StrongDM Binary Verification

Last modified on February 1, 2023

Overview

StrongDM binary files can be verified using the binary verification endpoint or by checking the SHA-256 checksum values displayed in the Admin UI.

The binary verification endpoint returns Secure Hash Algorithm (SHA) digests for StrongDM release binaries, which adds a check on the integrity of the files you download. Downloaded binary files for the StrongDM Desktop, CLI, and relays or gateways can be compared against the endpoint's values to confirm they are authentic.

This article describes how to use the endpoint to display a hash value that validates that the downloaded binary is genuine without revealing the file contents. The endpoint can be reached at:

https://app.strongdm.com/sha

Query Parameters for Binary Verification

When calling the binary verification endpoint, you can pass several query parameters, such as os, arch, software, version, or variant. As in the following example, you can add these pre-defined strings to the base https://app.strongdm.com/sha URL. For more information about each parameter, check the query parameter definitions table.

https://app.strongdm.com/sha?os=darwin&arch=amd64&software=sdm-cli&version=33.57.0

Query parameter definitions

The following table lists the query parameters that can be used with the binary verification endpoint. You can read more about their requirement status, usage, and possible values.

| Query parameters | Requirement | Description | Possible values |
|---|---|---|---|
| os | Required | Operating system | darwin, docker, linux, windows |
| arch | Required | Architecture | amd64, arm64, universal, 386 |
| software | Required | StrongDM CLI or GUI | sdm-cli, sdm-gui |
| version | Required | Version number | XX.YY.Z |
| variant | Optional | Binary variant | full, relay, static |

Query parameter combinations

You can combine query parameters in a number of ways when using the binary verification endpoint. To view acceptable combinations, see the following table.

| Software | OS | Arch | Variant | Description |
|---|---|---|---|---|
| sdm-cli | darwin | amd64 | | |
| sdm-cli | darwin | arm64 | | |
| sdm-cli | docker | amd64 | | |
| sdm-cli | docker | amd64 | relay | Binary is configured in a way to start a gateway or relay. Default client variant starts the listener instead. |
| sdm-cli | linux | amd64 | | |
| sdm-cli | linux | amd64 | static | Binary is statically compiled and works best with Alpine-based Linux images based on musl libc. Default variant is dynamically compiled. |
| sdm-cli | linux | arm64 | | |
| sdm-cli | windows | 386 | | |
| sdm-cli | windows | amd64 | | |
| sdm-gui | darwin | universal | | |
| sdm-gui | darwin | universal | full | Binary of the installer. Default includes only the upgrade deltas. |
| sdm-gui | windows | 386 | | |
| sdm-gui | windows | 386 | full | Binary of the installer. Default includes only the upgrade deltas. |

Usage Example

You can use the binary verification endpoint to validate any StrongDM binary. This particular example shows how to use the endpoint to validate the downloaded CLI binary. Note that depending on your distribution, your commands for downloading files, verifying checksums, and so forth may be different from the steps here.

  1. Get the download link to your binary file. See the Download & Install section of the Admin UI for all binaries. In this example, we are using curl to get the download link to the CLI binary for our production instance:

    curl https://app.strongdm.com/releases/cli/darwin
    

    In return, we get a link to a ZIP file with a SHA hash value:

    <a href="https://downloads.strongdm.com/builds/sdm-cli/34.65.0/darwin/amd64/AB5C20F504299A6509E00E67D160ECD6D092F4E9/sdmcli_34.65.0_darwin_amd64.zip">Temporary Redirect</a>.
    

    You can also use the upgrade path to get a download link to your CLI binary with a SHA hash value:

    curl 'https://app.strongdm.com/releases/upgrade?os=darwin&arch=amd64&software=sdm-cli&version=<VERSION_NUMBER>'
    

    The output for the previous command is similar to:

    {
       "url":"https://downloads.strongdm.com/builds/sdm-cli/34.65.0/darwin/amd64/AB5C20F504299A6509E00E67D160ECD6D092F4E9/sdmcli_34.65.0_darwin_amd64.zip",
       "version":"34.65.0",
       "size":16823838,
       "sha_1":"AB5C20F504299A6509E00E67D160ECD6D092F4E9",
       "sha256":"2676F838EACAE2EAA234D31C458D1B321F3C9EC46F7598DA72A70777F52E29ED",
       "software":"sdm-cli",
       "os":"darwin",
       "arch":"amd64"
    }
    
  2. Download the file:

    wget https://downloads.strongdm.com/builds/sdm-cli/34.65.0/darwin/amd64/AB5C20F504299A6509E00E67D160ECD6D092F4E9/sdmcli_34.65.0_darwin_amd64.zip
    
  3. Call the binary verification endpoint using your query parameters to get SHA hash values:

    curl 'https://app.strongdm.com/sha?os=darwin&arch=amd64&software=sdm-cli&version=34.65.0'
    

    This output is produced:

    {
       "sha1":"AB5C20F504299A6509E00E67D160ECD6D092F4E9",
       "sha256":"2676F838EACAE2EAA234D31C458D1B321F3C9EC46F7598DA72A70777F52E29ED"
    }
    
  4. Verify the SHA-256 checksum of the downloaded file. When the SHA-256 hash value is returned, compare it to the SHA-256 value returned in Step 3. If the checksums are identical, you know the downloaded file is a legitimate copy.

    $ sha256sum sdmcli_34.65.0_darwin_amd64.zip
    2676F838EACAE2EAA234D31C458D1B321F3C9EC46F7598DA72A70777F52E29ED sdmcli_34.65.0_darwin_amd64.zip
    

    The following is an alternative way to verify the checksum:

    $ echo "4daf27a474a7e0f38ab452fa0b8afba70851741362784b574e841d01e53f8ede sdmcli_33.57.0_darwin_amd64.zip" | sha256sum --check
    sdmcli_33.57.0_darwin_amd64.zip: OK
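
Steps 3 and 4 as a script, added here as an example and not part of StrongDM's documentation or tooling: it pulls the `sha256` field out of the endpoint's JSON and compares it with the local file's digest regardless of hex case, failing closed when the response has no usable SHA-256. The function names, the 3-byte sample file and the sample response are constructed for illustration.

```sh
#!/bin/sh
# Added example (not StrongDM tooling): check a downloaded file against the
# "sha256" field of a /sha response. Function names are hypothetical.

# Print the "sha256" value from the endpoint's JSON, lowercased.
# Fails unless the value is exactly 64 hex characters.
expected_sha256() {
  exp=$(printf '%s' "$1" | tr -d ' \t\r\n' |
        sed -n 's/.*"sha256":"\([0-9A-Fa-f]*\)".*/\1/p' | tr 'A-F' 'a-f')
  [ "${#exp}" -eq 64 ] || return 1
  printf '%s\n' "$exp"
}

# Print the file's SHA-256 in lowercase hex (sha256sum on Linux, shasum on macOS).
local_sha256() {
  [ -f "$1" ] || return 1
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum < "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 < "$1" | cut -d' ' -f1
  else
    return 1
  fi
}

# verify_binary FILE JSON: returns 0 on match, 1 on mismatch, 2 if it could not check.
verify_binary() {
  want=$(expected_sha256 "$2") || { echo "no valid sha256 in response" >&2; return 2; }
  got=$(local_sha256 "$1") || { echo "cannot hash $1" >&2; return 2; }
  if [ "$got" = "$want" ]; then
    echo "OK: $1"
  else
    echo "MISMATCH: $1 (expected $want, got $got)" >&2
    return 1
  fi
}

# Constructed sample: a 3-byte file ("abc") and a response shaped like the
# /sha output above, carrying that file's digests in uppercase hex.
SAMPLE_JSON='{
   "sha1":"A9993E364706816ABA3E25717850C26C9CD0D89D",
   "sha256":"BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD"
}'
sample_file=$(mktemp)
printf 'abc' > "$sample_file"
verify_binary "$sample_file" "$SAMPLE_JSON"
```

Against a real download, pass the ZIP and the live response, for example `verify_binary sdmcli_34.65.0_darwin_amd64.zip "$(curl -fsS 'https://app.strongdm.com/sha?os=darwin&arch=amd64&software=sdm-cli&version=34.65.0')"`.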
    

If any errors occur, please copy them into an email and send them to support@strongdm.com.
