AWS Security ChangesHomeSearch

AWS deadline-cloud medium security documentation change

Service: deadline-cloud · 2025-04-23 · Security-related medium

File: deadline-cloud/latest/userguide/security-best-practices.md

Summary

Added detailed procedures for verifying authenticity of downloaded software using GPG signatures and Windows signtool

Security assessment

The change introduces explicit steps to verify software integrity through cryptographic signatures, directly addressing potential supply chain attacks and tampering risks. This constitutes concrete security hardening guidance rather than general best practices.

Diff

diff --git a/deadline-cloud/latest/userguide/security-best-practices.md b/deadline-cloud/latest/userguide/security-best-practices.md
index 1ae9f602f..2cd410dfe 100644
--- a//deadline-cloud/latest/userguide/security-best-practices.md
+++ b//deadline-cloud/latest/userguide/security-best-practices.md
@@ -5 +5 @@
-Data protectionIAM permissionsRun jobs as users and groupsNetworkingJob dataFarm structureJob attachment queuesCustom software bucketsWorker hostsWorkstations
+Data protectionIAM permissionsRun jobs as users and groupsNetworkingJob dataFarm structureJob attachment queuesCustom software bucketsWorker hostsWorkstationsVerify downloaded software
@@ -266,0 +267,218 @@ We recommend the following best practice to secure artist workstations. For more
+## Verify the authenticity of downloaded software
+
+Verify your software's authenticity after downloading the installer to protect against file tampering. This procedure works for both Windows and Linux systems.
+
+Windows
+    
+
+To verify the authenticity of your downloaded files, complete the following steps.
+
+  1. In the following command, replace ``file`` with the file that you want to verify. For example, ` `C:\PATH\TO\MY\`DeadlineCloudSubmitter-windows-x64-installer.exe `. Also, replace ``signtool-sdk-version`` with the version of the SignTool SDK installed. For example, `10.0.22000.0`.
+
+`"C:\Program Files (x86)\Windows Kits\10\bin\`signtool-sdk-version`\x86\signtool.exe" verify /v`file``
+
+  2. For example, you can verify the Deadline Cloud submitter installer file by running the following command:
+
+`"C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\signtool.exe" verify /v DeadlineCloudSubmitter-windows-x64-installer.exe`
+
+
+
+
+Linux
+    
+
+To verify the authenticity of your downloaded files, use the `gpg` command line tool.
+
+  1. Import the `OpenPGP` key by running the following command:
+    
+         gpg --import --armor <<EOF
+    -----BEGIN PGP PUBLIC KEY BLOCK-----
+    
+    mQINBGX6GQsBEADduUtJgqSXI+q76O6fsFwEYKmbnlyL0xKvlq32EZuyv0otZo5L
+    le4m5Gg52AzrvPvDiUTLooAlvYeozaYyirIGsK08Ydz0Ftdjroiuh/mw9JSJDJRI
+    rnRn5yKet1JFezkjopA3pjsTBP6lW/mb1bDBDEwwwtH0x9lV7A03FJ9T7Uzu/qSh
+    qO/UYdkafro3cPASvkqgDt2tCvURfBcUCAjZVFcLZcVD5iwXacxvKsxxS/e7kuVV
+    I1+VGT8Hj8XzWYhjCZxOLZk/fvpYPMyEEujN0fYUp6RtMIXve0C9awwMCy5nBG2J
+    eE2Ol5DsCpTaBd4Fdr3LWcSs8JFA/YfP9auL3NczOozPoVJt+fw8CBlVIXO0J7l5
+    hvHDjcC+5v0wxqAlMG6+f/SX7CT8FXK+L3iOJ5gBYUNXqHSxUdv8kt76/KVmQa1B
+    Akl+MPKpMq+lhw++S3G/lXqwWaDNQbRRw7dSZHymQVXvPp1nsqc3hV7KlOM+6s6g
+    1g4mvFY4lf6DhptwZLWyQXU8rBQpojvQfiSmDFrFPWFi5BexesuVnkGIolQoklKx
+    AVUSdJPVEJCteyy7td4FPhBaSqT5vW3+ANbr9b/uoRYWJvn17dN0cc9HuRh/Ai+I
+    nkfECo2WUDLZ0fEKGjGyFX+todWvJXjvc5kmE9Ty5vJp+M9Vvb8jd6t+mwARAQAB
+    tCxBV1MgRGVhZGxpbmUgQ2xvdWQgPGF3cy1kZWFkbGluZUBhbWF6b24uY29tPokC
+    VwQTAQgAQRYhBLhAwIwpqQeWoHH6pfbNPOa3bzzvBQJl+hkLAxsvBAUJA8JnAAUL
+    CQgHAgIiAgYVCgkICwIDFgIBAh4HAheAAAoJEPbNPOa3bzzvKswQAJXzKSAY8sY8
+    F6Eas2oYwIDDdDurs8FiEnFghjUEO6MTt9AykF/jw+CQg2UzFtEyObHBymhgmhXE
+    3buVeom96tgM3ZDfZu+sxi5pGX6oAQnZ6riztN+VpkpQmLgwtMGpSMLl3KLwnv2k
+    WK8mrR/fPMkfdaewB7A6RIUYiW33GAL4KfMIs8/vIwIJw99NxHpZQVoU6dFpuDtE
+    1OuxGcCqGJ7mAmo6H/YawSNp2Ns80gyqIKYo7o3LJ+WRroIRlQyctq8gnR9JvYXX
+    42ASqLq5+OXKo4qh81blXKYqtc176BbbSNFjWnzIQgKDgNiHFZCdcOVgqDhwO15r
+    NICbqqwwNLj/Fr2kecYx180Ktpl0jOOw5IOyh3bf3MVGWnYRdjvA1v+/CO+55N4g
+    z0kf50Lcdu5RtqV10XBCifn28pecqPaSdYcssYSRl5DLiFktGbNzTGcZZwITTKQc
+    af8PPdTGtnnb6P+cdbW3bt9MVtN5/dgSHLThnS8MPEuNCtkTnpXshuVuBGgwBMdb
+    qUC+HjqvhZzbwns8dr5WI+6HWNBFgGANn6ageYl58vVp0UkuNP8wcWjRARciHXZx
+    ku6W2jPTHDWGNrBQO2Fx7fd2QYJheIPPAShHcfJO+xgWCof45D0vAxAJ8gGg9Eq+
+    gFWhsx4NSHn2gh1gDZ41Ou/4exJ1lwPM
+    =uVaX
+    -----END PGP PUBLIC KEY BLOCK-----
+    EOF
+
+  2. Determine whether to trust the `OpenPGP` key. Some factors to consider when deciding whether to trust the above key include the following:
+
+     * The internet connection you’ve used to obtain the GPG key from this website is secure.
+
+     * The device that you are accessing this website on is secure.
+
+     * AWS has taken measures to secure the hosting of the `OpenPGP` public key on this website.
+
+  3. If you decide to trust the OpenPGP key, edit the key to trust with `gpg` similar to the following example:
+    
+        $ gpg --edit-key 0xB840C08C29A90796A071FAA5F6CD3CE6B76F3CEF
+    
+        gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
+        This is free software: you are free to change and redistribute it.
+        There is NO WARRANTY, to the extent permitted by law.
+    
+    
+        pub  4096R/4BF0B8D2  created: 2023-06-23  expires: 2025-06-22  usage: SCEA
+                             trust: unknown       validity: unknown
+        [ unknown] (1). AWS Deadline Cloud [email protected]
+    
+        gpg> trust
+        pub  4096R/4BF0B8D2  created: 2023-06-23  expires: 2025-06-22  usage: SCEA
+                             trust: unknown       validity: unknown
+        [ unknown] (1). AWS Deadline Cloud [email protected]
+    
+        Please decide how far you trust this user to correctly verify other users' keys
+        (by looking at passports, checking fingerprints from different sources, etc.)
+    
+          1 = I don't know or won't say
+          2 = I do NOT trust
+          3 = I trust marginally
+          4 = I trust fully
+          5 = I trust ultimately
+          m = back to the main menu
+    
+        Your decision? 5
+        Do you really want to set this key to ultimate trust? (y/N) y
+    
+        pub  4096R/4BF0B8D2  created: 2023-06-23  expires: 2025-06-22  usage: SCEA
+                             trust: ultimate      validity: unknown
+        [ unknown] (1). AWS Deadline Cloud [email protected]
+        Please note that the shown key validity is not necessarily correct
+        unless you restart the program.
+    
+        gpg> quit
+
+  4. ###### Verify the Deadline Cloud submitter installer
+
+To verify the Deadline Cloud submitter installer, complete the following steps:
+
+    1. Return to the Deadline Cloud [console](https://console.aws.amazon.com/deadlinecloud/home) **Downloads** page and download the signature file for the Deadline Cloud submitter installer.
+
+    2. Verify the signature of the Deadline Cloud submitter installer by running:
+        
+                gpg --verify ./DeadlineCloudSubmitter-linux-x64-installer.run.sig ./DeadlineCloudSubmitter-linux-x64-installer.run
+
+  5. ###### Verify the Deadline Cloud monitor
+
+###### Note
+
+You can verify the Deadline Cloud monitor download using signature files or platform specific methods. For platform specific methods, see the Linux (Debian) tab, the Linux (RPM) tab, or the Linux (AppImage) tab based on your downloaded file type. 
+
+To verify the Deadline Cloud monitor desktop application with signature files, complete the following steps:
+
+    1. Return to the Deadline Cloud [console](https://console.aws.amazon.com/deadlinecloud/home) **Downloads** page and download the corresponding .sig file, and then run
+
+**For .deb:**
+        
+                gpg --verify ./deadline-cloud-monitor_<APP_VERSION>_amd64.deb.sig ./deadline-cloud-monitor_<APP_VERSION>_amd64.deb
+
+**For .rpm:**
+        
+                gpg --verify ./deadline-cloud-monitor_<APP_VERSION>_x86_64.deb.sig ./deadline-cloud-monitor_<APP_VERSION>_x86_64.rpm
+
+**For .AppImage:**
+        
+                gpg --verify ./deadline-cloud-monitor_<APP_VERSION>_amd64.AppImage.sig ./deadline-cloud-monitor_<APP_VERSION>_amd64.AppImage
+
+    2. Confirm that the output looks similar to the following:
+
+`gpg: Signature made Mon Apr 1 21:10:14 2024 UTC`
+
+`gpg: using RSA key B840C08C29A90796A071FAA5F6CD3CE6B7`
+
+If the output contains the phrase `Good signature from "AWS Deadline Cloud"`, it means that the signature has successfully been verified and you can run the Deadline Cloud monitor installation script.
+
+
+
+
+Linux (AppImage)
+    
+
+To verify packages that use a Linux .AppImage binary, first complete steps 1-3 in the Linux tab, then complete the following steps.
+
+  1. From the AppImageUpdate [page](https://github.com/AppImageCommunity/AppImageUpdate/releases/tag/continuous) in GitHub, download the **validate-x86_64.AppImage** file.
+
+  2. After downloading the file, to add execute permissions, run the following command.
+    
+        chmod a+x ./validate-x86_64.AppImage
+
+  3. To add execute permissions, run the following command.
+    
+        chmod a+x ./deadline-cloud-monitor_<APP_VERSION>_amd64.AppImage
+
+  4. To verify the Deadline Cloud monitor signature, run the following command.
+    
+        ./validate-x86_64.AppImage ./deadline-cloud-monitor_<APP_VERSION>_amd64.AppImage
+
+If the output contains the phrase `Validation successful`, it means that the signature has successfully been verified and you can safely run the Deadline Cloud monitor installation script.
+
+
+
+
+Linux (Debian)
+    
+
+To verify packages that use a Linux .deb binary, first complete steps 1-3 in the Linux tab.
+
+**dpkg** is the core package management tool in most debian based Linux distributions. You can verify the .deb file with the tool.
+
+  1. From the Deadline Cloud [console](https://console.aws.amazon.com/deadlinecloud/home) **Downloads** page, download the Deadline Cloud monitor .deb file.
+
+  2. Replace `<APP_VERSION>` with the version of the .deb file you want to verify.
+    
+        dpkg-sig --verify deadline-cloud-monitor_<APP_VERSION>_amd64.deb
+
+  3. The output will be similar to:
+    
+        ProcessingLinux deadline-cloud-monitor_<APP_VERSION>_amd64.deb...
+    GOODSIG _gpgbuilder B840C08C29A90796A071FAA5F6CD3C 171200
+
+  4. To verify the .deb file, confirm that `GOODSIG` is present in the output.