In order to protect against external security threats, use these processes to validate that the agent on your device is the JumpCloud agent using the checksum file, and to verify the code signatures of executables on your devices.
Prerequisites:
- These steps should be performed by a JumpCloud administrator, or a user with administrator rights on the device.
Verifying the JumpCloud Agent from the Checksum File
The checksum file contains a list of every executable file that JumpCloud installs on a device.
To verify the checksum on the device:
- Download the checksum file: cdn02.jumpcloud.com/production/versions/<agent-version>/<checksum-filename>. The checksum filename is specific to the OS:
- Linux: checksumsLinux.json
- Mac: checksumsMac.json
- Windows: checksumsWindows.json
- To get the SHA-256 hash for a file, run the following command:
- Linux/Mac:
shasum -a 256 <filename>
- Windows:
certUtil -hashfile <filename> SHA256
- Linux/Mac:
- Compare the hash from the checksum file against the result from the above command. If the result of the above command does not match the hash from the file, the agent on the device is not from JumpCloud.
- If the hashes don't match, download the agent installer from JumpCloud, and re-install, or contact JumpCloud Support.
Verifying JumpCloud Executables from Code Signatures
A code signature is a traceable certificate attached to an executable that verifies the code’s origins and integrity. To see the code signatures used by JumpCloud, run the following commands:
Linux
Only installer files are signed. Linux does not provide an embedded signature mechanism.
To verify the code signature of the installer on Linux:
- Download the signature file: cdn02.jumpcloud.com/production/versions/<agent-version>/<installer-name>.sig, where <installer-name> is specific to the distribution. The signature file can only be downloaded if the full <installer-name> is provided:
- jcagent-amazon-2-aarch64.rpm.sig
- jcagent-amazon-2-x86_64.rpm.sig
- jcagent-amazon-2022-aarch64.rpm.sig
- jcagent-amazon-2022-x86_64.rpm.sig
- jcagent-centos-7-x86_64.rpm.sig
- jcagent-debian-10-x86_64.deb.sig
- jcagent-debian-11-aarch64.deb.sig
- jcagent-debian-11-x86_64.deb.sig
- jcagent-fedora-36-x86_64.rpm.sig
- jcagent-fedora-37-x86_64.rpm.sig
- jcagent-linuxmint-19-x86_64.deb.sig
- jcagent-linuxmint-20-x86_64.deb.sig
- jcagent-linuxmint-21-x86_64.deb.sig
- jcagent-redhat-7-x86_64.rpm.sig
- jcagent-redhat-8-x86_64.rpm.sig
- jcagent-redhat-9-aarch64.rpm.sig
- jcagent-redhat-9-x86_64.rpm.sig
- jcagent-rocky-8-x86_64.rpm.sig
- jcagent-rocky-9-aarch64.rpm.sig
- jcagent-rocky-9-x86_64.rpm.sig
- jcagent-ubuntu-18.04-aarch64.deb.sig
- jcagent-ubuntu-18.04-x86_64.deb.sig
- jcagent-ubuntu-20.04-aarch64.deb.sig
- jcagent-ubuntu-20.04-x86_64.deb.sig
- jcagent-ubuntu-22.04-aarch64.deb.sig
- jcagent-ubuntu-22.04-x86_64.deb.sig
- jcagent-pop-22.04-x86_64.deb.sig
- Run the following command in a terminal window:
gpg --verify /path/to/signature-file /path/to/file
MacOS
On macOS, JumpCloud binaries are signed with a Developer ID certificate issued by Apple. The signed binaries are notarized by Apple. The end result is a code signature that is anchored by Apple and signed with our Developer ID certificate. All of our Developer ID certificates should identify as “JUMPCLOUD INC”. The Nudge binary, however, is signed by “Clever DevOps,” and the Login Item is denoted as Mac Admins Open Source by the operating system.
To verify the code signature of an executable on a Mac:
- Run the following command:
codesign -dv --verbose=4 /path/to/file
- Example with expected result:
codesign -dv --verbose=4 /opt/jc/bin/jumpcloud-agent
...
Authority=Developer ID Application: JUMPCLOUD INC. (N985MXSH85)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
...
Windows
To verify the code signature of an executable on Windows:
- Run the following command in a Powershell window. All Windows executables are signed.
Get-AuthenticodeSignature /path/to/file
- Example of expected result:
Get-AuthenticodeSignature 'C:\Program Files\JumpCloud\jumpcloud-agent.exe'
SignerCertificate Status Path
C718470CD9A550629A3C55837ADAE08E3C176634 Valid jumpcloud-agent.exe