本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 選用:驗證安裝程式的 AWS SAM CLI完整性
使用套件安裝程式安裝 AWS Serverless Application Model 命令列界面 (AWS SAM CLI) 時,您可以在安裝之前驗證其完整性。這是選用但強烈建議的步驟。
您可用的兩個驗證選項是:
+ 驗證套件安裝程式簽章檔案。
+ 驗證套件安裝程式雜湊值。
適用於您的平台時,建議您驗證簽章檔案選項。此選項提供額外的安全層,因為金鑰值會在此處發佈,並與儲存GitHub庫分開管理。
**Topics**
+ [驗證安裝程式簽章檔案](#reference-sam-cli-install-verify-signature)
+ [驗證雜湊值](#reference-sam-cli-install-verify-hash)
## 驗證安裝程式簽章檔案
### Linux
#### arm64 - 命令列安裝程式
AWS SAM 使用 [GnuPG](https://www.gnupg.org/) 簽署 AWS SAM CLI .zip 安裝程式。驗證會在下列步驟中執行:
1. 使用主要公有金鑰來驗證簽署者公有金鑰。
1. 使用簽署者公有金鑰來驗證 AWS SAM CLI套件安裝程式。
**驗證簽署者公有金鑰的完整性**
1. 複製主要公有金鑰,並將其儲存為 `.txt` 檔案到您的本機電腦。例如 *`primary-public-key.txt`*。
```
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)
mQINBGRuSzMBEADsqiwOy78w7F4+sshaMFRIwRGNRm94p5Qey2KMZBxekFtoryVD
D9jEOnvupx4tvhfBHz5EcUHCEOdl4MTqdBy6vVAshozgxVb9RE8JpECn5lw7XC69
4Y7Gy1TKKQMEWtDXElkGxIFdUWvWjSnPlzfnoXwQYGeE93CUS3h5dImP22Yk1Ct6
eGGhlcbg1X4L8EpFMj7GvcsU8f7ziVI/PyC1Xwy39Q8/I67ip5eU5ddxO/xHqrbL
YC7+8pJPbRMej2twT2LrcpWWYAbprMtRoa6WfE0/thoo3xhHpIMHdPfAA86ZNGIN
kRLjGUg7jnPTRW4Oin3pCc8nT4Tfc1QERkHm641gTC/jUvpmQsM6h/FUVP2i5iE/
JHpJcMuL2Mg6zDo3x+3gTCf+Wqz3rZzxB+wQT3yryZs6efcQy7nROiRxYBxCSXX0
2cNYzsYLb/bYaW8yqWIHD5IqKhw269gp2E5Khs60zgS3CorMb5/xHgXjUCVgcu8a
a8ncdf9fjl3WS5p0ohetPbO2ZjWv+MaqrZOmUIgKbA4RpWZ/fU97P5BW9ylwmIDB
sWy0cMxg8MlvSdLytPieogaM0qMg3u5qXRGBr6Wmevkty0qgnmpGGc5zPiUbtOE8
CnFFqyxBpj5IOnG0KZGVihvn+iRxrv6GO7WWO92+Dc6m94U0EEiBR7QiOwARAQAB
tDRBV1MgU0FNIENMSSBQcmltYXJ5IDxhd3Mtc2FtLWNsaS1wcmltYXJ5QGFtYXpv
bi5jb20+iQI/BBMBCQApBQJkbkszAhsvBQkHhM4ABwsJCAcDAgEGFQgCCQoLBBYC
AwECHgECF4AACgkQQv1fenOtiFqTuhAAzi5+ju5UVOWqHKevOJSO08T4QB8HcqAE
SVO3mY6/j29knkcL8ubZP/DbpV7QpHPI2PB5qSXsiDTP3IYPbeY78zHSDjljaIK3
njJLMScFeGPyfPpwMsuY4nzrRIgAtXShPA8N/k4ZJcafnpNqKj7QnPxiC1KaIQWm
pOtvb8msUF3/s0UTa5Ys/lNRhVC0eGg32ogXGdojZA2kHZWdm9udLo4CDrDcrQT7
NtDcJASapXSQL63XfAS3snEc4e1941YxcjfYZ33rel8K9juyDZfi1slWR/L3AviI
QFIaqSHzyOtP1oinUkoVwL8ThevKD3Ag9CZflZLzNCV7yqlF8RlhEZ4zcE/3s9El
WzCFsozb5HfE1AZonmrDh3SyOEIBMcS6vG5dWnvJrAuSYv2rX38++K5Pr/MIAfOX
DOI1rtA+XDsHNv9lSwSy0lt+iClawZANO9IXCiN1rOYcVQlwzDFwCNWDgkwdOqS0
gOA2f8NF9lE5nBbeEuYquoOl1Vy8+ICbgOFs9LoWZlnVh7/RyY6ssowiU9vGUnHI
L8f9jqRspIz/Fm3JD86ntZxLVGkeZUz62FqErdohYfkFIVcv7GONTEyrz5HLlnpv
FJ0MR0HjrMrZrnOVZnwBKhpbLocTsH+3t5It4ReYEX0f1DIOL/KRwPvjMvBVkXY5
hblRVDQoOWc=
=d9oG
-----END PGP PUBLIC KEY BLOCK-----
```
1. 將主要公有金鑰匯入至 keyring。
```
$ gpg --import primary-public-key.txt
gpg: directory `/home/.../.gnupg' created
gpg: new configuration file `/home/.../.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/.../.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/.../.gnupg/secring.gpg' created
gpg: keyring `/home/.../.gnupg/pubring.gpg' created
gpg: /home/.../.gnupg/trustdb.gpg: trustdb created
gpg: key 73AD885A: public key "AWS SAM CLI Primary " imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
```
1. 複製簽署者公有金鑰並將其儲存到本機電腦做為`.txt`檔案。例如 *`signer-public-key.txt`*。
```
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)
mQINBGgrxIgBEADGCTudveeeVbWpZDGX9Ni57mBRMVSJwQJ6F/PC34jw0DozxTtd
H+ZPsXLvLwerN/DVXbK8E1qNZ5RGptak8j7MPz+MC3n4txibEJpB61vpjJJM+9cC
7whaMLDT/SbykHYXdrnHqa8KsUJl7rPLJcaRN722NSxvYVMIOA9ffVXV7cfEyZi5
MbYF2Gc9LNbKaknImIva7EKeeh2/wI6YCqC5yytyfWU5dL6oHXsgTnFL9mhziMxv
WhyzawyJG6EJZsJ3WLlbIKApN6XZSXyCxOvlBrebYZjD5v0nA+TJaQ7is8atjtOI
DGe0AViw7kO8ChTpjA7YG/Uu7n/Fy7qLF/3Nz0b6cBNjemjBazQ3A3KNCpi5hqFM
Uo1WpoVLr5CXQnc0B3fBUnTIoxi0Sk5MKjH9AbYxfgqEX0ZJB9hAlc6LIEy0Yru6
MMBrIHE86IMl1NfE/DeLnCdPG23+1PttwyOt3+9z5QwmPe3VPpEfCySPcdxHKZSP
rLile8qDznEvlPDvQ0qkBxdMtVa2yct5VJkdqy6UrN2xa0dpspHjRUjHh/EY/xMt
fwMUjOKohaZ/1pjotCcksAsZWUxCNcFvLYxuxeytVk4F09Es1hj4ihhLUI+43/ic
3DHSEiext7Q8/UccNArkhSCT7UOvvL7QTuP+pjYTyiC8Vx6g/Y5Ht5+qywARAQAB
tDBBV1MgU0FNIENMSSBUZWFtIDxhd3Mtc2FtLWNsaS1zaWduZXJAYW1hem9uLmNv
bT6JAj8EEwEJACkFAmgrxIgCGy8FCQPCZwAHCwkIBwMCAQYVCAIJCgsEFgIDAQIe
AQIXgAAKCRBAlKuxvt/atJo6EAC/5C8uJs76W5f5V5XNAMzwBFiZuYpop3DRReCo
P68ZZylokAC9ShRZnIOujpDJtlNS7T/G00BzmcpspkYYE531ALaXcHWmb9XV0Ajg
J8iboAVBLY0C7mhL/cbJ3v9QlpXXjyTuhexkJCV8rdHVX/0H8WqTZplEaRuZ7p8q
PMxddg4ClwstYuH3O/dmNdlGqfb4Fqy8MnV1yGSXRs5Jf+sDlN2UO4mbpyk/mr1c
f/jFxmx86IkCWJVvdXWCVTe2AFy3NHCdLtdnEvFhokCOQd9wibUWX0j9vq4cVRZT
qamnpAQaOlH3lXOwrjqo8b1AIPoRWSfMtCYvh6kA8MAJv4cAznzXILSLtOE0mzaU
qp5qoy37wNIjeztX6c/q4wss05qTlJhnNu4s3nh5VHultooaYpmDxp+ala5TWeuM
KZDI4KdAGF4z0Raif+N53ndOYIiXkY0goUbsPCnVrCwoK9PjjyoJncq7c14wNl5O
IQUZEjyYAQDGZqs5XSfY4zW2cCXatrfozKF7R1kSU14DfJwPUyksoNAQEQezfXyq
kr0gfIWK1r2nMdqS7WgSx/ypS5kdyrHuPZdaYfEVtuezpoT2lQQxOSZqqlp5hI4R
nqmPte53WXJhbC0tgTIJWn+Uy/d5Q/aSIfD6o8gNLS1BDs1j1ku0XKu1sFCHUcZG
aerdsIkCHAQQAQkABgUCaCvFeAAKCRBC/V96c62IWt3/D/9gOLzWtz62lqJRCsri
wcA/yz88ayKb/GUv3FCT5Nd9JZt8y1tW+AE3SPTdcpfZmt5UN2sRzljO61mpKJzp
eBvYQ9og/34ZrRQqeg8bz02u34LKYl1gD0xY0bWtB7TGIxIZZYqZECoPR0Dp6ZzB
abzkRSsJkEk0vbZzJhfWFYs98qfp/G0suFSBE79O8Am33DB2jQ/Sollh1VmNE6Sv
EOgR6+2yEkS2D0+msJMa/V82v9gBTPnxSlNV1d8Dduvt9rbM3LoxiNXUgx/s52yY
U6H3bwUcQ3UY6uRe1UWo5QnMFcDwfg43+q5rmjB4xQyX/BaQyF5K0hZyG+42/pH1
EMwl8qN617FTxo3hvQUi/cBahlhQ8EVYsGnHDVxLCisbq5iZvp7+XtmMy1Q417gT
EQRo8feJh31elGWlccVR2pZgIm1PQ69dzzseHnnKkGhifik0bDGo5/IH2EgI1KFn
SG399RMU/qRzOPLVP3i+zSJmhMqG8cnZaUwE5V4P21vQSclhhd2Hv/C4SVKNqA2i
+oZbHj2vAkuzTTL075AoANebEjPGqwsKZi5mWUE5Pa931JeiXxWZlEB7rkgQ1PAB
fsDBhYLt4MxCWAhifLMA6uQ4BhXu2RuXOqNfSbqa8jVF6DB6cD8eAHGpPKfJOl30
LtZnq+n4SfeNbZjD2FQWZR4CrA==
=lHfs
-----END PGP PUBLIC KEY BLOCK-----
```
1. 將簽署者公有金鑰匯入至 keyring。
```
$ gpg --import signer-public-key.txt
gpg: key 4094ABB1BEDFDAB4: public key "AWS SAM CLI Team " imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg: no ultimately trusted keys found
```
請記下輸出的索引鍵值。例如 *`4094ABB1BEDFDAB4`*。
1. 使用金鑰值來取得和驗證簽署者公有金鑰指紋。
```
$ gpg --fingerprint 4094ABB1BEDFDAB4
pub rsa4096 2025-05-19 [SCEA] [expires: 2027-05-19]
EF46 3E86 CA31 933B B688 CC1A 4094 ABB1 BEDF DAB4
uid [ unknown] AWS SAM CLI Team
```
指紋應符合下列項目:
```
EF46 3E86 CA31 933B B688 CC1A 4094 ABB1 BEDF DAB4
```
如果指紋字串不相符,請勿使用 AWS SAM CLI安裝程式。在 *aws-sam-cli GitHub 儲存庫*中[建立問題](https://github.com/aws/aws-sam-cli/issues/new?assignees=&labels=stage%2Fneeds-triage&projects=&template=Bug_report.md&title=Bug%3A+TITLE),向 AWS SAM 團隊呈報。
1. 驗證簽署者公有金鑰的簽章:
```
$ gpg --check-sigs 4094ABB1BEDFDAB4
pub rsa4096 2025-05-19 [SCEA] [expires: 2027-05-19]
EF463E86CA31933BB688CC1A4094ABB1BEDFDAB4
uid [ unknown] AWS SAM CLI Team
sig!3 4094ABB1BEDFDAB4 2025-05-19 [self-signature]
sig! 42FD5F7A73AD885A 2025-05-19 AWS SAM CLI Primary
```
如果您看到 `1 signature not checked due to a missing key`,請重複上述步驟,將主要和簽署者公有金鑰匯入至 keyring。
您應該會看到列出的主要公有金鑰和簽署者公有金鑰的金鑰值。
現在您已驗證簽署者公有金鑰的完整性,您可以使用簽署者公有金鑰來驗證 AWS SAM CLI套件安裝程式。
**驗證套件安裝程式的 AWS SAM CLI完整性**
1. **取得 AWS SAM CLI套件簽章檔案** – 使用下列命令下載套件安裝程式的 AWS SAM CLI簽章檔案:
```
$ wget https://github.com/aws/aws-sam-cli/releases/latest/download/aws-sam-cli-linux-arm64.zip.sig
```
1. **驗證簽章檔案** – 將下載的 `.sig`和 `.zip` 檔案做為參數傳遞至 `gpg`命令。以下是範例:
```
$ gpg --verify aws-sam-cli-linux-arm64.zip.sig aws-sam-cli-linux-arm64.zip
```
輸出格式應類似以下內容:
```
gpg: Signature made Mon 19 May 2025 01:21:57 AM UTC using RSA key ID 4094ABB1BEDFDAB4
gpg: Good signature from "AWS SAM CLI Team "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF46 3E86 CA31 933B B688 CC1A 4094 ABB1 BEDF DAB4
```
+ 您可以忽略`WARNING: This key is not certified with a trusted signature!`訊息。這是因為您的個人 PGP 金鑰 (如果有的話) 與 AWS SAM CLI PGP 金鑰之間沒有信任鏈。如需詳細資訊,請參閱[信任 Web](https://en.wikipedia.org/wiki/Web_of_trust)。
+ 如果輸出包含片語 `BAD signature`,請檢查您是否正確執行程序。如果您繼續取得此回應,請在 *aws-sam-cli GitHub 儲存庫*中[建立問題](https://github.com/aws/aws-sam-cli/issues/new?assignees=&labels=stage%2Fneeds-triage&projects=&template=Bug_report.md&title=Bug%3A+TITLE),並避免使用下載的檔案,以向 AWS SAM 團隊呈報。
`Good signature from "AWS SAM CLI Team "` 訊息表示簽章已經過驗證,您可以繼續進行安裝。
#### x86\$164 - 命令列安裝程式
AWS SAM 使用 [GnuPG](https://www.gnupg.org/) 簽署 AWS SAM CLI .zip 安裝程式。驗證會在下列步驟中執行:
1. 使用主要公有金鑰來驗證簽署者公有金鑰。
1. 使用簽署者公有金鑰來驗證 AWS SAM CLI套件安裝程式。
**驗證簽署者公有金鑰的完整性**
1. 複製主要公有金鑰,並將其儲存為 `.txt` 檔案到您的本機電腦。例如 *`primary-public-key.txt`*。
```
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)
mQINBGRuSzMBEADsqiwOy78w7F4+sshaMFRIwRGNRm94p5Qey2KMZBxekFtoryVD
D9jEOnvupx4tvhfBHz5EcUHCEOdl4MTqdBy6vVAshozgxVb9RE8JpECn5lw7XC69
4Y7Gy1TKKQMEWtDXElkGxIFdUWvWjSnPlzfnoXwQYGeE93CUS3h5dImP22Yk1Ct6
eGGhlcbg1X4L8EpFMj7GvcsU8f7ziVI/PyC1Xwy39Q8/I67ip5eU5ddxO/xHqrbL
YC7+8pJPbRMej2twT2LrcpWWYAbprMtRoa6WfE0/thoo3xhHpIMHdPfAA86ZNGIN
kRLjGUg7jnPTRW4Oin3pCc8nT4Tfc1QERkHm641gTC/jUvpmQsM6h/FUVP2i5iE/
JHpJcMuL2Mg6zDo3x+3gTCf+Wqz3rZzxB+wQT3yryZs6efcQy7nROiRxYBxCSXX0
2cNYzsYLb/bYaW8yqWIHD5IqKhw269gp2E5Khs60zgS3CorMb5/xHgXjUCVgcu8a
a8ncdf9fjl3WS5p0ohetPbO2ZjWv+MaqrZOmUIgKbA4RpWZ/fU97P5BW9ylwmIDB
sWy0cMxg8MlvSdLytPieogaM0qMg3u5qXRGBr6Wmevkty0qgnmpGGc5zPiUbtOE8
CnFFqyxBpj5IOnG0KZGVihvn+iRxrv6GO7WWO92+Dc6m94U0EEiBR7QiOwARAQAB
tDRBV1MgU0FNIENMSSBQcmltYXJ5IDxhd3Mtc2FtLWNsaS1wcmltYXJ5QGFtYXpv
bi5jb20+iQI/BBMBCQApBQJkbkszAhsvBQkHhM4ABwsJCAcDAgEGFQgCCQoLBBYC
AwECHgECF4AACgkQQv1fenOtiFqTuhAAzi5+ju5UVOWqHKevOJSO08T4QB8HcqAE
SVO3mY6/j29knkcL8ubZP/DbpV7QpHPI2PB5qSXsiDTP3IYPbeY78zHSDjljaIK3
njJLMScFeGPyfPpwMsuY4nzrRIgAtXShPA8N/k4ZJcafnpNqKj7QnPxiC1KaIQWm
pOtvb8msUF3/s0UTa5Ys/lNRhVC0eGg32ogXGdojZA2kHZWdm9udLo4CDrDcrQT7
NtDcJASapXSQL63XfAS3snEc4e1941YxcjfYZ33rel8K9juyDZfi1slWR/L3AviI
QFIaqSHzyOtP1oinUkoVwL8ThevKD3Ag9CZflZLzNCV7yqlF8RlhEZ4zcE/3s9El
WzCFsozb5HfE1AZonmrDh3SyOEIBMcS6vG5dWnvJrAuSYv2rX38++K5Pr/MIAfOX
DOI1rtA+XDsHNv9lSwSy0lt+iClawZANO9IXCiN1rOYcVQlwzDFwCNWDgkwdOqS0
gOA2f8NF9lE5nBbeEuYquoOl1Vy8+ICbgOFs9LoWZlnVh7/RyY6ssowiU9vGUnHI
L8f9jqRspIz/Fm3JD86ntZxLVGkeZUz62FqErdohYfkFIVcv7GONTEyrz5HLlnpv
FJ0MR0HjrMrZrnOVZnwBKhpbLocTsH+3t5It4ReYEX0f1DIOL/KRwPvjMvBVkXY5
hblRVDQoOWc=
=d9oG
-----END PGP PUBLIC KEY BLOCK-----
```
1. 將主要公有金鑰匯入至 keyring。
```
$ gpg --import primary-public-key.txt
gpg: directory `/home/.../.gnupg' created
gpg: new configuration file `/home/.../.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/.../.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/.../.gnupg/secring.gpg' created
gpg: keyring `/home/.../.gnupg/pubring.gpg' created
gpg: /home/.../.gnupg/trustdb.gpg: trustdb created
gpg: key 73AD885A: public key "AWS SAM CLI Primary " imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
```
1. 複製簽署者公有金鑰並將其儲存到本機電腦做為`.txt`檔案。例如 *`signer-public-key.txt`*。
```
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)
mQINBGgrxIgBEADGCTudveeeVbWpZDGX9Ni57mBRMVSJwQJ6F/PC34jw0DozxTtd
H+ZPsXLvLwerN/DVXbK8E1qNZ5RGptak8j7MPz+MC3n4txibEJpB61vpjJJM+9cC
7whaMLDT/SbykHYXdrnHqa8KsUJl7rPLJcaRN722NSxvYVMIOA9ffVXV7cfEyZi5
MbYF2Gc9LNbKaknImIva7EKeeh2/wI6YCqC5yytyfWU5dL6oHXsgTnFL9mhziMxv
WhyzawyJG6EJZsJ3WLlbIKApN6XZSXyCxOvlBrebYZjD5v0nA+TJaQ7is8atjtOI
DGe0AViw7kO8ChTpjA7YG/Uu7n/Fy7qLF/3Nz0b6cBNjemjBazQ3A3KNCpi5hqFM
Uo1WpoVLr5CXQnc0B3fBUnTIoxi0Sk5MKjH9AbYxfgqEX0ZJB9hAlc6LIEy0Yru6
MMBrIHE86IMl1NfE/DeLnCdPG23+1PttwyOt3+9z5QwmPe3VPpEfCySPcdxHKZSP
rLile8qDznEvlPDvQ0qkBxdMtVa2yct5VJkdqy6UrN2xa0dpspHjRUjHh/EY/xMt
fwMUjOKohaZ/1pjotCcksAsZWUxCNcFvLYxuxeytVk4F09Es1hj4ihhLUI+43/ic
3DHSEiext7Q8/UccNArkhSCT7UOvvL7QTuP+pjYTyiC8Vx6g/Y5Ht5+qywARAQAB
tDBBV1MgU0FNIENMSSBUZWFtIDxhd3Mtc2FtLWNsaS1zaWduZXJAYW1hem9uLmNv
bT6JAj8EEwEJACkFAmgrxIgCGy8FCQPCZwAHCwkIBwMCAQYVCAIJCgsEFgIDAQIe
AQIXgAAKCRBAlKuxvt/atJo6EAC/5C8uJs76W5f5V5XNAMzwBFiZuYpop3DRReCo
P68ZZylokAC9ShRZnIOujpDJtlNS7T/G00BzmcpspkYYE531ALaXcHWmb9XV0Ajg
J8iboAVBLY0C7mhL/cbJ3v9QlpXXjyTuhexkJCV8rdHVX/0H8WqTZplEaRuZ7p8q
PMxddg4ClwstYuH3O/dmNdlGqfb4Fqy8MnV1yGSXRs5Jf+sDlN2UO4mbpyk/mr1c
f/jFxmx86IkCWJVvdXWCVTe2AFy3NHCdLtdnEvFhokCOQd9wibUWX0j9vq4cVRZT
qamnpAQaOlH3lXOwrjqo8b1AIPoRWSfMtCYvh6kA8MAJv4cAznzXILSLtOE0mzaU
qp5qoy37wNIjeztX6c/q4wss05qTlJhnNu4s3nh5VHultooaYpmDxp+ala5TWeuM
KZDI4KdAGF4z0Raif+N53ndOYIiXkY0goUbsPCnVrCwoK9PjjyoJncq7c14wNl5O
IQUZEjyYAQDGZqs5XSfY4zW2cCXatrfozKF7R1kSU14DfJwPUyksoNAQEQezfXyq
kr0gfIWK1r2nMdqS7WgSx/ypS5kdyrHuPZdaYfEVtuezpoT2lQQxOSZqqlp5hI4R
nqmPte53WXJhbC0tgTIJWn+Uy/d5Q/aSIfD6o8gNLS1BDs1j1ku0XKu1sFCHUcZG
aerdsIkCHAQQAQkABgUCaCvFeAAKCRBC/V96c62IWt3/D/9gOLzWtz62lqJRCsri
wcA/yz88ayKb/GUv3FCT5Nd9JZt8y1tW+AE3SPTdcpfZmt5UN2sRzljO61mpKJzp
eBvYQ9og/34ZrRQqeg8bz02u34LKYl1gD0xY0bWtB7TGIxIZZYqZECoPR0Dp6ZzB
abzkRSsJkEk0vbZzJhfWFYs98qfp/G0suFSBE79O8Am33DB2jQ/Sollh1VmNE6Sv
EOgR6+2yEkS2D0+msJMa/V82v9gBTPnxSlNV1d8Dduvt9rbM3LoxiNXUgx/s52yY
U6H3bwUcQ3UY6uRe1UWo5QnMFcDwfg43+q5rmjB4xQyX/BaQyF5K0hZyG+42/pH1
EMwl8qN617FTxo3hvQUi/cBahlhQ8EVYsGnHDVxLCisbq5iZvp7+XtmMy1Q417gT
EQRo8feJh31elGWlccVR2pZgIm1PQ69dzzseHnnKkGhifik0bDGo5/IH2EgI1KFn
SG399RMU/qRzOPLVP3i+zSJmhMqG8cnZaUwE5V4P21vQSclhhd2Hv/C4SVKNqA2i
+oZbHj2vAkuzTTL075AoANebEjPGqwsKZi5mWUE5Pa931JeiXxWZlEB7rkgQ1PAB
fsDBhYLt4MxCWAhifLMA6uQ4BhXu2RuXOqNfSbqa8jVF6DB6cD8eAHGpPKfJOl30
LtZnq+n4SfeNbZjD2FQWZR4CrA==
=lHfs
-----END PGP PUBLIC KEY BLOCK-----
```
1. 將簽署者公有金鑰匯入至 keyring。
```
$ gpg --import signer-public-key.txt
gpg: key 4094ABB1BEDFDAB4: public key "AWS SAM CLI Team " imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg: no ultimately trusted keys found
```
請記下輸出的索引鍵值。例如 *`4094ABB1BEDFDAB4`*。
1. 使用金鑰值來取得和驗證簽署者公有金鑰指紋。
```
$ gpg --fingerprint 4094ABB1BEDFDAB4
pub rsa4096 2025-05-19 [SCEA] [expires: 2027-05-19]
EF46 3E86 CA31 933B B688 CC1A 4094 ABB1 BEDF DAB4
uid [ unknown] AWS SAM CLI Team
```
指紋應符合下列項目:
```
EF46 3E86 CA31 933B B688 CC1A 4094 ABB1 BEDF DAB4
```
如果指紋字串不相符,請勿使用 AWS SAM CLI安裝程式。在 *aws-sam-cli GitHub 儲存庫*中[建立問題](https://github.com/aws/aws-sam-cli/issues/new?assignees=&labels=stage%2Fneeds-triage&projects=&template=Bug_report.md&title=Bug%3A+TITLE),向 AWS SAM 團隊呈報。
1. 驗證簽署者公有金鑰的簽章:
```
$ gpg --check-sigs 4094ABB1BEDFDAB4
pub rsa4096 2025-05-19 [SCEA] [expires: 2027-05-19]
EF463E86CA31933BB688CC1A4094ABB1BEDFDAB4
uid [ unknown] AWS SAM CLI Team
sig!3 4094ABB1BEDFDAB4 2025-05-19 [self-signature]
sig! 42FD5F7A73AD885A 2025-05-19 AWS SAM CLI Primary
```
如果您看到 `1 signature not checked due to a missing key`,請重複上述步驟,將主要和簽署者公有金鑰匯入至 keyring。
您應該會看到列出的主要公有金鑰和簽署者公有金鑰的金鑰值。
現在您已驗證簽署者公有金鑰的完整性,您可以使用簽署者公有金鑰來驗證 AWS SAM CLI套件安裝程式。
**驗證套件安裝程式的 AWS SAM CLI完整性**
1. **取得 AWS SAM CLI套件簽章檔案** – 使用下列命令下載套件安裝程式的 AWS SAM CLI簽章檔案:
```
$ wget https://github.com/aws/aws-sam-cli/releases/latest/download/aws-sam-cli-linux-x86_64.zip.sig
```
1. **驗證簽章檔案** – 將下載的 `.sig`和 `.zip` 檔案做為參數傳遞至 `gpg`命令。以下是範例:
```
$ gpg --verify aws-sam-cli-linux-x86_64.zip.sig aws-sam-cli-linux-x86_64.zip
```
輸出格式應類似以下內容:
```
gpg: Signature made Mon 19 May 2025 01:21:57 AM UTC using RSA key ID 4094ABB1BEDFDAB4
gpg: Good signature from "AWS SAM CLI Team "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF46 3E86 CA31 933B B688 CC1A 4094 ABB1 BEDF DAB4
```
+ 您可以忽略`WARNING: This key is not certified with a trusted signature!`訊息。這是因為您的個人 PGP 金鑰 (如果有的話) 與 AWS SAM CLI PGP 金鑰之間沒有信任鏈。如需詳細資訊,請參閱[信任 Web](https://en.wikipedia.org/wiki/Web_of_trust)。
+ 如果輸出包含片語 `BAD signature`,請檢查您是否正確執行程序。如果您繼續取得此回應,請在 *aws-sam-cli GitHub 儲存庫*中[建立問題](https://github.com/aws/aws-sam-cli/issues/new?assignees=&labels=stage%2Fneeds-triage&projects=&template=Bug_report.md&title=Bug%3A+TITLE),並避免使用下載的檔案,以向 AWS SAM 團隊呈報。
`Good signature from "AWS SAM CLI Team "` 訊息表示簽章已經過驗證,您可以繼續進行安裝。
### macOS
#### GUI 和命令列安裝程式
您可以使用 `pkgutil`工具或手動驗證套件安裝程式簽章檔案的 AWS SAM CLI完整性。
**使用 pkgutil 驗證**
1. 執行下列命令,提供本機電腦上下載安裝程式的路徑:
```
$ pkgutil --check-signature /path/to/aws-sam-cli-installer.pkg
```
以下是範例:
```
$ pkgutil --check-signature /Users/user/Downloads/aws-sam-cli-macos-arm64.pkg
```
1. 從輸出中,找到適用於 **SHA256 fingerprint**的 **Developer ID Installer: AMZN Mobile LLC**。以下是範例:
```
Package "aws-sam-cli-macos-arm64.pkg":
Status: signed by a developer certificate issued by Apple for distribution
Notarization: trusted by the Apple notary service
Signed with a trusted timestamp on: 2026-01-28 07:39:16 +0000
Certificate Chain:
1. Developer ID Installer: AMZN Mobile LLC (94KV3E626L)
Expires: 2030-09-26 00:18:06 +0000
SHA256 Fingerprint:
5C 45 BE 63 FD 52 10 07 2D 66 56 77 5C A9 FF 25 91 6D 3F 01 F7 0E
9A 8A 05 F6 2D 62 B2 88 8D A9
------------------------------------------------------------------------
2. Developer ID Certification Authority
Expires: 2031-09-17 00:00:00 +0000
SHA256 Fingerprint:
F1 6C D3 C5 4C 7F 83 CE A4 BF 1A 3E 6A 08 19 C8 AA A8 E4 A1 52 8F
D1 44 71 5F 35 06 43 D2 DF 3A
------------------------------------------------------------------------
3. Apple Root CA
Expires: 2035-02-09 21:40:36 +0000
SHA256 Fingerprint:
B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C
68 C5 BE 91 B5 A1 10 01 F0 24
```
1. **Developer ID Installer: AMZN Mobile LLC SHA256 fingerprint** 應該符合下列值:
```
5C 45 BE 63 FD 52 10 07 2D 66 56 77 5C A9 FF 25 91 6D 3F 01 F7 0E 9A 8A 05 F6 2D 62 B2 88 8D A9
```
如果指紋字串不相符,請勿使用 AWS SAM CLI安裝程式。在 *aws-sam-cli GitHub 儲存庫*中[建立問題](https://github.com/aws/aws-sam-cli/issues/new?assignees=&labels=stage%2Fneeds-triage&projects=&template=Bug_report.md&title=Bug%3A+TITLE),向 AWS SAM 團隊呈報。如果指紋字串確實相符,您可以使用套件安裝程式繼續使用 。
**手動驗證套件安裝程式**
+ 請參閱 [Apple 支援網站上的如何驗證手動下載 Apple 軟體更新的真實性](https://support.apple.com/en-us/HT202369)。 **
### Windows
AWS SAM CLI 安裝程式會封裝為Windows作業系統MSI的檔案。
**驗證安裝程式的完整性**
1. 在安裝程式上按一下滑鼠右鍵,然後開啟**屬性**視窗。
1. 選擇 **數位簽章** 索引標籤。
1. 從**簽章清單中**,選擇 **Amazon Web Services, Inc.**,然後選擇**詳細資訊**。
1. 選擇 **General (一般)** 索引標籤 (如果尚未選取),然後選擇 **View Certificate (檢視憑證)**。
1. 選擇**詳細資訊**索引標籤,如果尚未選取,請在**顯示**下拉式清單中選擇**全部**。
1. 向下捲動到看見 **Thumbprint (指紋)** 欄位為止,然後選擇 **Thumbprint (指紋)**。這會在下方的視窗中顯示整個指紋值。
1. 將指紋值與下列值相符。如果值相符,請繼續進行安裝。如果沒有,請在 *aws-sam-cli GitHub 儲存庫*中[建立問題](https://github.com/aws/aws-sam-cli/issues/new?assignees=&labels=stage%2Fneeds-triage&projects=&template=Bug_report.md&title=Bug%3A+TITLE),向 AWS SAM 團隊呈報。
```
cd62479397f09d72a04c7399a254b0a91da53d6c
```
## 驗證雜湊值
### Linux
#### x86\$164 - 命令列安裝程式
使用以下命令產生雜湊值,驗證下載的安裝程式檔案的完整性和真實性:
```
$ sha256sum aws-sam-cli-linux-x86_64.zip
```
輸出應如下所示:
```
<64-character SHA256 hash value> aws-sam-cli-linux-x86_64.zip
```
在 的[AWS SAM CLI版本備註](https://github.com/aws/aws-sam-cli/releases/latest)中,將 64 個字元的 SHA-256 雜湊值與所需 AWS SAM CLI版本的雜湊值進行比較GitHub。
### macOS
#### GUI 和命令列安裝程式
使用以下命令產生雜湊值,驗證下載安裝程式的完整性和真實性:
```
$ shasum -a 256 path-to-pkg-installer/name-of-pkg-installer
# Examples
$ shasum -a 256 ~/Downloads/aws-sam-cli-macos-arm64.pkg
$ shasum -a 256 ~/Downloads/aws-sam-cli-macos-x86_64.pkg
```
將 64 個字元的 SHA-256 雜湊值與[AWS SAM CLI版本備註](https://github.com/aws/aws-sam-cli/releases/latest)GitHub儲存庫中的對應值進行比較。