aws / aws-codedeploy-agent

Host Agent for AWS CodeDeploy
https://aws.amazon.com/codedeploy
Apache License 2.0

Sign codedeploy-agent package #261

Open AMHesch opened 4 years ago

AMHesch commented 4 years ago

In order to install CodeDeploy Agent on Amazon Linux 2 / CentOS / RHEL servers that are configured for the CIS Level 3 Benchmark (High), all packages must be digitally signed by a CA that is recognized by the Operating System. This maps to RHEL STIG Vulnerability V-71979 and Amazon Linux 2 STIG Benchmark 1.2.4.

Current Value

[ec2-user@ip-172-31-xxx-xxx ~]$ rpm -qi codedeploy-agent
Name        : codedeploy-agent
Version     : 1.1.2
Release     : 1855
Architecture: noarch
Group       : Applications/System
Size        : 25823745
License     : Amazon.com Internal
Signature   : (none)
Source RPM  : codedeploy-agent-1.1.2-1855.src.rpm
Build Date  : Sat Jul 18 00:01:17 2020
Build Host  : sds-tod-workers-corp-pdx1-60009.pdx1.corp.amazon.com
Relocations : (not relocatable)
Vendor      : Amazon.com
Summary     : Provides the required files for CodeDeploy agent to run in EC2 instances
Description :
CodeDeploy instance agent is responsible for doing the actual work of deploying software
on an EC2 instance.

Expected Value (based on SSM Agent)

[ec2-user@ip-172-31-xxx-xxx ~]$ rpm -qi codedeploy-agent
Name        : codedeploy-agent
Version     : 1.1.2
Release     : 1855
Architecture: noarch
Group       : Amazon/Tools
License     : ASL 2.0
Signature   : RSA/SHA256, Tue Aug  4 14:58:37 2020, Key ID 11cf1f95c87f5b1a
Source RPM  : codedeploy-agent-1.1.2-1855.src.rpm
Build Date  : Sat Jul 18 00:01:17 2020
Build Host  : build.amazon.com
Relocations : (not relocatable)
Vendor      : Amazon.com
Summary     : Provides the required files for CodeDeploy agent to run in EC2 instances
Description :
CodeDeploy instance agent is responsible for doing the actual work of deploying software
on an EC2 instance.

jwechsler10 commented 3 years ago

Are there any plans to fix this, since it breaks the installer listed here: https://docs.aws.amazon.com/codedeploy/latest/userguide/codedeploy-agent-operations-install-linux.html when run on Amazon Linux.

csmcallister commented 3 years ago

I am also interested in seeing this addressed, as it is similar to this issue with SSM.

My current workaround was to edit the install script so that --nogpgcheck is passed to the yum invocation. This allows the agent to be installed and then run, as verified with sudo service codedeploy-agent status.
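
The manual `rpm -qi` comparison in the opening report and the `--nogpgcheck` workaround above both come down to the same question: is the package signed, is the signing key imported, and does yum actually enforce the check? The script below is an added example, not code from this thread or from the CodeDeploy agent project. It reads `rpm -qi` (or `rpm -qip file.rpm`) output and `yum.conf` text on stdin so that it can be exercised against the captured output in this issue; the sample inputs are constructed from that output. The function names are illustrative, and `rpm_key_pkg_name` assumes the usual rpm convention that an imported key shows up as `gpg-pubkey-<low 32 bits of the key ID>`.

```bash
#!/usr/bin/env bash
# Added example (not part of the CodeDeploy agent project): audit RPM signature
# status and yum signature-check settings before installing a package on a
# STIG/CIS-hardened host.
set -eu

# Classify a package from "rpm -qi" (installed) or "rpm -qip file.rpm"
# (package file) output read on stdin.
# Prints "unsigned" when the Signature field is "(none)" or missing,
# "signed <keyid>" when a Key ID is present, "unknown" otherwise.
rpm_sig_status() {
  sig=$(sed -n 's/^Signature *: *//p')
  case "$sig" in
    ""|"(none)") echo "unsigned" ;;
    *"Key ID "*) echo "signed ${sig##*Key ID }" ;;
    *)           echo "unknown" ;;
  esac
}

# Given a 16-hex-digit key ID, print the rpm package name an imported copy of
# that key would have. Assumption: rpm's convention of naming imported keys
# after the lower-cased low 32 bits (last 8 hex digits) of the key ID.
rpm_key_pkg_name() {
  keyid=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  echo "gpg-pubkey-$(printf '%s' "$keyid" | tail -c 8)"
}

# Read yum.conf text on stdin; succeed only if both repository packages
# (gpgcheck) and locally installed package files (localpkg_gpgcheck) are
# signature-checked. The agent installer installs a downloaded .rpm, so
# localpkg_gpgcheck is the setting that makes yum refuse the unsigned package.
yum_gpgcheck_enforced() {
  conf=$(cat)
  g=$(printf '%s\n' "$conf" | sed -n 's/^gpgcheck *= *//p' | tail -n 1)
  l=$(printf '%s\n' "$conf" | sed -n 's/^localpkg_gpgcheck *= *//p' | tail -n 1)
  [ "${g:-0}" = "1" ] && [ "${l:-0}" = "1" ]
}

# Succeed if a yum command line disables signature checking outright, as the
# --nogpgcheck workaround in this thread does (or via --setopt overrides).
yum_cmd_skips_gpgcheck() {
  case " $* " in
    *" --nogpgcheck "*|*" --setopt=gpgcheck=0 "*|*" --setopt=localpkg_gpgcheck=0 "*) return 0 ;;
    *) return 1 ;;
  esac
}

# --- Demonstration on inputs constructed from the rpm -qi output in this issue ---
unsigned_pkg='Name        : codedeploy-agent
Version     : 1.1.2
Signature   : (none)'
signed_pkg='Name        : codedeploy-agent
Version     : 1.1.2
Signature   : RSA/SHA256, Tue Aug  4 14:58:37 2020, Key ID 11cf1f95c87f5b1a'
hardened_conf='[main]
gpgcheck=1
localpkg_gpgcheck=1'

printf '%s\n' "$unsigned_pkg" | rpm_sig_status   # unsigned
printf '%s\n' "$signed_pkg"   | rpm_sig_status   # signed 11cf1f95c87f5b1a
rpm_key_pkg_name 11cf1f95c87f5b1a                # gpg-pubkey-c87f5b1a
if printf '%s\n' "$hardened_conf" | yum_gpgcheck_enforced; then
  echo "yum enforces signature checks; an unsigned local rpm will be refused"
fi
if yum_cmd_skips_gpgcheck yum -y install --nogpgcheck ./codedeploy-agent.noarch.rpm; then
  echo "installer command bypasses gpgcheck (a workaround, not a fix)"
fi

# On a real host:
#   rpm -qi codedeploy-agent | rpm_sig_status
#   rpm -qip codedeploy-agent.noarch.rpm | rpm_sig_status
#   rpm -q "$(rpm_key_pkg_name 11cf1f95c87f5b1a)"   # is the signing key imported?
#   yum_gpgcheck_enforced < /etc/yum.conf
```

Passing `--nogpgcheck` makes the install succeed, but it also means a tampered `.rpm` fetched from the bucket would install just as happily; until the package ships with a signature and a published key, the only alternative on a host with `localpkg_gpgcheck=1` is to verify the download by some other out-of-band means before installing.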

durayakar commented 1 year ago

This was reported back in 2016 and still not fixed? Since there were no cyber attacks using this vulnerability in 6 years, this code signing must really be a hoax and useless practice anyways. Maybe we should open a case with the STIG board to revisit the code signing restrictions.

philstrong commented 1 year ago

If we provided similar to https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/verify-CloudWatch-Agent-Package-Signature.html does this meet the ask?

csmcallister commented 1 year ago

> If we provided similar to https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/verify-CloudWatch-Agent-Package-Signature.html does this meet the ask?

Yes. Sign the RPM and make the public key available in s3 for verification.

oleksandr-mykytenko-sn commented 5 months ago

Hello, any updates on this issue? It is still valid in Feb 2024.