Verifying the authenticity of the agent installer

This article describes how you can verify that you have downloaded an authentic copy of the Uptrends Infra installer.

To use Uptrends Infra you have to download and install an Infra agent. Unfortunately, supply chain attacks are becoming more common, and a compromised download file is one way such an attack can reach you.

So, how do you know that the Uptrends Infra agent application you are installing is exactly the version we’ve built and that it hasn’t been changed by someone else in the meantime? You verify the hash of the file and check its signature. Install the file only when you have verified its authenticity!

Compare hashes

When you start to use Uptrends Infra or when you extend your setup to monitor from an additional machine, you are required to download an installer. More info about the installation and download links can be found in the articles Windows agent and Linux agent.

Once you have downloaded the installation file you have to compare the hash of the downloaded file with the hash of the original file.

The agent 2.0 has auto-update functionality: after the initial installation it will update itself. The automatic update has its own security mechanisms; see Security for auto-updates of the Infra agent in this article.

Hashes of the original files

In Uptrends Infra go to the menu Infrastructure > Install agent.

The Install agent popup opens. At the bottom you find the original hash values. Take note of these as you will compare them with the values of the downloaded files.

Note: The hash values in the screenshot above are not the real values and cannot be used for authentication. Open the popup yourself to get the real values.

Hashes of the downloaded file

To find out the hash for the file you downloaded, use the right method for your operating system.

Windows

The hash is obtained by running the Get-FileHash command on the file in Windows PowerShell.

Linux

The hash can be obtained with the sha256sum command.

Compare the hashes

Now, compare the hash that you obtained from the downloaded file with the hash from the installer popup. They need to match exactly.

If you find a mismatch or are in doubt about the authenticity of the downloaded file, please do not install it and contact support.
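The comparison described above can be scripted so that it does not depend on reading 64 characters by eye. The following is an added example, not part of the Uptrends tooling; the function names and the file name in the usage comment are placeholders. It normalizes case and whitespace because Get-FileHash prints upper-case hex while sha256sum prints lower-case.

```shell
#!/bin/sh
# Added example: compare a downloaded installer's SHA-256 with the value
# copied from the Install agent popup. Names here are placeholders.

# normalize_hash: strip whitespace and lower-case the hex digits, so a value
# copied from Get-FileHash (upper case) matches sha256sum output (lower case).
normalize_hash() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'A-F' 'a-f'
}

# verify_sha256 FILE EXPECTED_HASH
# Returns 0 on match, 1 on mismatch, 2 on unusable input.
verify_sha256() {
    file=$1
    expected=$(normalize_hash "$2")

    # A SHA-256 digest is exactly 64 hex characters. Reject anything else
    # (truncated paste, different algorithm) instead of comparing it.
    case $expected in
        *[!0-9a-f]*) echo "expected value is not hex" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "expected value is not a SHA-256 digest (need 64 hex chars)" >&2
        return 2
    fi
    if [ ! -f "$file" ]; then
        echo "file not found: $file" >&2
        return 2
    fi

    # Hash via stdin so an unusual file name cannot alter the output format;
    # sha256sum prints "<hash>  -", keep only the hash field.
    actual=$(sha256sum < "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: hash matches"
        return 0
    fi
    echo "MISMATCH: do not install $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Usage (placeholder file name and hash):
#   verify_sha256 ./agent-installer "<hash from the Install agent popup>"
```

A non-zero exit status means the file must not be installed: status 1 is a genuine mismatch, status 2 means the expected value or the file path was unusable and the check did not run.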

Security for auto-updates of the Infra agent

Starting with version 2.0 the Uptrends Infra agent has built-in auto-update functionality. This ensures that the agent is always on the latest version, including relevant fixes where applicable. This in itself adds security over running outdated software.

The agent 2.0 is based on .NET Core 3.1. This is the newest long-term version of the .NET Framework, giving optimal security compared to the older agent (version 1.0).

To ensure safety in the update process, we implemented a few steps that are carried out when the agent is automatically updated. The following security measures are taken:

  • The agent downloads a new version from a secure location.
  • We send the file hash to the agent to check if the downloaded update file is intact and identical to the version we are distributing. The new version is installed only when the file passes this check.
  • With every update we clean the agent installation folder of any unwanted binaries and executables.

File signatures

In addition to the hashes, all files from Uptrends or .NET Core that come with the agent download are signed to ensure authenticity. The Uptrends files have a specific Uptrends digital signature and the .NET Core files have a Microsoft digital signature.

Details of the Uptrends digital signature

Name of signer: Uptrends B.V.
Issuer: Sectigo RSA Code Signing CA, Sectigo Limited
Serial number: 00fab5312e775388bd8e75e492de49c2f5