@@ -332,6 +332,232 @@ license is available at: http://aws.amazon.com/apache2.0/
332332Verifying the Signature
333333----------------------- 
334334
335- .. include :: signing.rst 
335+ This section describes the recommended process of verifying the validity of the
336+ AWS Data Science Workflows Python SDK's compiled distributions on
337+ `PyPI  <https://pypi.org/project/stepfunctions/ >`__.
338+ 
339+ Whenever you download an application from the internet, we recommend that you
340+ authenticate the identity of the software publisher and check that the
341+ application is not altered or corrupted since it was published. This protects
342+ you from installing a version of the application that contains a virus or other
343+ malicious code.
344+ 
345+ If after running the steps in this topic, you determine that the distribution
346+ for the AWS Data Science Workflows Python SDK is altered or corrupted, do NOT
347+ install the package. Instead, contact AWS Support (https://aws.amazon.com/contact-us/).
348+ 
349+ AWS Data Science Workflows Python SDK distributions on PyPI are signed using
350+ GnuPG, an open source implementation of the Pretty Good Privacy (OpenPGP)
351+ standard for secure digital signatures. GnuPG (also known as GPG) provides
352+ authentication and integrity checking through a digital signature. For more
353+ information about PGP and GnuPG (GPG), see http://www.gnupg.org.
354+ 
355+ The first step is to establish trust with the software publisher. Download the
356+ public key of the software publisher, check that the owner of the public key is
357+ who they claim to be, and then add the public key to your keyring. Your keyring
358+ is a collection of known public keys. After you establish the authenticity of
359+ the public key, you can use it to verify the signature of the application.
360+ 
361+ Topics
362+ ~~~~~~ 
363+ 
364+ 1. `Installing the GPG Tools  <#installing-the-gpg-tools >`__
365+ 2. `Authenticating and Importing the Public Key  <#authenticating-and-importing-the-public-key >`__
366+ 3. `Verify the Signature of the Package  <#verify-the-signature-of-the-package >`__
367+ 
368+ Installing the GPG Tools
369+ ~~~~~~~~~~~~~~~~~~~~~~~~ 
370+ 
371+ If your operating system is Linux or Unix, the GPG tools are likely already
372+ installed. To test whether the tools are installed on your system, type
373+ **gpg ** at a command prompt. If the GPG tools are installed, you see a GPG
374+ command prompt. If the GPG tools are not installed, you see an error stating
375+ that the command cannot be found. You can install the GnuPG package from a
376+ repository.
377+ 
378+ **To install GPG tools on Debian-based Linux **
379+ 
380+ From a terminal, run the following command: **apt-get install gnupg **
381+ 
382+ **To install GPG tools on Red Hat–based Linux **
383+ 
384+ From a terminal, run the following command: **yum install gnupg **
385+ 
386+ Authenticating and Importing the Public Key
387+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
388+ 
389+ The next step in the process is to authenticate the AWS Data Science Workflows
390+ Python SDK public key and add it as a trusted key in your GPG keyring.
391+ 
392+ To authenticate and import the AWS Data Science Workflows Python SDK public key
393+ 
394+ 1. Copy the key from the following text and paste it into a file called
395+ `data_science_workflows.key `. Make sure to include everything that follows:
396+ 
397+ .. code-block :: text 
398+ 
399+  -----BEGIN PGP PUBLIC KEY BLOCK----- 
400+ 
401+  mQINBF27JXsBEAC18lOq7/SmynwuTJZdzoSaYzfPjt+3RN5oFLd9VY559sLb1aqV 
402+  ph+RPu35YOR0GbR76NQZV6p2OicunvjmvvOKXzud8nsV3gjcSCdxn22YwVDdFdx9 
403+  N0dMOzo126kFIkubWNsBZDxzGsgIsku82+OKJbdSZyGEs7eOQCqieVpubnAk/pc5 
404+  J4sqYDFhL2ijCIwAW6YUx4WEMq1ysVVcoNIo5J3+f1NzJZBvI9xwf+R2AnX06EZb 
405+  FFIcX6kx5B8Sz6s4AI0EVFt9YOjtD+y6aBs3e63wx9etahq5No26NffNEve+pw3o 
406+  FTU7sq6HxX/cE+ssJALAwV/3/1OiluZ/icePgYvsl8UWkkULsnHEImW2vZOe9UCw 
407+  9CYb7lgqMCd9o14kQy0+SeTS3EdFH+ONRub4RMkdT7NV5wfzgD4WpSYban1YLJYx 
408+  XLYRIopMzWuRLSUKMHzqsN48UlNwUVzvpPlcVIAotzQQbgFaeWlW1Fvv3awqaF7Q 
409+  lnt0EBX5n71LJNDmpTRPtICnxcVsNXT1Uctk1mtzYwuMrxk0pDJZs06qPLwehwmO 
410+  4A4bQCZ/1aVnXaauzshP7kzgPWG6kqOcSbn3VA/yhfDX/NBeY3Xg1ECDlFxmCrrV 
411+  D7xqpZgVaztHbRIOr6ANKLMf72ZmqxiYayrFlLLOkJYtNCaC8igO5Baf2wARAQAB 
412+  tFBTdGVwZnVuY3Rpb25zLVB5dGhvbi1TREstU2lnbmluZyA8c3RlcGZ1bmN0aW9u 
413+  cy1kZXZlbG9wZXItZXhwZXJpZW5jZUBhbWF6b24uY29tPokCVAQTAQgAPhYhBMwW 
414+  BXe3v509bl1RxWDrEDrjFKgJBQJduyV7AhsDBQkUsSsABQsJCAcCBhUKCQgLAgQW 
415+  AgMBAh4BAheAAAoJEGDrEDrjFKgJq5IP/25LVDaA3itCICBP2/eu8KkUJ437oZDr 
416+  +3z59z7p4mvispmEzi4OOb1lMGBH+MdhkgblrcSaj4XcIslTkfKD4gP/cMSl14hb 
417+  X/OIxEXFXvTq4PmWUCgl5NtsyAbgB3pAxGUfNAXR2dV3MJFAHSOVUK5Es4/kAj4a 
418+  5lra+1MwZZMDqhMTYuvTclIqPA/PXafkgL5g15JA5lFDyFQ2zuV1BgQlKh7o24Jw 
419+  a1kDB0aSePkrh4gJHXAEoGDjX2mcGhEjlBvCH4ay7VGoG6l+rjcHnqSiVX0tg9dZ 
420+  Ilc7RTR+1LX7jx8wdsYSUGekADy6wGTjk9HBTafh8Bl8sR2eNoH1qZuIn/YIHxkR 
421+  JPH/74hG71pjS4FWPBbbPrdkC/G47mXMfLUrGpigcgkhePuA1BBW30U0ZZWWDHsf 
422+  ISxp8hcQkR5gFhU+37tsC06pwihhDWgx4kTfeTmNqkl03fTH5lwNsig0HSpUINWR 
423+  +EWN0jXb8DtjMzZbiDhLxQX9U3HBEdw2g2/Ktsqv+MM1P1choEGNtzots3V9fqMY 
424+  Txy7MkYLtRDYu+sX5DNob309vPzbI4b3KBv6hCRJdnICjBvgL6C8WHaLm6+FU+68 
425+  rFRKw6WImWHyygdnv8Bzdq4h+MaTE6AhteYutd+ZTWpazfE1h0ngrEerQju2VLZP 
426+  LAACxHBQNjT+uQINBF27JXsBEAC/PDJmWIkJBdnOmPU/W0SosOZRMvzs/KR89qeI 
427+  ebT8O0rNFeHR6Iql5ak6kGeDLwnzcOOwqamO+vwGmRScwPT6NF9+HDkXCzITOE22 
428+  71zKVjGVf+tX5kHJzT8ZqQBxvnk5Cx/d7sr3kwLBhhygHLS/kn2K9fhYwbtsQTLE 
429+  o9XvTBOip+DohHHJjZHcboeYnZ2g2b8Gnwe4cz75ogFNcuHZXusr8Y6enJX8wTBy 
430+  /AvXPVUIyrHbrXcHaNS3UYKzbhkH6W1cfkV6Bb49FKYkxH0N1ZeooyS6zXyf0X4n 
431+  TAbyCfoFYQ68KC17/pGMOXtR/UlqDeJe0sFeyyTHKjdSTDpA+WKKJJZ5BSCYQ5Hq 
432+  ewy6mvaIcKURExIZyNqRHRhb4p/0BA7eXzMCryx1AZPcQnaMVQYJTi5e+HSnOxnK 
433+  AB7jm2HHPHCRgO4qvavr5dIlEoKBM6qya1KVqoarw5hv8J8+R9ECn4kWZ8QjBlgO 
434+  y65q/b3mwqK0rVA1w73BPWea/xLCLrqqVRGa/fB7dhTnPfn+BpaQ3qruLinIJatM 
435+  8c2/p1LZ1nuWgrssSkSMn3TlffF0Lq9jtcbi7K11A082RiB2L0lu+j8r07RgVQvZ 
436+  4UliS1Lklsp7Ixh+zoR712hKPQpNVLstEHTxQhXZTWAk/Ih7b9ukrL/1HJAnhZBe 
437+  uBhDDQARAQABiQI8BBgBCAAmFiEEzBYFd7e/nT1uXVHFYOsQOuMUqAkFAl27JXsC 
438+  GwwFCRSxKwAACgkQYOsQOuMUqAnJvA//SDQZxf0zbge8o9kGfrm7bnExz8a6sxEn 
439+  urooUaSk3isbGFAUg+Q7rQ+ViG9gDG74F5liwwcKoBct/Z9tCi/7p3QI0BE0bM1j 
440+  IHdm5dXaZAcMlUy6f0p3DO3qE2IjnNjEjvpm7Xzt6tKJu/scZQNdQxG/CDn5+ezm 
441+  nIatgDV6ugDDv/2o0BXMyAZT008T/QLR2U5dEsbt9H3Bzl4Ska6gjak2ToJL0T61 
442+  1dZjfv/1UbeYRPFCO6CsLj9uEq+RoHAsvAS4rl9HyM3b2sVzr8CMsP6LVdqlA2Qz 
443+  /nIBd+GuLofi3/PGvvS63ubfqSRGd5VvJXoiRl2WoE8lmyIB5UJfFfd8Zdn6j+hQ 
444+  c14VOp89mEfg57BiQXfZnzjFVNkl7T5I2g3X5O8StosncChqiJTSH5C731KUVqxO 
445+  xYknFostioIVKmyis/Nwmwr6fIItYyYCwh5YCqAg0r4SLbhFEVXdannUbFPF6upO 
446+  EbKlZP3Iyu/kYANMnq+9+GImrPrT/FCpM9RW1GFAnuVBt9Qjs+eRq4DQJl/EaIjZ 
447+  cgqz+e5TZNxDK9r2sHC4zGWy88/2GuhD8xh4FH5hBIDJPmHUtKh9XElq187VA4Jg 
448+  U0mbryduKMQIyuc6OLzfJUbVTMvKWaPASbGtvAAOwCFtAi33dZ8bOfjQLgOb9uDh 
449+  /vQojRxttMc= 
450+  =ovUh 
451+  -----END PGP PUBLIC KEY BLOCK----- 
452+ 
453+ 
454+ 
455+ `data_science_workflows.key `, use the following command to import the AWS Data
456+ Science Workflows Python SDK public key into your keyring:
457+ 
458+ .. code-block :: text 
459+ 
460+  gpg --import data_science_workflows.key 
461+ 
462+ 
463+ 
464+ .. code-block :: text 
465+ 
466+  gpg: key 60EB103AE314A809: public key "Stepfunctions-Python-SDK-Signing <stepfunctions-developer-experience@amazon.com>" imported 
467+  gpg: Total number processed: 1 
468+  gpg: imported: 1 
469+ 
470+ 
471+ example, the key value is 60EB103AE314A809.
472+ 
473+ 3. Verify the fingerprint by running the following command, replacing key-value
474+ with the value from the preceding step:
475+ 
476+ .. code-block :: text 
477+ 
478+  gpg --fingerprint <key-value> 
479+ 
480+ 
481+ 
482+ .. code-block :: text 
483+ 
484+  pub rsa4096 2019-10-31 [SC] [expires: 2030-10-31] CC16 0577 B7BF 9D3D 6E5D 
485+  51C5 60EB 103A E314 A809 uid [ unknown] 
486+  Stepfunctions-Python-SDK-Signing 
487+  <stepfunctions-developer-experience@amazon.com> sub rsa4096 2019-10-31 [E] 
488+  [expires: 2030-10-31] 
489+ 
490+ 
491+ 9D3D 6E5D 51C5 60EB 103A E314 A809, as shown in the preceding example.
492+ Compare the key fingerprint that is returned to the one published on this
493+ page. They should match. If they don't match, don't install the AWS Data
494+ Science Workflows Python SDK package, and contact AWS Support.
495+ 
496+ Verify the Signature of the Package
497+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
498+ 
499+ After you install the GPG tools, authenticate and import the AWS Data Science
500+ Workflows Python SDK public key, and verify that the public key is trusted, you
501+ are ready to verify the signature of the package.
502+ 
503+ To verify the package signature, do the following.
504+ 
505+ 1. Download the detached signature for the package from PyPI
506+ 
507+  Go to the downloads section for the Data Science Workflows Python SDK
508+  https://pypi.org/project/stepfunctions/#files on PyPI, Right-click on the SDK
509+  distribution link, and choose "Copy Link Location/Address".
510+ 
511+  Append the string ".asc" to the end of the link you copied, and paste this
512+  new link on your browser.
513+ 
514+  Your browser will prompt you to download a file, which is the detatched
515+  signature associated with the respective distribution. Save the file on your
516+  local machine.
517+ 
518+ 2. Verify the signature by running the following command at a command prompt
519+ in the directory where you saved signature file and the AWS Data Science
520+ Workflows Python SDK installation file. Both files must be present.
521+ 
522+ .. code-block :: text 
523+ 
524+  gpg --verify <path-to-detached-signature-file> 
525+ 
526+ 
527+ 
528+ .. code-block :: text 
529+ 
530+  gpg: Signature made Thu 31 Oct 12:14:53 2019 PDT 
531+  gpg: using RSA key CC160577B7BF9D3D6E5D51C560EB103AE314A809 
532+  gpg: Good signature from "Stepfunctions-Python-SDK-Signing <stepfunctions-developer-experience@amazon.com>" [unknown] 
533+  gpg: WARNING: This key is not certified with a trusted signature! 
534+  gpg: There is no indication that the signature belongs to the owner. 
535+  Primary key fingerprint: CC16 0577 B7BF 9D3D 6E5D 51C5 60EB 103A E314 A809 
536+ 
537+ 
538+ Workflows Python SDK <stepfunctions-developer-experience@amazon.com>", it means
539+ that the signature has successfully been verified, and you can proceed to run
540+ the AWS Data Science Workflows Python SDK package.
541+ 
542+ If the output includes the phrase BAD signature, check whether you performed the
543+ procedure correctly. If you continue to get this response, don't run the
544+ installation file that you downloaded previously, and contact AWS Support.
545+ 
546+ The following are details about the warnings you might see:
547+ 
548+ .. code-block :: text 
549+ 
550+  WARNING: This key is not certified with a trusted signature! There is no 
551+  indication that the signature belongs to the owner. This refers to your 
552+  personal level of trust in your belief that you possess an authentic public 
553+  key for AWS Data Science Workflows Python SDK. In an ideal world, you would 
554+  visit an AWS office and receive the key in person. However, more often you 
555+  download it from a website. In this case, the website is an AWS website. 
556+ 
557+  gpg: no ultimately trusted keys found. This means that the specific key is not 
558+  "ultimately trusted" by you (or by other people whom you trust). 
559+ 
560+ 
561+ 
336562
337563.. |codebuild | image :: https://codebuild.us-east-2.amazonaws.com/badges?uuid=eyJlbmNyeXB0ZWREYXRhIjoiUkFzRXd6UmdKZkJIZFRPMTRCMmhKYzJqL1U0bEpMdDFvSGJPeXBCSlhQaDBaQVZxYWtnUkZNMmhlclRSeGxCbjZhVTl0dlpiQXFKd1puUFZJK0xmNHN3PSIsIml2UGFyYW1ldGVyU3BlYyI6ImZ2ekJpa3V5ZXgxV3gyczUiLCJtYXRlcmlhbFNldFNlcmlhbCI6MX0%3D&branch=master 
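Review bot: In step 3 of "Authenticating and Importing the Public Key", the instruction "Compare the key fingerprint that is returned to the one published on this page" anchors trust in the same document that supplies the key block, so anyone able to alter this README could change the key and the fingerprint together. Consider also publishing the fingerprint CC16 0577 B7BF 9D3D 6E5D 51C5 60EB 103A E314 A809 through a second, independently controlled channel and pointing to it from this step. In "Verify the Signature of the Package", `gpg --verify <path-to-detached-signature-file>` leaves gpg to infer the signed file from the signature's file name; passing the distribution file as an explicit second argument makes it unambiguous which file was checked. The success paragraph names the signer as "... Workflows Python SDK <stepfunctions-developer-experience@amazon.com>", while the sample output shows the uid "Stepfunctions-Python-SDK-Signing", so a reader matching the string literally will not find it. It would also help to say that the "not certified with a trusted signature" warning is expected only after the fingerprint check has passed, since the signature output alone does not establish who owns the key. Smaller points: "detatched" should be "detached"; typing `gpg` with no arguments waits on standard input rather than showing a prompt, so `gpg --version` is a clearer install check; and the warning explanations at the end are prose placed inside a `code-block`, which will render as preformatted text.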