Verifying your download - Amazon Q Developer
macOSAppImage (Linux)Ubuntu/Debian (Linux)

Verifying your download

Before installing Amazon Q for command line and using its features, you can verify the download for macOS and Linux.

macOS

After you download Amazon Q for command line for macOS, you can verify its code signature using the following command:

codesign -v /Applications/Amazon\ Q.app

If there's no output, then the application's code signature is valid, and it has not been tampered with since it was signed.

For more verbose information about the app signature, use the following the command:

codesign -dv --verbose=4 /Applications/Amazon\ Q.app

To learn more about the macOS codesign utility, see the Code Signing Guide on the Apple developer website.

AppImage (Linux)

After you download Amazon Q for command line for AppImage, you can verify the download by using the GnuPG tool. The AppImage is cryptographically signed using a PGP signature that can be verified by using the GnuPG tool. If there's damage or alteration of the files, verification will fail and you shouldn't proceed with installation.

To verify the downloaded deb, complete the following steps:

  1. Import the Amazon Q command line PGP Public Key and verify the integrity of your downloaded zip file.

    1. Download and install the gpg command using your package manager. For more information about GnuPG, see the GnuPG documentation.

    2. To create the public key file, create a text file and paste in the following text.

      -----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEZig60RYJKwYBBAHaRw8BAQdAy/+G05U5/EOA72WlcD4WkYn5SInri8pc4Z6D
BKNNGOm0JEFtYXpvbiBRIENMSSBUZWFtIDxxLWNsaUBhbWF6b24uY29tPoiZBBMW
CgBBFiEEmvYEF+gnQskUPgPsUNx6jcJMVmcFAmYoOtECGwMFCQPCZwAFCwkIBwIC
IgIGFQoJCAsCBBYCAwECHgcCF4AACgkQUNx6jcJMVmef5QD/QWWEGG/cOnbDnp68
SJXuFkwiNwlH2rPw9ZRIQMnfAS0A/0V6ZsGB4kOylBfc7CNfzRFGtovdBBgHqA6P
zQ/PNscGuDgEZig60RIKKwYBBAGXVQEFAQEHQC4qleONMBCq3+wJwbZSr0vbuRba
D1xr4wUPn4Avn4AnAwEIB4h+BBgWCgAmFiEEmvYEF+gnQskUPgPsUNx6jcJMVmcF
AmYoOtECGwwFCQPCZwAACgkQUNx6jcJMVmchMgEA6l3RveCM0YHAGQaSFMkguoAo
vK6FgOkDawgP0NPIP2oA/jIAO4gsAntuQgMOsPunEdDeji2t+AhV02+DQIsXZpoB
=f8yY
-----END PGP PUBLIC KEY BLOCK-----

    3. Import the Amazon Q command line public key with the following command, substituting public-key-file-name with the file name of the public key you created.

      gpg --import public-key-file-name
gpg: directory '/home/username/.gnupg' created
gpg: keybox '/home/username/.gnupg/pubring.kbx' created
gpg: /home/username/.gnupg/trustdb.gpg: trustdb created
gpg: key 50DC7A8DC24C5667: public key "Amazon Q command line Team <q-command line@amazon.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

  2. Download the Amazon Q command line signature file for the AppImage. It has the same path and name as the .appimage file it corresponds to but has the extension .sig. The following example shows how to save it to the current directory as a file named amazon-q.appimage.sig. For the latest version of the Amazon Q command line, use the following command:

    curl --proto '=https' --tlsv1.2 -sSf "https://desktop-release.q.us-east-1.amazonaws.com/latest/amazon-q.appimage.sig" -o "amazon-q.appimage.sig"

    For a specific version of the Amazon Q command line, you can replace ... /latest/ ... in the URL with the version number.

  3. Verify the signature, passing both the downloaded .sig and .appimage file names as parameters. Use the following GnuPG command:

    gpg --verify amazon-q.appimage.sig amazon-q.appimage

    The output should look similar to the following:

    gpg: Signature made Wed 24 Apr 2024 12:08:49 AM UTC
gpg:                using EDDSA key 9AF60417E82742C9143E03EC50DC7A8DC24C566
gpg: Good signature from "Amazon Q command line Team <q-command line@amazon.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9AF6 0417 E827 42C9 143E  03EC 50DC 7A8D C24C 5667

Ubuntu/Debian (Linux)

The deb file includes a PGP signature that can be verified by using the GnuPG tool. If there's damage or alteration of the files, verification will fail and you shouldn't proceed with installation.

To verify the downloaded deb, complete the following steps:

  1. Import the Amazon Q command line PGP Public Key and verify the integrity of your downloaded zip file.

    1. Download and install the gpg command using your package manager. For more information about GnuPG, see the https://gnupg.org/documentation/index.htmlGnuPG documentation.

    2. To create the public key file, create a text file and paste in the following text.

      -----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEZig60RYJKwYBBAHaRw8BAQdAy/+G05U5/EOA72WlcD4WkYn5SInri8pc4Z6D
BKNNGOm0JEFtYXpvbiBRIENMSSBUZWFtIDxxLWNsaUBhbWF6b24uY29tPoiZBBMW
CgBBFiEEmvYEF+gnQskUPgPsUNx6jcJMVmcFAmYoOtECGwMFCQPCZwAFCwkIBwIC
IgIGFQoJCAsCBBYCAwECHgcCF4AACgkQUNx6jcJMVmef5QD/QWWEGG/cOnbDnp68
SJXuFkwiNwlH2rPw9ZRIQMnfAS0A/0V6ZsGB4kOylBfc7CNfzRFGtovdBBgHqA6P
zQ/PNscGuDgEZig60RIKKwYBBAGXVQEFAQEHQC4qleONMBCq3+wJwbZSr0vbuRba
D1xr4wUPn4Avn4AnAwEIB4h+BBgWCgAmFiEEmvYEF+gnQskUPgPsUNx6jcJMVmcF
AmYoOtECGwwFCQPCZwAACgkQUNx6jcJMVmchMgEA6l3RveCM0YHAGQaSFMkguoAo
vK6FgOkDawgP0NPIP2oA/jIAO4gsAntuQgMOsPunEdDeji2t+AhV02+DQIsXZpoB
=f8yY
-----END PGP PUBLIC KEY BLOCK-----

    3. Import the Amazon Q command line public key with the following command, substituting public-key-file-name with the file name of the public key you created.

      gpg --import public-key-file-name
gpg: directory '/home/username/.gnupg' created
gpg: keybox '/home/username/.gnupg/pubring.kbx' created
gpg: /home/username/.gnupg/trustdb.gpg: trustdb created
gpg: key 50DC7A8DC24C5667: public key "Amazon Q command line Team <q-command line@amazon.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

  2. Verify the downloaded file by using the GnuPG command:

    gpg --verify amazon-q.deb

    The output should look similar to the following:

    gpg: Signature made Wed 24 Apr 2024 12:08:49 AM UTC
gpg:                using EDDSA key 9AF60417E82742C9143E03EC50DC7A8DC24C566
gpg: Good signature from "Amazon Q command line Team <q-command line@amazon.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9AF6 0417 E827 42C9 143E  03EC 50DC 7A8D C24C 5667