Documentation for AppOptics

Signing plugins

Overview

Private/public key pairs and keyrings are generated with the GPG toolset. The plugin is signed with the private key, and the public key must be added to the user's keyring. The signature is an armored detached signature in the form of a .asc file.

The default SWISnap installation ships with all binaries signed and with a public keyring to verify them. If you don't use custom plugins, there is no need to generate additional GPG signatures.

Signing plugins with GnuPG

These instructions are for Linux systems, although they might be run on Windows as well.

  1. Install GnuPG (https://gnupg.org/download/index.html)
  2. Create a batch file named gpg-batch with the following content:

    %echo Generating a default key
    Key-Type: RSA
    Key-Length: 4096
    Subkey-Type: RSA
    Subkey-Length: 4096
    Name-Real: John Doe
    Name-Comment: Plugin signing key
    Name-Email: john.doe@solarwinds.com
    Expire-Date: 0
    Passphrase: swisnap
    %pubring swisnap.pubring
    %secring swisnap.secring
    %commit
    %echo done
  3. Generate the key using batch mode

    gpg --batch --gen-key gpg-batch
  4. List keys

    gpg --no-default-keyring --secret-keyring ./swisnap.secring --keyring ./swisnap.pubring --list-keys

    In the following output:

    pub  rsa4096 2020-05-19 [SCEA]
      7D06EC3B1E270B98508D198375D15475C940CB4F
    uid  [ unknown] John Doe (Plugin signing key) <john.doe@solarwinds.com>
    sub  rsa4096 2020-05-19 [SEA]

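    copy the fingerprint 7D06EC3B1E270B98508D198375D15475C940CB4F

  5. Make the key ultimately trusted (use the fingerprint you copied in step 4 in place of the example fingerprint in the command below). Answer the prompts with 5 and y, then enter quit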

    gpg --no-default-keyring --secret-keyring ./swisnap.secring --keyring ./swisnap.pubring --edit-key 789522F00692E4789E8908090242D094292BE4A2 trust

    ...
    Your decision? `5`
    Do you really want to set this key to ultimate trust? (y/N) `y`
    
    sec rsa4096/0242D094292BE4A2
        created: 2020-05-19 expires: never    usage: SCEA
        trust: ultimate   validity: unknown
    ssb rsa4096/1C4003110C70206F
        created: 2020-05-19 expires: never    usage: SEA
    [ unknown] (1). John Doe (Plugin signing key) <john.doe@solarwinds.com>
    Please note that the shown key validity is not necessarily correct
    unless you restart the program.
    
    gpg> `quit`
  6. Export public key from keyring

    gpg --no-default-keyring --armor --secret-keyring ./swisnap.secring --keyring ./swisnap.pubring --export john.doe@solarwinds.com > pubkeys.gpg
  7. Sign the binary (e.g. snap-plugin-collector-example), providing the passphrase (from gpg-batch: swisnap)

    gpg --no-default-keyring --armor --secret-keyring ./swisnap.secring --keyring ./swisnap.pubring --output snap-plugin-collector-example.asc --detach-sig snap-plugin-collector-example
  8. (optional) Verify signature using keyring

    gpg --no-default-keyring --secret-keyring ./swisnap.secring --keyring ./swisnap.pubring --verify snap-plugin-collector-example.asc snap-plugin-collector-example

Manually adding signed plugins to snap

  1. Copy the ".asc" and binary files into the SWISnap bin folder and append the "pubkeys.gpg" file to the keyring_paths entry:

    On Linux:

    control:
      plugin_trust_level: 1
      keyring_paths: "/opt/SolarWinds/Snap/bin/.gnupg/swisnap.gpg:/home/MyUser/pubkeys.gpg"

    On Windows:

    control:
      plugin_trust_level: 1
      keyring_paths: "C:/Program Files/SolarWinds/Snap/.gnupg/swisnap.gpg;C:/Users/MyUser/pubkeys.gpg"
  2. Restart swisnapd
  3. Verify with swisnap plugin list that your plugin is signed and running.
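A pre-flight check for the steps above, to run before restarting swisnapd: it confirms that every file in keyring_paths is readable, that the .asc sits beside the binary, and that the signature verifies against only those keyrings. This is an added example, not SolarWinds code; the function names and exit codes are hypothetical, and it assumes each keyring_paths entry is an OpenPGP public-key file that `gpg --import` accepts.

```shell
#!/bin/sh
# Added example (not SolarWinds code): pre-flight check before restarting swisnapd.
# Function names and exit codes are hypothetical. Assumes each keyring_paths
# entry is an OpenPGP public-key file that `gpg --import` accepts.

# Print one keyring path per line; the separator is ":" on Linux, ";" on Windows.
split_keyring_paths() {
    printf '%s\n' "$1" | tr "${2:-:}" '\n' | sed '/^$/d'
}

# Return 0 only if every keyring listed in keyring_paths is a readable file.
check_keyrings() {
    local missing=0 path
    while IFS= read -r path; do
        if [ -z "$path" ] || [ ! -r "$path" ]; then
            echo "unreadable keyring: '$path'" >&2
            missing=1
        fi
    done <<EOF
$(split_keyring_paths "$1" "${2:-:}")
EOF
    return "$missing"
}

# verify_plugin BINARY KEYRING_PATHS [SEPARATOR]
# 0 = signature verifies, 1 = gpg rejected it, 2 = no .asc, 3 = keyring problem
verify_plugin() {
    local plugin="$1" paths="$2" sep="${3:-:}" tmp rc key
    [ -f "$plugin.asc" ] || { echo "no detached signature: $plugin.asc" >&2; return 2; }
    check_keyrings "$paths" "$sep" || return 3
    tmp=$(mktemp -d) || return 1
    # Import into a throwaway home so the user's own keyring is never consulted.
    split_keyring_paths "$paths" "$sep" | while IFS= read -r key; do
        gpg --homedir "$tmp" --batch --quiet --import "$key"
    done
    if gpg --homedir "$tmp" --batch --verify "$plugin.asc" "$plugin"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return "$rc"
}

# Usage (paths taken from the Linux configuration above):
#   verify_plugin ./snap-plugin-collector-example \
#     "/opt/SolarWinds/Snap/bin/.gnupg/swisnap.gpg:/home/MyUser/pubkeys.gpg"
```

A zero exit status means the signature was made by some key present in the listed keyrings, so keep those files limited to keys you intend to accept plugins from.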


The scripts are not supported under any SolarWinds support program or service. The scripts are provided AS IS without warranty of any kind. SolarWinds further disclaims all warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The risk arising out of the use or performance of the scripts and documentation stays with you. In no event shall SolarWinds or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the scripts or documentation.