA8c3Nt +LWFnZW50LXNpZ25lckBhbWF6b24uY29tPokBPwQTAQIAKQUCZO0iggIbLwUJAsaY +gAcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJELwfSVyX3QTt+icH/A//tJsW +I+7Ay8FGJh8dJPNy++HIBjVSFdGNJFWNbw1Z8uZcazHEcUCH3FhW4CLQLTZ3OVPz +qvFwzDtRDVIN/Y9EGDhLMFvimrE+/z4olWsJ5DANf6BnX8I5UNIcRt5d8SWH1BEJ +2FWIBZFgKyTDI6XzRC5x4ahtgpOVAGeeKDehs+wh6Ga4W0/K4GsviP1Kyr+Ic2br +NAIq0q0IHyN1q9zam3Y0+jKwEuNmTj+Bjyzshyv/X8S0JWWoXJhkexkOvWeBYNNt +5wI4QcSteyfIzp6KlQF8q11Hzz9D9WaPfcBEYyhq7vLEARobkbQMBzpkmaZua241 +0RaWG50HRvrgm4aJAhwEEAECAAYFAmTtIoMACgkQfdCXo9rX9fwwqBAAzkTgYJ38 +sWgxpn7Ux/81F2BWR1sVkmP79i++fXyJlKI8xtcJFQZhzeUos69KBUCy7mgx5bYU +P7NA5o9DUbwz/QS0i1Cqm4+jtFlX0MXe4FikXcqfDPnnzN8mVB2H+fa43iHR1PuH +GgUWuNdxzSoIYRmLZXWmeN5YXPcmixlhLzcE2TOQn1mOKcu2fKdLtBQ8KiEkmjiu +naoLxnUcyk1zMhaha+LzEkQdOyasix0ggylN2ViWVnlmfy0niuXDxW0qZWPdLStF +OODiX3iqGmkH3rDfy6nvxxBR4GIs+MGD72fpWzzrINDgkGI2i2t1+0AX/mps3aTy ++ftlgrim8stYWB58XXDAb0vad06sNye5/zDzfr0I9HupJrTzFhaYJQjWPaSlINto +LDJnBXohiUIPRYRcy/k012oFHDWZHT3H6CyjK9UD5UlxA9H7dsJurANs6FOVRe+7 +34uJyxDZ/W7zLG4AVG0zxibrUSoaJxwcOjVPVsQAlrwG/GTs7tcAccsJqbJ1Py/w +9AgJl8VU2qc8POsHNXk348gjP7C8PDnGMpZFzr9f5INctRushpiv7onX+aWJVX7T +n2uX/TP3LCyH/MsrNJrJOQnMYFRLQitciP0E+F+eA3v9CY6mDuyb8JSx5HuGGUsG +S4bKBOcA8vimEpwPoT8CE7fdsZ3Qkwdu+pw= +=zr5w +-----END PGP PUBLIC KEY BLOCK----- diff --git a/scripts/install-exec-dependencies.sh b/scripts/install-exec-dependencies.sh index a0c8f32..42408d4 100644 --- a/scripts/install-exec-dependencies.sh +++ b/scripts/install-exec-dependencies.sh 
@@ -17,18 +17,21 @@ fi # Download ssm agent static binaries in BINARY_PATH mkdir -p /tmp/ssm-binaries && cd /tmp/ssm-binaries + +# Import ssm agent public key +gpg --import /tmp/amazon-ssm-agent.gpg + case $ARCHITECTURE in 'x86_64') curl -fLSs "https://amazon-ssm-${REGION}.s3.${REGION}.amazonaws.com${host_suffix}/${EXEC_SSM_VERSION}/linux_amd64/amazon-ssm-agent-binaries.tar.gz" -o amazon-ssm-agent.tar.gz - echo "94be5ddec82d67d2f799d2fd1c8ab3f597e5d166b9750891a135d3093e15aa24 ./amazon-ssm-agent.tar.gz" >./amazon-ssm-agent.tar.gz.sha256 - sha256sum -c ./amazon-ssm-agent.tar.gz.sha256 + curl -fLSs "https://amazon-ssm-${REGION}.s3.${REGION}.amazonaws.com${host_suffix}/${EXEC_SSM_VERSION}/linux_amd64/amazon-ssm-agent-binaries.tar.gz.sig" -o amazon-ssm-agent.tar.gz.sig ;; 'aarch64') curl -fLSs "https://amazon-ssm-${REGION}.s3.${REGION}.amazonaws.com${host_suffix}/${EXEC_SSM_VERSION}/linux_arm64/amazon-ssm-agent-binaries.tar.gz" -o amazon-ssm-agent.tar.gz - echo "f306be07eb4d82ef367af71de87a0aeb05097282731f361dbe782e29d3dcf660 ./amazon-ssm-agent.tar.gz" >./amazon-ssm-agent.tar.gz.sha256 - sha256sum -c ./amazon-ssm-agent.tar.gz.sha256 + curl -fLSs "https://amazon-ssm-${REGION}.s3.${REGION}.amazonaws.com${host_suffix}/${EXEC_SSM_VERSION}/linux_arm64/amazon-ssm-agent-binaries.tar.gz.sig" -o amazon-ssm-agent.tar.gz.sig ;; esac +gpg --verify amazon-ssm-agent.tar.gz.sig amazon-ssm-agent.tar.gz sudo tar -xvf amazon-ssm-agent.tar.gz sudo mkdir -p "${BINARY_PATH}"
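Review bot: The exit status of the new `gpg --verify amazon-ssm-agent.tar.gz.sig amazon-ssm-agent.tar.gz` is never acted on, so unless the script runs under `set -e` (its header is outside this hunk, and the `mkdir -p … && cd …` context line suggests errors are handled inline rather than by `-e`) a missing or bad signature still falls straight through to `sudo tar -xvf`; the new `curl` fetching the `.sig` is likewise unchecked, so an absent `.sig` would only surface as a gpg error that is then ignored. `gpg --import /tmp/amazon-ssm-agent.gpg` also loads the keys into the build user's default keyring, which means the verify step accepts a signature from any key already present there rather than only the two public key blocks shipped in files/amazon-ssm-agent.gpg. Importing into a dedicated keyring and exiting explicitly on a failed verify closes both gaps; the rewritten lines follow. One caveat worth a comment in the script: the removed sha256 pins tied the download to one exact artifact, whereas a signature check accepts any tarball these keys ever signed, so the version pin now rests entirely on `EXEC_SSM_VERSION` in the URL.

```sh
# Import the SSM agent signing keys into a keyring used only by this
# script, so --verify cannot be satisfied by any other key that happens
# to be in the build user's default keyring.
SSM_KEYRING=/tmp/ssm-binaries/amazon-ssm-agent-keyring.gpg
gpg --no-default-keyring --keyring "${SSM_KEYRING}" --import /tmp/amazon-ssm-agent.gpg \
  || { echo "failed to import SSM agent signing keys" >&2; exit 1; }

# … unchanged: case $ARCHITECTURE download block (tarball and .sig) …

# Never unpack an artifact whose signature does not verify against the
# keys shipped with this repository.
gpg --no-default-keyring --keyring "${SSM_KEYRING}" \
  --verify amazon-ssm-agent.tar.gz.sig amazon-ssm-agent.tar.gz \
  || { echo "amazon-ssm-agent.tar.gz signature verification failed" >&2; exit 1; }
```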