View a markdown version of this page

可选:验证的完整性 AWS SAM CLI 安装程序 - AWS Serverless Application Model

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

可选:验证的完整性 AWS SAM CLI 安装程序

使用软件包安装程序安装 AWS Serverless Application Model 命令行界面 (AWS SAMCLI) 时,可以在安装前验证其完整性。此步骤是可选的,但我们强烈建议您执行此步骤。

可供您使用的两个验证选项是:

  • 验证软件包安装程序签名文件。

  • 验证软件包安装程序的哈希值。

如果可用于您的平台,我们建议您验证签名文件选项。此选项提供额外的安全层,因为密钥值在此处发布,并且与 GitHub 存储库分开管理。

验证安装程序包签名文件

Linux

arm64:命令行安装程序

AWS SAM 使用 GnuPG 对.zip 安装程序进行签名 AWS SAMCLI。验证过程需要执行以下步骤:

  1. 使用主公钥验证签署人公钥。

  2. 使用签署人公钥验证 AWS SAM CLI 软件包安装程序。

验证签署人公钥的完整性
  1. 复制主公钥并将其作为 .txt 文件保存到本地计算机。例如 primary-public-key.txt

    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: GnuPG v2.0.22 (GNU/Linux)
    
    mQINBGRuSzMBEADsqiwOy78w7F4+sshaMFRIwRGNRm94p5Qey2KMZBxekFtoryVD
    D9jEOnvupx4tvhfBHz5EcUHCEOdl4MTqdBy6vVAshozgxVb9RE8JpECn5lw7XC69
    4Y7Gy1TKKQMEWtDXElkGxIFdUWvWjSnPlzfnoXwQYGeE93CUS3h5dImP22Yk1Ct6
    eGGhlcbg1X4L8EpFMj7GvcsU8f7ziVI/PyC1Xwy39Q8/I67ip5eU5ddxO/xHqrbL
    YC7+8pJPbRMej2twT2LrcpWWYAbprMtRoa6WfE0/thoo3xhHpIMHdPfAA86ZNGIN
    kRLjGUg7jnPTRW4Oin3pCc8nT4Tfc1QERkHm641gTC/jUvpmQsM6h/FUVP2i5iE/
    JHpJcMuL2Mg6zDo3x+3gTCf+Wqz3rZzxB+wQT3yryZs6efcQy7nROiRxYBxCSXX0
    2cNYzsYLb/bYaW8yqWIHD5IqKhw269gp2E5Khs60zgS3CorMb5/xHgXjUCVgcu8a
    a8ncdf9fjl3WS5p0ohetPbO2ZjWv+MaqrZOmUIgKbA4RpWZ/fU97P5BW9ylwmIDB
    sWy0cMxg8MlvSdLytPieogaM0qMg3u5qXRGBr6Wmevkty0qgnmpGGc5zPiUbtOE8
    CnFFqyxBpj5IOnG0KZGVihvn+iRxrv6GO7WWO92+Dc6m94U0EEiBR7QiOwARAQAB
    tDRBV1MgU0FNIENMSSBQcmltYXJ5IDxhd3Mtc2FtLWNsaS1wcmltYXJ5QGFtYXpv
    bi5jb20+iQI/BBMBCQApBQJkbkszAhsvBQkHhM4ABwsJCAcDAgEGFQgCCQoLBBYC
    AwECHgECF4AACgkQQv1fenOtiFqTuhAAzi5+ju5UVOWqHKevOJSO08T4QB8HcqAE
    SVO3mY6/j29knkcL8ubZP/DbpV7QpHPI2PB5qSXsiDTP3IYPbeY78zHSDjljaIK3
    njJLMScFeGPyfPpwMsuY4nzrRIgAtXShPA8N/k4ZJcafnpNqKj7QnPxiC1KaIQWm
    pOtvb8msUF3/s0UTa5Ys/lNRhVC0eGg32ogXGdojZA2kHZWdm9udLo4CDrDcrQT7
    NtDcJASapXSQL63XfAS3snEc4e1941YxcjfYZ33rel8K9juyDZfi1slWR/L3AviI
    QFIaqSHzyOtP1oinUkoVwL8ThevKD3Ag9CZflZLzNCV7yqlF8RlhEZ4zcE/3s9El
    WzCFsozb5HfE1AZonmrDh3SyOEIBMcS6vG5dWnvJrAuSYv2rX38++K5Pr/MIAfOX
    DOI1rtA+XDsHNv9lSwSy0lt+iClawZANO9IXCiN1rOYcVQlwzDFwCNWDgkwdOqS0
    gOA2f8NF9lE5nBbeEuYquoOl1Vy8+ICbgOFs9LoWZlnVh7/RyY6ssowiU9vGUnHI
    L8f9jqRspIz/Fm3JD86ntZxLVGkeZUz62FqErdohYfkFIVcv7GONTEyrz5HLlnpv
    FJ0MR0HjrMrZrnOVZnwBKhpbLocTsH+3t5It4ReYEX0f1DIOL/KRwPvjMvBVkXY5
    hblRVDQoOWc=
    =d9oG
    -----END PGP PUBLIC KEY BLOCK-----
  2. 将主公钥导入到您的密钥环中。

    $ gpg --import primary-public-key.txt gpg: directory `/home/.../.gnupg' created gpg: new configuration file `/home/.../.gnupg/gpg.conf' created gpg: WARNING: options in `/home/.../.gnupg/gpg.conf' are not yet active during this run gpg: keyring `/home/.../.gnupg/secring.gpg' created gpg: keyring `/home/.../.gnupg/pubring.gpg' created gpg: /home/.../.gnupg/trustdb.gpg: trustdb created gpg: key 73AD885A: public key "AWS SAM CLI Primary <aws-sam-cli-primary@amazon.com>" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1)
  3. 复制签署人公钥并将其作为 .txt 文件保存到本地计算机。例如 signer-public-key.txt

    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: GnuPG v2.0.22 (GNU/Linux)
    
    mQINBGgrxIgBEADGCTudveeeVbWpZDGX9Ni57mBRMVSJwQJ6F/PC34jw0DozxTtd
    H+ZPsXLvLwerN/DVXbK8E1qNZ5RGptak8j7MPz+MC3n4txibEJpB61vpjJJM+9cC
    7whaMLDT/SbykHYXdrnHqa8KsUJl7rPLJcaRN722NSxvYVMIOA9ffVXV7cfEyZi5
    MbYF2Gc9LNbKaknImIva7EKeeh2/wI6YCqC5yytyfWU5dL6oHXsgTnFL9mhziMxv
    WhyzawyJG6EJZsJ3WLlbIKApN6XZSXyCxOvlBrebYZjD5v0nA+TJaQ7is8atjtOI
    DGe0AViw7kO8ChTpjA7YG/Uu7n/Fy7qLF/3Nz0b6cBNjemjBazQ3A3KNCpi5hqFM
    Uo1WpoVLr5CXQnc0B3fBUnTIoxi0Sk5MKjH9AbYxfgqEX0ZJB9hAlc6LIEy0Yru6
    MMBrIHE86IMl1NfE/DeLnCdPG23+1PttwyOt3+9z5QwmPe3VPpEfCySPcdxHKZSP
    rLile8qDznEvlPDvQ0qkBxdMtVa2yct5VJkdqy6UrN2xa0dpspHjRUjHh/EY/xMt
    fwMUjOKohaZ/1pjotCcksAsZWUxCNcFvLYxuxeytVk4F09Es1hj4ihhLUI+43/ic
    3DHSEiext7Q8/UccNArkhSCT7UOvvL7QTuP+pjYTyiC8Vx6g/Y5Ht5+qywARAQAB
    tDBBV1MgU0FNIENMSSBUZWFtIDxhd3Mtc2FtLWNsaS1zaWduZXJAYW1hem9uLmNv
    bT6JAj8EEwEJACkFAmgrxIgCGy8FCQPCZwAHCwkIBwMCAQYVCAIJCgsEFgIDAQIe
    AQIXgAAKCRBAlKuxvt/atJo6EAC/5C8uJs76W5f5V5XNAMzwBFiZuYpop3DRReCo
    P68ZZylokAC9ShRZnIOujpDJtlNS7T/G00BzmcpspkYYE531ALaXcHWmb9XV0Ajg
    J8iboAVBLY0C7mhL/cbJ3v9QlpXXjyTuhexkJCV8rdHVX/0H8WqTZplEaRuZ7p8q
    PMxddg4ClwstYuH3O/dmNdlGqfb4Fqy8MnV1yGSXRs5Jf+sDlN2UO4mbpyk/mr1c
    f/jFxmx86IkCWJVvdXWCVTe2AFy3NHCdLtdnEvFhokCOQd9wibUWX0j9vq4cVRZT
    qamnpAQaOlH3lXOwrjqo8b1AIPoRWSfMtCYvh6kA8MAJv4cAznzXILSLtOE0mzaU
    qp5qoy37wNIjeztX6c/q4wss05qTlJhnNu4s3nh5VHultooaYpmDxp+ala5TWeuM
    KZDI4KdAGF4z0Raif+N53ndOYIiXkY0goUbsPCnVrCwoK9PjjyoJncq7c14wNl5O
    IQUZEjyYAQDGZqs5XSfY4zW2cCXatrfozKF7R1kSU14DfJwPUyksoNAQEQezfXyq
    kr0gfIWK1r2nMdqS7WgSx/ypS5kdyrHuPZdaYfEVtuezpoT2lQQxOSZqqlp5hI4R
    nqmPte53WXJhbC0tgTIJWn+Uy/d5Q/aSIfD6o8gNLS1BDs1j1ku0XKu1sFCHUcZG
    aerdsIkCHAQQAQkABgUCaCvFeAAKCRBC/V96c62IWt3/D/9gOLzWtz62lqJRCsri
    wcA/yz88ayKb/GUv3FCT5Nd9JZt8y1tW+AE3SPTdcpfZmt5UN2sRzljO61mpKJzp
    eBvYQ9og/34ZrRQqeg8bz02u34LKYl1gD0xY0bWtB7TGIxIZZYqZECoPR0Dp6ZzB
    abzkRSsJkEk0vbZzJhfWFYs98qfp/G0suFSBE79O8Am33DB2jQ/Sollh1VmNE6Sv
    EOgR6+2yEkS2D0+msJMa/V82v9gBTPnxSlNV1d8Dduvt9rbM3LoxiNXUgx/s52yY
    U6H3bwUcQ3UY6uRe1UWo5QnMFcDwfg43+q5rmjB4xQyX/BaQyF5K0hZyG+42/pH1
    EMwl8qN617FTxo3hvQUi/cBahlhQ8EVYsGnHDVxLCisbq5iZvp7+XtmMy1Q417gT
    EQRo8feJh31elGWlccVR2pZgIm1PQ69dzzseHnnKkGhifik0bDGo5/IH2EgI1KFn
    SG399RMU/qRzOPLVP3i+zSJmhMqG8cnZaUwE5V4P21vQSclhhd2Hv/C4SVKNqA2i
    +oZbHj2vAkuzTTL075AoANebEjPGqwsKZi5mWUE5Pa931JeiXxWZlEB7rkgQ1PAB
    fsDBhYLt4MxCWAhifLMA6uQ4BhXu2RuXOqNfSbqa8jVF6DB6cD8eAHGpPKfJOl30
    LtZnq+n4SfeNbZjD2FQWZR4CrA==
    =lHfs
    -----END PGP PUBLIC KEY BLOCK-----
  4. 将签署人公钥导入到您的密钥环中。

    $ gpg --import signer-public-key.txt gpg: key 4094ABB1BEDFDAB4: public key "AWS SAM CLI Team <aws-sam-cli-signer@amazon.com>" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) gpg: no ultimately trusted keys found

    记下输出中的密钥值。例如 4094ABB1BEDFDAB4

  5. 使用密钥值获取并验证签署人公钥的指纹。

    $ gpg --fingerprint 4094ABB1BEDFDAB4 pub rsa4096 2025-05-19 [SCEA] [expires: 2027-05-19] EF46 3E86 CA31 933B B688 CC1A 4094 ABB1 BEDF DAB4 uid [ unknown] AWS SAM CLI Team <aws-sam-cli-signer@amazon.com>

    指纹应与以下内容匹配:

    EF46 3E86 CA31 933B B688  CC1A 4094 ABB1 BEDF DAB4

    如果指纹字符串不匹配,请不要使用 AWS SAM CLI 安装程序。通过在 aws-sam- GitHub cli 存储库中创建问题来上报给 AWS SAM 团队。

  6. 验证签署人公钥的签名:

    $ gpg --check-sigs 4094ABB1BEDFDAB4 pub rsa4096 2025-05-19 [SCEA] [expires: 2027-05-19] EF463E86CA31933BB688CC1A4094ABB1BEDFDAB4 uid [ unknown] AWS SAM CLI Team <aws-sam-cli-signer@amazon.com> sig!3 4094ABB1BEDFDAB4 2025-05-19 [self-signature] sig! 42FD5F7A73AD885A 2025-05-19 AWS SAM CLI Primary <aws-sam-cli-primary@amazon.com>

    如果看到 1 signature not checked due to a missing key,请重复前面的步骤,将主公钥和签署人公钥导入到密钥环中。

    您应该会看到列出的主公钥和签署人公钥的密钥值。

现在,您已经验证了签署人公钥的完整性,您可以使用签署人公钥来验证 AWS SAM CLI 软件包安装程序。

验证的完整性 AWS SAM CLI 软件包安装程序
  1. 获取 AWS SAM CLI 软件包签名文件 - 使用以下命令下载 AWS SAM CLI 软件包安装程序的签名文件:

    $ wget https://github.com/aws/aws-sam-cli/releases/latest/download/aws-sam-cli-linux-arm64.zip.sig
  2. 验证签名文件 – 将两个下载 .sig.zip 文件作为参数传递给 gpg 命令。以下是示例:

    $ gpg --verify aws-sam-cli-linux-arm64.zip.sig aws-sam-cli-linux-arm64.zip

    该输出值应该类似于以下内容:

    gpg: Signature made Mon 19 May 2025 01:21:57 AM UTC using RSA key ID 4094ABB1BEDFDAB4
    gpg: Good signature from "AWS SAM CLI Team <aws-sam-cli-signer@amazon.com>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: EF46 3E86 CA31 933B B688  CC1A 4094 ABB1 BEDF DAB4
    • 可以忽略消息WARNING: This key is not certified with a trusted signature!。之所以出现此警告,是因为您的个人 PGP 密钥(如果您有)和 AWS SAM CLI 密钥之间没有信任链。有关更多信息,请参阅信任 Web

    • 如果输出包含短语 BAD signature,则检查是否正确执行了此过程。如果您继续收到此回复,请通过在 aws-sam-cli GitHub 存储库创建问题来上报给 AWS SAM 团队,并避免使用下载的文件。

    消息Good signature from "AWS SAM CLI Team <aws-sam-cli-signer@amazon.com>"表示签名已通过验证,您可以继续安装。

x86_64 - 命令行安装程序

AWS SAM 使用 GnuPG 对.zip 安装程序进行签名 AWS SAMCLI。验证过程需要执行以下步骤:

  1. 使用主公钥验证签署人公钥。

  2. 使用签署人公钥验证 AWS SAM CLI 软件包安装程序。

验证签署人公钥的完整性
  1. 复制主公钥并将其作为 .txt 文件保存到本地计算机。例如 primary-public-key.txt

    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: GnuPG v2.0.22 (GNU/Linux)
    
    mQINBGRuSzMBEADsqiwOy78w7F4+sshaMFRIwRGNRm94p5Qey2KMZBxekFtoryVD
    D9jEOnvupx4tvhfBHz5EcUHCEOdl4MTqdBy6vVAshozgxVb9RE8JpECn5lw7XC69
    4Y7Gy1TKKQMEWtDXElkGxIFdUWvWjSnPlzfnoXwQYGeE93CUS3h5dImP22Yk1Ct6
    eGGhlcbg1X4L8EpFMj7GvcsU8f7ziVI/PyC1Xwy39Q8/I67ip5eU5ddxO/xHqrbL
    YC7+8pJPbRMej2twT2LrcpWWYAbprMtRoa6WfE0/thoo3xhHpIMHdPfAA86ZNGIN
    kRLjGUg7jnPTRW4Oin3pCc8nT4Tfc1QERkHm641gTC/jUvpmQsM6h/FUVP2i5iE/
    JHpJcMuL2Mg6zDo3x+3gTCf+Wqz3rZzxB+wQT3yryZs6efcQy7nROiRxYBxCSXX0
    2cNYzsYLb/bYaW8yqWIHD5IqKhw269gp2E5Khs60zgS3CorMb5/xHgXjUCVgcu8a
    a8ncdf9fjl3WS5p0ohetPbO2ZjWv+MaqrZOmUIgKbA4RpWZ/fU97P5BW9ylwmIDB
    sWy0cMxg8MlvSdLytPieogaM0qMg3u5qXRGBr6Wmevkty0qgnmpGGc5zPiUbtOE8
    CnFFqyxBpj5IOnG0KZGVihvn+iRxrv6GO7WWO92+Dc6m94U0EEiBR7QiOwARAQAB
    tDRBV1MgU0FNIENMSSBQcmltYXJ5IDxhd3Mtc2FtLWNsaS1wcmltYXJ5QGFtYXpv
    bi5jb20+iQI/BBMBCQApBQJkbkszAhsvBQkHhM4ABwsJCAcDAgEGFQgCCQoLBBYC
    AwECHgECF4AACgkQQv1fenOtiFqTuhAAzi5+ju5UVOWqHKevOJSO08T4QB8HcqAE
    SVO3mY6/j29knkcL8ubZP/DbpV7QpHPI2PB5qSXsiDTP3IYPbeY78zHSDjljaIK3
    njJLMScFeGPyfPpwMsuY4nzrRIgAtXShPA8N/k4ZJcafnpNqKj7QnPxiC1KaIQWm
    pOtvb8msUF3/s0UTa5Ys/lNRhVC0eGg32ogXGdojZA2kHZWdm9udLo4CDrDcrQT7
    NtDcJASapXSQL63XfAS3snEc4e1941YxcjfYZ33rel8K9juyDZfi1slWR/L3AviI
    QFIaqSHzyOtP1oinUkoVwL8ThevKD3Ag9CZflZLzNCV7yqlF8RlhEZ4zcE/3s9El
    WzCFsozb5HfE1AZonmrDh3SyOEIBMcS6vG5dWnvJrAuSYv2rX38++K5Pr/MIAfOX
    DOI1rtA+XDsHNv9lSwSy0lt+iClawZANO9IXCiN1rOYcVQlwzDFwCNWDgkwdOqS0
    gOA2f8NF9lE5nBbeEuYquoOl1Vy8+ICbgOFs9LoWZlnVh7/RyY6ssowiU9vGUnHI
    L8f9jqRspIz/Fm3JD86ntZxLVGkeZUz62FqErdohYfkFIVcv7GONTEyrz5HLlnpv
    FJ0MR0HjrMrZrnOVZnwBKhpbLocTsH+3t5It4ReYEX0f1DIOL/KRwPvjMvBVkXY5
    hblRVDQoOWc=
    =d9oG
    -----END PGP PUBLIC KEY BLOCK-----
  2. 将主公钥导入到您的密钥环中。

    $ gpg --import primary-public-key.txt gpg: directory `/home/.../.gnupg' created gpg: new configuration file `/home/.../.gnupg/gpg.conf' created gpg: WARNING: options in `/home/.../.gnupg/gpg.conf' are not yet active during this run gpg: keyring `/home/.../.gnupg/secring.gpg' created gpg: keyring `/home/.../.gnupg/pubring.gpg' created gpg: /home/.../.gnupg/trustdb.gpg: trustdb created gpg: key 73AD885A: public key "AWS SAM CLI Primary <aws-sam-cli-primary@amazon.com>" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1)
  3. 复制签署人公钥并将其作为 .txt 文件保存到本地计算机。例如 signer-public-key.txt

    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: GnuPG v2.0.22 (GNU/Linux)
    
    mQINBGgrxIgBEADGCTudveeeVbWpZDGX9Ni57mBRMVSJwQJ6F/PC34jw0DozxTtd
    H+ZPsXLvLwerN/DVXbK8E1qNZ5RGptak8j7MPz+MC3n4txibEJpB61vpjJJM+9cC
    7whaMLDT/SbykHYXdrnHqa8KsUJl7rPLJcaRN722NSxvYVMIOA9ffVXV7cfEyZi5
    MbYF2Gc9LNbKaknImIva7EKeeh2/wI6YCqC5yytyfWU5dL6oHXsgTnFL9mhziMxv
    WhyzawyJG6EJZsJ3WLlbIKApN6XZSXyCxOvlBrebYZjD5v0nA+TJaQ7is8atjtOI
    DGe0AViw7kO8ChTpjA7YG/Uu7n/Fy7qLF/3Nz0b6cBNjemjBazQ3A3KNCpi5hqFM
    Uo1WpoVLr5CXQnc0B3fBUnTIoxi0Sk5MKjH9AbYxfgqEX0ZJB9hAlc6LIEy0Yru6
    MMBrIHE86IMl1NfE/DeLnCdPG23+1PttwyOt3+9z5QwmPe3VPpEfCySPcdxHKZSP
    rLile8qDznEvlPDvQ0qkBxdMtVa2yct5VJkdqy6UrN2xa0dpspHjRUjHh/EY/xMt
    fwMUjOKohaZ/1pjotCcksAsZWUxCNcFvLYxuxeytVk4F09Es1hj4ihhLUI+43/ic
    3DHSEiext7Q8/UccNArkhSCT7UOvvL7QTuP+pjYTyiC8Vx6g/Y5Ht5+qywARAQAB
    tDBBV1MgU0FNIENMSSBUZWFtIDxhd3Mtc2FtLWNsaS1zaWduZXJAYW1hem9uLmNv
    bT6JAj8EEwEJACkFAmgrxIgCGy8FCQPCZwAHCwkIBwMCAQYVCAIJCgsEFgIDAQIe
    AQIXgAAKCRBAlKuxvt/atJo6EAC/5C8uJs76W5f5V5XNAMzwBFiZuYpop3DRReCo
    P68ZZylokAC9ShRZnIOujpDJtlNS7T/G00BzmcpspkYYE531ALaXcHWmb9XV0Ajg
    J8iboAVBLY0C7mhL/cbJ3v9QlpXXjyTuhexkJCV8rdHVX/0H8WqTZplEaRuZ7p8q
    PMxddg4ClwstYuH3O/dmNdlGqfb4Fqy8MnV1yGSXRs5Jf+sDlN2UO4mbpyk/mr1c
    f/jFxmx86IkCWJVvdXWCVTe2AFy3NHCdLtdnEvFhokCOQd9wibUWX0j9vq4cVRZT
    qamnpAQaOlH3lXOwrjqo8b1AIPoRWSfMtCYvh6kA8MAJv4cAznzXILSLtOE0mzaU
    qp5qoy37wNIjeztX6c/q4wss05qTlJhnNu4s3nh5VHultooaYpmDxp+ala5TWeuM
    KZDI4KdAGF4z0Raif+N53ndOYIiXkY0goUbsPCnVrCwoK9PjjyoJncq7c14wNl5O
    IQUZEjyYAQDGZqs5XSfY4zW2cCXatrfozKF7R1kSU14DfJwPUyksoNAQEQezfXyq
    kr0gfIWK1r2nMdqS7WgSx/ypS5kdyrHuPZdaYfEVtuezpoT2lQQxOSZqqlp5hI4R
    nqmPte53WXJhbC0tgTIJWn+Uy/d5Q/aSIfD6o8gNLS1BDs1j1ku0XKu1sFCHUcZG
    aerdsIkCHAQQAQkABgUCaCvFeAAKCRBC/V96c62IWt3/D/9gOLzWtz62lqJRCsri
    wcA/yz88ayKb/GUv3FCT5Nd9JZt8y1tW+AE3SPTdcpfZmt5UN2sRzljO61mpKJzp
    eBvYQ9og/34ZrRQqeg8bz02u34LKYl1gD0xY0bWtB7TGIxIZZYqZECoPR0Dp6ZzB
    abzkRSsJkEk0vbZzJhfWFYs98qfp/G0suFSBE79O8Am33DB2jQ/Sollh1VmNE6Sv
    EOgR6+2yEkS2D0+msJMa/V82v9gBTPnxSlNV1d8Dduvt9rbM3LoxiNXUgx/s52yY
    U6H3bwUcQ3UY6uRe1UWo5QnMFcDwfg43+q5rmjB4xQyX/BaQyF5K0hZyG+42/pH1
    EMwl8qN617FTxo3hvQUi/cBahlhQ8EVYsGnHDVxLCisbq5iZvp7+XtmMy1Q417gT
    EQRo8feJh31elGWlccVR2pZgIm1PQ69dzzseHnnKkGhifik0bDGo5/IH2EgI1KFn
    SG399RMU/qRzOPLVP3i+zSJmhMqG8cnZaUwE5V4P21vQSclhhd2Hv/C4SVKNqA2i
    +oZbHj2vAkuzTTL075AoANebEjPGqwsKZi5mWUE5Pa931JeiXxWZlEB7rkgQ1PAB
    fsDBhYLt4MxCWAhifLMA6uQ4BhXu2RuXOqNfSbqa8jVF6DB6cD8eAHGpPKfJOl30
    LtZnq+n4SfeNbZjD2FQWZR4CrA==
    =lHfs
    -----END PGP PUBLIC KEY BLOCK-----
  4. 将签署人公钥导入到您的密钥环中。

    $ gpg --import signer-public-key.txt gpg: key 4094ABB1BEDFDAB4: public key "AWS SAM CLI Team <aws-sam-cli-signer@amazon.com>" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) gpg: no ultimately trusted keys found

    记下输出中的密钥值。例如 4094ABB1BEDFDAB4

  5. 使用密钥值获取并验证签署人公钥的指纹。

    $ gpg --fingerprint 4094ABB1BEDFDAB4 pub rsa4096 2025-05-19 [SCEA] [expires: 2027-05-19] EF46 3E86 CA31 933B B688 CC1A 4094 ABB1 BEDF DAB4 uid [ unknown] AWS SAM CLI Team <aws-sam-cli-signer@amazon.com>

    指纹应与以下内容匹配:

    EF46 3E86 CA31 933B B688  CC1A 4094 ABB1 BEDF DAB4

    如果指纹字符串不匹配,请不要使用 AWS SAM CLI 安装程序。通过在 aws-sam- GitHub cli 存储库中创建问题来上报给 AWS SAM 团队。

  6. 验证签署人公钥的签名:

    $ gpg --check-sigs 4094ABB1BEDFDAB4 pub rsa4096 2025-05-19 [SCEA] [expires: 2027-05-19] EF463E86CA31933BB688CC1A4094ABB1BEDFDAB4 uid [ unknown] AWS SAM CLI Team <aws-sam-cli-signer@amazon.com> sig!3 4094ABB1BEDFDAB4 2025-05-19 [self-signature] sig! 42FD5F7A73AD885A 2025-05-19 AWS SAM CLI Primary <aws-sam-cli-primary@amazon.com>

    如果看到 1 signature not checked due to a missing key,请重复前面的步骤,将主公钥和签署人公钥导入到密钥环中。

    您应该会看到列出的主公钥和签署人公钥的密钥值。

现在,您已经验证了签署人公钥的完整性,您可以使用签署人公钥来验证 AWS SAM CLI 软件包安装程序。

验证的完整性 AWS SAM CLI 软件包安装程序
  1. 获取 AWS SAM CLI 软件包签名文件 - 使用以下命令下载 AWS SAM CLI 软件包安装程序的签名文件:

    $ wget https://github.com/aws/aws-sam-cli/releases/latest/download/aws-sam-cli-linux-x86_64.zip.sig
  2. 验证签名文件 – 将两个下载 .sig.zip 文件作为参数传递给 gpg 命令。以下是示例:

    $ gpg --verify aws-sam-cli-linux-x86_64.zip.sig aws-sam-cli-linux-x86_64.zip

    该输出值应该类似于以下内容:

    gpg: Signature made Mon 19 May 2025 01:21:57 AM UTC using RSA key ID 4094ABB1BEDFDAB4
    gpg: Good signature from "AWS SAM CLI Team <aws-sam-cli-signer@amazon.com>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: EF46 3E86 CA31 933B B688  CC1A 4094 ABB1 BEDF DAB4
    • 可以忽略消息WARNING: This key is not certified with a trusted signature!。之所以出现此警告,是因为您的个人 PGP 密钥(如果您有)和 AWS SAM CLI 密钥之间没有信任链。有关更多信息,请参阅信任 Web

    • 如果输出包含短语 BAD signature,则检查是否正确执行了此过程。如果您继续收到此回复,请通过在 aws-sam-cli GitHub 存储库创建问题来上报给 AWS SAM 团队,并避免使用下载的文件。

    消息Good signature from "AWS SAM CLI Team <aws-sam-cli-signer@amazon.com>"表示签名已通过验证,您可以继续安装。

macOS

GUI 和命令行安装程序

您可以使用 pkgutil 工具或手动验证 AWS SAM CLI 软件包安装程序签名文件的完整性。

使用 pkgutil 进行验证
  1. 运行以下命令,提供下载的安装程序在本地计算机上的路径:

    $ pkgutil --check-signature /path/to/aws-sam-cli-installer.pkg

    以下是示例:

    $ pkgutil --check-signature /Users/user/Downloads/aws-sam-cli-macos-arm64.pkg
  2. 从输出中找到 Developer ID Installer: AMZN Mobile LLC 的 SHA256 fingerprint。以下是示例:

    Package "aws-sam-cli-macos-arm64.pkg":
       Status: signed by a developer certificate issued by Apple for distribution
       Notarization: trusted by the Apple notary service
       Signed with a trusted timestamp on: 2026-01-28 07:39:16 +0000
       Certificate Chain:
        1. Developer ID Installer: AMZN Mobile LLC (94KV3E626L)
           Expires: 2030-09-26 00:18:06 +0000
           SHA256 Fingerprint:
               5C 45 BE 63 FD 52 10 07 2D 66 56 77 5C A9 FF 25 91 6D 3F 01 F7 0E
               9A 8A 05 F6 2D 62 B2 88 8D A9
           ------------------------------------------------------------------------
        2. Developer ID Certification Authority
           Expires: 2031-09-17 00:00:00 +0000
           SHA256 Fingerprint:
               F1 6C D3 C5 4C 7F 83 CE A4 BF 1A 3E 6A 08 19 C8 AA A8 E4 A1 52 8F
               D1 44 71 5F 35 06 43 D2 DF 3A
           ------------------------------------------------------------------------
        3. Apple Root CA
           Expires: 2035-02-09 21:40:36 +0000
           SHA256 Fingerprint:
               B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C
               68 C5 BE 91 B5 A1 10 01 F0 24
  3. Developer ID Installer: AMZN Mobile LLC SHA256 fingerprint 应匹配以下值:

    5C 45 BE 63 FD 52 10 07 2D 66 56 77 5C A9 FF 25 91 6D 3F 01 F7 0E 9A 8A 05 F6 2D 62 B2 88 8D A9

    如果指纹字符串不匹配,请不要使用 AWS SAM CLI 安装程序。通过在 aws-sam- GitHub cli 存储库中创建问题来上报给 AWS SAM 团队。如果指纹字符串匹配,您可以继续使用软件包安装程序。

手动验证软件包安装程序

Windows

AWS SAMCLI安装程序打包为Windows操作系统的MSI文件。

验证安装程序的完整性
  1. Right-click 在安装程序上打开属性窗口。

  2. 选择数字签名选项卡。

  3. 签名列表中,选择 Amazon Web Services, Inc.,然后选择详细信息

  4. 选择常规选项卡 (如果尚未选择),然后选择查看证书

  5. 选择详细信息选项卡,然后选择显示下拉列表中的全部 (如果尚未选择)。

  6. 向下滚动直至您看到指纹字段,然后选择指纹。这将在下部窗口中显示整个指纹值。

  7. 将指纹值与以下值进行匹配。如果值匹配,就继续安装。如果不是,请通过在 aws-sam- GitHub cli 存储库中创建问题来上报给 AWS SAM 团队。

    6c 4e f0 59 67 db 0a 2c 69 87 17 31 ec 9e 51 5d 7c d6 e9 52

验证哈希值

Linux

x86_64 - 命令行安装程序

使用以下命令生成哈希值,验证下载的安装程序文件的完整性和真实性:

$ sha256sum aws-sam-cli-linux-x86_64.zip

输出应与以下示例类似:

<64-character SHA256 hash value> aws-sam-cli-linux-x86_64.zip

在的AWS SAMCLI发行说明中,将 64 个字符的 SHA-256 哈希值与所需 AWS SAMCLI版本的哈希值进行GitHub比较。

macOS

GUI 和命令行安装程序

使用以下命令生成哈希值,验证下载的安装程序的完整性和真实性:

$ shasum -a 256 path-to-pkg-installer/name-of-pkg-installer # Examples $ shasum -a 256 ~/Downloads/aws-sam-cli-macos-arm64.pkg $ shasum -a 256 ~/Downloads/aws-sam-cli-macos-x86_64.pkg

将 64 个字符的 SHA-256 哈希值与AWS SAMCLI发行说明GitHub存储库中的相应值进行比较。