Private/public key pairs and keyrings are generated by GPG toolset. The plugin is signed with the private key and the public key needs to be added to the user's keyring. The signing is an armored detached signature in the form of a .asc file.
Default SWISnap installation comes with all binaries singed and also public keyring to verify binaries. If you don't use custom plugins, there is no need to generate additional GPG signatures.
Signing plugins with GnuPG
Those instructions are for Linux systems, although might be run on Windows as well.
- Install GnuPG (https://gnupg.org/download/index.html)
%echo Generating a default key Key-Type: RSA Key-Length: 4096 Subkey-Type: RSA Subkey-Length: 4096 Name-Real: John Doe Name-Comment: Plugin signing key Name-Email: email@example.com Expire-Date: 0 Passphrase: swisnap %pubring swisnap.pubring %secring swisnap.secring %commit %echo done
Generate the key using batch mode
gpg --batch --gen-key gpg-batch
gpg --no-default-keyring --secret-keyring ./swisnap.secring --keyring ./swisnap.pubring --list-keys
In the following output:
pub rsa4096 2020-05-19 [SCEA] 7D06EC3B1E270B98508D198375D15475C940CB4F uid [ unknown] John Doe (Plugin signing key) <firstname.lastname@example.org> sub rsa4096 2020-05-19 [SEA]
Make the key ultimately trusted (use remembered key). Answer with: 5, y and enter quit
gpg --no-default-keyring --secret-keyring ./swisnap.secring --keyring ./swisnap.pubring --edit-key 789522F00692E4789E8908090242D094292BE4A2 trust
... Your decision? `5` Do you really want to set this key to ultimate trust? (y/N) `y` sec rsa4096/0242D094292BE4A2 created: 2020-05-19 expires: never usage: SCEA trust: ultimate validity: unknown ssb rsa4096/1C4003110C70206F created: 2020-05-19 expires: never usage: SEA [ unknown] (1). John Doe (Plugin signing key) <email@example.com> Please note that the shown key validity is not necessarily correct unless you restart the program. gpg> `quit`
Export public key from keyring
gpg --no-default-keyring --armor --secret-keyring ./swisnap.secring --keyring ./swisnap.pubring --export firstname.lastname@example.org > pubkeys.gpg
Sign binary (ie. snap-plugin-collector-example) providing passphrase (from gpg-batch: swisnap)
gpg --no-default-keyring --armor --secret-keyring ./swisnap.secring --keyring ./swisnap.pubring --output snap-plugin-collector-example.asc --detach-sig snap-plugin-collector-example
(optional) Verify signature using keyring
gpg --no-default-keyring --secret-keyring ./swisnap.secring --keyring ./swisnap.pubring --verify snap-plugin-collector-example.asc snap-plugin-collector-example
Manual adding signed plugins to snap
Copy the ".asc" and binary files into SWIsnap bin folder and append "pubkeys.gpg" file into
control: plugin_trust_level: 1 keyring_paths: "/opt/SolarWinds/Snap/bin/.gnupg/swisnap.gpg:/home/MyUser/pubkeys.gpg"
control: plugin_trust_level: 1 keyring_paths: "C:/Program Files/SolarWinds/Snap/.gnupg/swisnap.gpg;C:/Users/MyUser/pubkeys.gpg"
- Restart swisnapd
- Verify with
swisnap plugin listthat your plugin is signed and running.
Navigation Notice: When the APM Integrated Experience is enabled, AppOptics shares a common navigation and enhanced feature set with other integrated experience products. How you navigate AppOptics and access its features may vary from these instructions.
The scripts are not supported under any SolarWinds support program or service. The scripts are provided AS IS without warranty of any kind. SolarWinds further disclaims all warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The risk arising out of the use or performance of the scripts and documentation stays with you. In no event shall SolarWinds or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the scripts or documentation.