
Bug: fingerprint of downloader doesn't match docs (macos arm64)

Open valentin-krasontovitsch opened this issue 2 months ago • 5 comments

Description:

I have downloaded the macOS installer for arm64 and tried to verify the package authenticity. Running the verify command, I get

$ pkgutil --check-signature aws-sam-cli-macos-arm64.pkg
Package "aws-sam-cli-macos-arm64.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Notarization: trusted by the Apple notary service
   Signed with a trusted timestamp on: 2025-10-21 22:19:14 +0000
   Certificate Chain:
    1. Developer ID Installer: AMZN Mobile LLC (94KV3E626L)
       Expires: 2030-09-26 00:18:06 +0000
       SHA256 Fingerprint:
           5C 45 BE 63 FD 52 10 07 2D 66 56 77 5C A9 FF 25 91 6D 3F 01 F7 0E
           9A 8A 05 F6 2D 62 B2 88 8D A9
       ------------------------------------------------------------------------
    2. Developer ID Certification Authority
       Expires: 2031-09-17 00:00:00 +0000
       SHA256 Fingerprint:
           F1 6C D3 C5 4C 7F 83 CE A4 BF 1A 3E 6A 08 19 C8 AA A8 E4 A1 52 8F
           D1 44 71 5F 35 06 43 D2 DF 3A
       ------------------------------------------------------------------------
    3. Apple Root CA
       Expires: 2035-02-09 21:40:36 +0000
       SHA256 Fingerprint:
           B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C
           68 C5 BE 91 B5 A1 10 01 F0 24

In particular, the first fingerprint, for AMZN Mobile LLC,

5C 45 BE 63 FD 52 10 07 2D 66 56 77 5C A9 FF 25 91 6D 3F 01 F7 0E 9A 8A 05 F6 2D 62 B2 88 8D A9

does not match the one documented in the verification instructions:

49 68 39 4A BA 83 3B F0 CC 5E 98 3B E7 C1 72 AC 85 97 65 18 B9 4C BA 34 62 BF E9 23 76 98 C5 DA

Steps to reproduce:

  1. Download the installer from https://github.com/aws/aws-sam-cli/releases/latest/download/aws-sam-cli-macos-arm64.pkg
  2. Run pkgutil --check-signature aws-sam-cli-macos-arm64.pkg
  3. Compare the appropriate fingerprint from the output to the fingerprint documented on the website

Additional environment details (Ex: Windows, Mac, Amazon Linux etc)

  1. OS: MacOS

valentin-krasontovitsch avatar Oct 30 '25 08:10 valentin-krasontovitsch
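A check that automates step 3 of the report, added here as an example and not code from the issue or the aws-sam-cli project: it parses the wrapped SHA256 fingerprint lines that pkgutil --check-signature prints, normalizes them, and compares the signer certificate's fingerprint with the documented one, so a rotation like the one reported fails loudly instead of depending on eyeballing two hex strings. The sample output and the documented fingerprint are the ones quoted above; check_pkg is a hypothetical wrapper for running the same comparison on a real .pkg on macOS.

```python
import re
import subprocess
# pkgutil --check-signature output as quoted in the issue above, embedded as
# constructed sample input so the check runs without macOS or the .pkg file.
SAMPLE_OUTPUT = """Package "aws-sam-cli-macos-arm64.pkg":
   Certificate Chain:
    1. Developer ID Installer: AMZN Mobile LLC (94KV3E626L)
       Expires: 2030-09-26 00:18:06 +0000
       SHA256 Fingerprint:
           5C 45 BE 63 FD 52 10 07 2D 66 56 77 5C A9 FF 25 91 6D 3F 01 F7 0E
           9A 8A 05 F6 2D 62 B2 88 8D A9
    2. Developer ID Certification Authority
       SHA256 Fingerprint:
           F1 6C D3 C5 4C 7F 83 CE A4 BF 1A 3E 6A 08 19 C8 AA A8 E4 A1 52 8F
           D1 44 71 5F 35 06 43 D2 DF 3A
"""
# Fingerprint the docs listed at the time of the report, as quoted in the issue.
DOCUMENTED = "49 68 39 4A BA 83 3B F0 CC 5E 98 3B E7 C1 72 AC 85 97 65 18 B9 4C BA 34 62 BF E9 23 76 98 C5 DA"

def normalize(fp: str) -> str:
    """Drop spaces, colons and line breaks and upper-case, so wrapped output compares cleanly."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()

def parse_chain(output: str) -> dict:
    """Map each chain entry's subject to its SHA256 fingerprint, rejoining wrapped hex lines."""
    chain, subject, hexbuf = {}, None, []
    for line in output.splitlines():
        m = re.match(r"\s*\d+\.\s+(.*\S)", line)           # "1. Developer ID Installer: ..."
        if m:
            if subject:
                chain[subject] = normalize("".join(hexbuf))
            subject, hexbuf = m.group(1), []
        elif subject and re.fullmatch(r"\s*(?:[0-9A-Fa-f]{2}\s*)+", line):
            hexbuf.append(line)                             # one line of hex byte pairs
    if subject:
        chain[subject] = normalize("".join(hexbuf))
    return chain

def check_leaf(output: str, expected: str) -> dict:
    """Compare the leaf (signer) certificate's fingerprint against the documented one."""
    subject, observed = next(iter(parse_chain(output).items()))
    exp = normalize(expected)
    ok = len(observed) == 64 and len(exp) == 64 and observed == exp
    return {"subject": subject, "observed": observed, "expected": exp, "match": ok}

def check_pkg(path: str, expected: str = DOCUMENTED) -> dict:
    """Hypothetical wrapper: run the real check on a downloaded .pkg (macOS only)."""
    out = subprocess.run(["pkgutil", "--check-signature", path],
                         capture_output=True, text=True, check=True).stdout
    return check_leaf(out, expected)
```

On the sample above, check_leaf(SAMPLE_OUTPUT, DOCUMENTED)["match"] is False, which is exactly the mismatch the report describes.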

I am able to reproduce this issue. Examining more.

reedham-aws avatar Oct 30 '25 23:10 reedham-aws

It looks like the key was rotated automatically, but the documentation was not updated. I have raised this issue with the docs team and will leave this issue open until the documentation is changed. Thank you for bringing this to our attention!

reedham-aws avatar Oct 31 '25 16:10 reedham-aws

Sure thing, and thanks for checking it out and raising it further. Out of curiosity, if it's not sensitive info: when was the key rotated? 😊

valentin-krasontovitsch avatar Oct 31 '25 23:10 valentin-krasontovitsch

It was rotated 10/21.

reedham-aws avatar Nov 10 '25 19:11 reedham-aws

Oh my, that's quite a while ago 😅 Thanks for sharing!

valentin-krasontovitsch avatar Nov 15 '25 18:11 valentin-krasontovitsch