Verify JumpCloud Executables

In order to protect against external security threats, use these processes to validate that the agent on your device is the JumpCloud agent using the checksum file, and to verify the code signatures of executables on your devices. 

Prerequisites:

• These steps should be performed by a JumpCloud administrator, or a user with administrator rights on the device.

Verifying the JumpCloud Agent from the Checksum File

The checksum file contains a list of every executable file that JumpCloud installs on a device. 

To verify the checksum on the device:

1. Download the checksum file: cdn02.jumpcloud.com/production/versions/<agent-version>/<checksum-filename>. The checksum filename is specific to the OS:
   • Linux: checksumsLinux.json 
   • Mac: checksumsMac.json
   • Windows: checksumsWindows.json
2. To get the SHA-256 hash for a file, run the following command:
   • Linux/Mac: shasum -a 256 <filename>
   • Windows: certUtil -hashfile <filename> SHA256
3. Compare the hash from the checksum file against the result from the above command. If the result of the above command does not match the hash from the file, the agent on the device is not from JumpCloud.
   • If the hashes don’t match, download the agent installer from JumpCloud, and re-install, or contact JumpCloud Support.

Verifying JumpCloud Executables from Code Signatures

A code signature is a traceable certificate attached to an executable that verifies the code’s origins and integrity. To see the code signatures used by JumpCloud, run the following commands:

Linux

To verify the code signature of the installer on Linux: 

1. Download the signature file: cdn02.jumpcloud.com/production/versions/<agent-version>/<installer-name>.sig, where <installer-name> is specific to the distribution. The signature file can only be downloaded if the full <installer-name> is provided:
   • jcagent-amazon-2-aarch64.rpm.sig 
   • jcagent-amazon-2-x86_64.rpm.sig 
   • jcagent-amazon-2022-aarch64.rpm.sig
   • jcagent-amazon-2022-x86_64.rpm.sig
   • jcagent-centos-7-x86_64.rpm.sig
   • jcagent-debian-10-x86_64.deb.sig
   • jcagent-debian-11-aarch64.deb.sig 
   • jcagent-debian-11-x86_64.deb.sig
   • jcagent-fedora-36-x86_64.rpm.sig 
   • jcagent-fedora-37-x86_64.rpm.sig 
   • jcagent-linuxmint-19-x86_64.deb.sig 
   • jcagent-linuxmint-20-x86_64.deb.sig 
   • jcagent-linuxmint-21-x86_64.deb.sig 
   • jcagent-redhat-7-x86_64.rpm.sig
   • jcagent-redhat-8-x86_64.rpm.sig 
   • jcagent-redhat-9-aarch64.rpm.sig 
   • jcagent-redhat-9-x86_64.rpm.sig
   • jcagent-rocky-8-x86_64.rpm.sig
   • jcagent-rocky-9-aarch64.rpm.sig 
   • jcagent-rocky-9-x86_64.rpm.sig
   • jcagent-ubuntu-18.04-aarch64.deb.sig 
   • jcagent-ubuntu-18.04-x86_64.deb.sig
   • jcagent-ubuntu-20.04-aarch64.deb.sig 
   • jcagent-ubuntu-20.04-x86_64.deb.sig
   • jcagent-ubuntu-22.04-aarch64.deb.sig 
   • jcagent-ubuntu-22.04-x86_64.deb.sig
   • jcagent-pop-22.04-x86_64.deb.sig
2. Run gpg –verify /path/to/signature-file /path/to/file in a terminal window.

MacOS

On macOS, JumpCloud binaries are signed with a Developer ID certificate issued by Apple. The signed binaries are notarized by Apple. The end result is a code signature that is anchored by Apple and signed with our Developer ID certificate. All of our Developer ID certificates should identify as “JUMPCLOUD INC”. The Nudge binary, however, is signed by “Clever DevOps,” and the Login Item is denoted as Mac Admins Open Source by the operating system.

To verify the code signature of an executable on a Mac:

1. Run the following command: codesign -dv –verbose=4 /path/to/file
2. Example with expected result:

Windows

To verify the code signature of an executable on Windows:

1. Run Get-AuthenticodeSignature /path/to/file in a Powershell window. All Windows executables are signed.
2. Example of expected result: