strongDM Binary Verification

The method by which verification of strongDM binary files may be performed is via the binary verification endpoint. The endpoint uses a Secure Hash Algorithm (SHA) that allows for increased file exchange security. Downloaded binary files for the strongDM Client, Windows Service Installer, and Gateways may be compared via the endpoint to verify that they are authentic. This article describes how to use the endpoint to display a hash value to validate that the downloaded binary is the authentic version without revealing the contents of the file.

The endpoint may be reached at:

https://app.strongdm.com/sha

Queries

When calling the endpoint, you can pass the following query arguments: os, arch, software, version, and/or variant.

Example with arguments:

https://app.strongdm.com/sha?os=darwin&arch=amd64&software=sdm-cli&version=33.57.0

Query arguments

Query argumentDescriptionPossible valuesRequirement
osOperating systemdarwin, docker, linux, windowsRequired
archArchitectureamd64, arm64, universal, 386Required
softwarestrongDM CLI or GUIsdm-cli, sdm-guiRequired
versionVersion numberXX.YY.ZRequired
variantvariantfull, relay, staticOptional

Acceptable query argument combinations

SoftwareOSArchVariant
sdm-clidarwinamd64
sdm-clidarwinarm64
sdm-clidockeramd64
sdm-clidockeramd64relay
sdm-clilinuxamd64
sdm-clilinuxamd64static
sdm-clilinuxarm64
sdm-cliwindows386
sdm-cliwindowsamd64
sdm-guidarwinuniversal
sdm-guidarwinuniversalfull
sdm-guiwindows386
sdm-guiwindows386full

Usage Example

You can use the endpoint to validate any strongDM binary. This particular example shows how to use the endpoint to validate the downloaded CLI binary.

Steps

Note that depending on your distribution, your commands for downloading files, verifying checksums, and so forth may be different from what is shown here. These steps are provided for example purposes only.

  1. Get the download link to your binary file. (See the Download & Install section of the Admin UI for all binaries.)

    In the following example, we use Curl to get the download link to the CLI binary for our production instance. In return, we get the link to a ZIP file with a SHA hash value.

    $ curl https://app.strongdm.com/releases/cli/darwin/productionexample
    <a href="https://downloads.strongdm.com/builds/sdm-cli/33.57.0/darwin/amd64/521DCB3D718C51CB82DBC78A9C21BBE047549403/sdmcli_33.57.0_darwin_amd64.zip">Temporary Redirect</a>.
    

    Alternatively, you can use the upgrade path to get a download link to your CLI binary with a SHA hash value.

    $ curl 'https://app.strongdm.com/releases/upgrade?os=darwin&arch=amd64&software=sdm-cli&version=productionexample'
    {"url":"https://downloads.strongdm.com/builds/sdm-cli/33.57.0/darwin/amd64/521DCB3D718C51CB82DBC78A9C21BBE047549403/sdmcli_33.57.0_darwin_amd64.zip","version":"33.57.0","size":16618727,"sha_1":"521DCB3D718C51CB82DBC78A9C21BBE047549403","software":"sdm-cli","os":"darwin","arch":"amd64"}
    
  2. Download the file:

    wget https://downloads.strongdm.com/builds/sdm-cli/33.57.0/darwin/amd64/521DCB3D718C51CB82DBC78A9C21BBE047549403/sdmcli_33.57.0_darwin_amd64.zip
    
  3. Call the endpoint with your query parameters to get SHA hash values:

    $ curl 'https://app.strongdm.com/sha?os=darwin&arch=amd64&software=sdm-cli&version=33.57.0'
       {
          "sha1":"521DCB3D718C51CB82DBC78A9C21BBE047549403",
          "sha256":"4DAF27A474A7E0F38AB452FA0B8AFBA70851741362784B574E841D01E53F8EDE"
       }
    
  4. Verify the SHA-256 checksum of the downloaded file, as in the following example. When the SHA-256 hash value is returned, compare it to the one that was returned in Step 3. If the checksums are identical, you know the downloaded file is a legitimate copy.

    $ sha256sum sdmcli_33.57.0_darwin_amd64.zip
    4daf27a474a7e0f38ab452fa0b8afba70851741362784b574e841d01e53f8ede  sdmcli_33.57.0_darwin_amd64.zip
    

    The following is an alternative way to verify the checksum:

    $ echo "4daf27a474a7e0f38ab452fa0b8afba70851741362784b574e841d01e53f8ede  sdmcli_33.57.0_darwin_amd64.zip" | sha256sum --check
    sdmcli_33.57.0_darwin_amd64.zip: OK
    

If any errors occur, please copy them into an email and send them to support@strongdm.com.

Top