This PR adds a new SSM Agent key to avoid breaking customers who are using the old installation script.
Note that this repo has been deprecated, since all changes have been migrated to and are maintained in the amazon-ecs-agent GitHub repo.
```
$ curl --proto "https" -o "amazon-ssm-agent.gpg" "https://raw.githubusercontent.com/chienhanlin/amazon-ecs-init/updateSSMGpG/scripts/amazon-ssm-agent.gpg"
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 5184 100 5184 0 0 158k 0 --:--:-- --:--:-- --:--:-- 163k
$ gpg --import amazon-ssm-agent.gpg
gpg: /home/ec2-user/.gnupg/trustdb.gpg: trustdb created
gpg: key 693ECA21: public key "SSM Agent <ssm-agent-signer@amazon.com>" imported
gpg: key 56BAA549: public key "SSM Agent <ssm-agent-signer@amazon.com>" imported
gpg: key 97DD04ED: public key "SSM Agent <ssm-agent-signer@amazon.com>" imported
gpg: Total number processed: 3
gpg: imported: 3 (RSA: 3)
```
Part 2
Launch an EC2 instance with AMI name: amzn2-ami-hvm-2.0.20230822.0-arm64-gp2
Download ECS Anywhere installation script from the S3 bucket, and modify it to use the updated gpg file
```
Trying to verify the signature of amazon-ecs-init package ...
/bin/gpg
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 2D51784F: public key "Amazon ECS ecs-security@amazon.com" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg: no ultimately trusted keys found
gpg: Signature made Thu 10 Aug 2023 06:45:59 PM UTC using RSA key ID 710E61AF
gpg: Good signature from "Amazon ECS ecs-security@amazon.com"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: F34C 3DDA E729 26B0 79BE AEC6 BCE9 D9A4 2D51 784F
Subkey fingerprint: D64B B6F9 0CF3 77E9 B5FB 346F 50DE CCC4 710E 61AF
amazon-ecs-init GPG verification passed. Install amazon-ecs-init.
ok
##########################
```
4. The EC2 instance successfully registers to ECS
New tests cover the changes: no
### Description for the changelog
Update SSM GPG key for anywhere installation.
### Licensing
This contribution is under the terms of the Apache 2.0 License: <!-- yes -->
Summary
Find more details in
Implementation details
See https://github.com/aws/amazon-ecs-agent/pull/3875
Testing
Manual testing was performed. Part 1
Part 2
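The Part 2 log reports "Good signature" together with "This key is not certified with a trusted signature", so gpg matched the signature to an imported key but does not vouch for whose key it is. As an added example (not the installation script's own code), the function below makes that decision by comparing the primary key fingerprint shown in the log against gpg's `--status-fd` output; the function names, the package file names in the usage comment and the sample status lines are constructed here.

```shell
# Primary key fingerprint from the verification log on this page, spaces removed.
# Confirm it against a source you trust before pinning it.
PINNED_ECS_FPR="F34C3DDAE72926B079BEAEC6BCE9D9A42D51784F"

# signer_is_pinned PINNED_FPR   (reads gpg --status-fd lines on stdin)
# Succeeds only if at least one VALIDSIG line is present, every VALIDSIG names
# PINNED_FPR as its primary key, and no failure status line appears.
signer_is_pinned() {
    sp_pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    sp_seen=1
    while read -r sp_prefix sp_tag sp_rest; do
        [ "$sp_prefix" = "[GNUPG:]" ] || continue
        case "$sp_tag" in
            BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG) return 1 ;;
            VALIDSIG)
                # Fields after the tag: signing (sub)key fingerprint, dates,
                # algorithm ids, and last (10th) the primary key fingerprint.
                set -- $sp_rest
                [ "$#" -ge 10 ] || return 1
                [ "$(printf '%s' "${10}" | tr 'a-f' 'A-F')" = "$sp_pinned" ] || return 1
                sp_seen=0 ;;
        esac
    done
    return "$sp_seen"
}

# Constructed status lines (not captured output); fingerprints from the log above.
sample_good_status() {
    printf '%s\n' \
      '[GNUPG:] GOODSIG 50DECCC4710E61AF Amazon ECS ecs-security@amazon.com' \
      '[GNUPG:] VALIDSIG D64BB6F90CF377E9B5FB346F50DECCC4710E61AF 2023-08-10 1691693159 0 4 0 1 8 00 F34C3DDAE72926B079BEAEC6BCE9D9A42D51784F'
}

# Same shape, but signed by a different, made-up key that was also imported.
sample_other_key_status() {
    printf '%s\n' \
      '[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else' \
      '[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF00112233 2023-08-10 1691693159 0 4 0 1 8 00 AABBCCDDEEFF00112233445566778899AABBCCDD'
}

# Usage with real gpg (PKG and PKG.asc are placeholder file names):
#   gpg --status-fd 1 --verify PKG.asc PKG 2>/dev/null \
#     | signer_is_pinned "$PINNED_ECS_FPR" || exit 1
```

A "Good signature" from any other key in the keyring fails this check, which the human-readable output alone does not distinguish.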