Verify JumpCloud Executables

In order to protect against external security threats, use these processes to validate that the agent on your device is the JumpCloud agent using the checksum file, and to verify the code signatures of executables on your devices. 

Prerequisites:

  • These steps should be performed by a JumpCloud administrator, or a user with administrator rights on the device.

Verifying the JumpCloud Agent from the Checksum File

The checksum file contains a list of every executable file that JumpCloud installs on a device. 

To verify the checksum on the device:

  1. Download the checksum file: cdn02.jumpcloud.com/production/versions/<agent-version>/<checksum-filename>. The checksum filename is specific to the OS:
    • Linux: checksumsLinux.json 
    • Mac: checksumsMac.json
    • Windows: checksumsWindows.json
  2. To get the SHA-256 hash for a file, run the following command:
    • Linux/Mac: shasum -a 256 <filename>
    • Windows: certUtil -hashfile <filename> SHA256
  3. Compare the hash from the checksum file against the result from the above command. If the result of the above command does not match the hash from the file, the agent on the device is not from JumpCloud.
    • If the hashes don’t match, download the agent installer from JumpCloud, and re-install, or contact JumpCloud Support.

Verifying JumpCloud Executables from Code Signatures

A code signature is a traceable certificate attached to an executable that verifies the code’s origins and integrity. To see the code signatures used by JumpCloud, run the following commands:

Linux

Note:

Only installer files are signed. Linux does not provide an embedded signature mechanism.

To verify the code signature of the installer on Linux

  1. Download the signature file: cdn02.jumpcloud.com/production/versions/<agent-version>/<installer-name>.sig, where <installer-name> is specific to the distribution. The signature file can only be downloaded if the full <installer-name> is provided:
    • jcagent-amazon-2-aarch64.rpm.sig 
    • jcagent-amazon-2-x86_64.rpm.sig 
    • jcagent-amazon-2022-aarch64.rpm.sig
    • jcagent-amazon-2022-x86_64.rpm.sig
    • jcagent-centos-7-x86_64.rpm.sig
    • jcagent-debian-10-x86_64.deb.sig
    • jcagent-debian-11-aarch64.deb.sig 
    • jcagent-debian-11-x86_64.deb.sig
    • jcagent-fedora-36-x86_64.rpm.sig 
    • jcagent-fedora-37-x86_64.rpm.sig 
    • jcagent-linuxmint-19-x86_64.deb.sig 
    • jcagent-linuxmint-20-x86_64.deb.sig 
    • jcagent-linuxmint-21-x86_64.deb.sig 
    • jcagent-redhat-7-x86_64.rpm.sig
    • jcagent-redhat-8-x86_64.rpm.sig 
    • jcagent-redhat-9-aarch64.rpm.sig 
    • jcagent-redhat-9-x86_64.rpm.sig
    • jcagent-rocky-8-x86_64.rpm.sig
    • jcagent-rocky-9-aarch64.rpm.sig 
    • jcagent-rocky-9-x86_64.rpm.sig
    • jcagent-ubuntu-18.04-aarch64.deb.sig 
    • jcagent-ubuntu-18.04-x86_64.deb.sig
    • jcagent-ubuntu-20.04-aarch64.deb.sig 
    • jcagent-ubuntu-20.04-x86_64.deb.sig
    • jcagent-ubuntu-22.04-aarch64.deb.sig 
    • jcagent-ubuntu-22.04-x86_64.deb.sig
    • jcagent-pop-22.04-x86_64.deb.sig
  2. Run gpg –verify /path/to/signature-file /path/to/file in a terminal window.

MacOS

On macOS, JumpCloud binaries are signed with a Developer ID certificate issued by Apple. The signed binaries are notarized by Apple. The end result is a code signature that is anchored by Apple and signed with our Developer ID certificate. All of our Developer ID certificates should identify as “JUMPCLOUD INC”. The Nudge binary, however, is signed by “Clever DevOps”.

To verify the code signature of an executable on a Mac:

  1. Run the following command: codesign -dv –verbose=4 /path/to/file
  2. Example with expected result:

codesign -dv --verbose=4 /opt/jc/bin/jumpcloud-agent
...
Authority=Developer ID Application: JUMPCLOUD INC. (N985MXSH85)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
...

Windows

To verify the code signature of an executable on Windows:

  1. Run Get-AuthenticodeSignature /path/to/file in a Powershell window. All Windows executables are signed.
  2. Example of expected result:

Get-AuthenticodeSignature 'C:\Program Files\JumpCloud\jumpcloud-agent.exe'

SignerCertificate                         Status                   Path

C718470CD9A550629A3C55837ADAE08E3C176634  Valid                    jumpcloud-agent.exe

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case