This article describes how you can verify that you have downloaded an authentic copy of the Uptrends Infra installer.
To use Uptrends Infra you have to download and install an Infra agent. Supply chain attacks are becoming more frequent, and a compromised download file is one way such an attack is carried out.
So, how do you know that the Uptrends Infra agent application you are installing is exactly the version we’ve built and that it hasn’t been changed by someone else in the meantime? You have to verify the hash of the file and check its signature. Install the file only when you have verified its authenticity!
When you start to use Uptrends Infra or when you extend your setup to monitor from an additional machine, you are required to download an installer. More info about the installation and download links can be found in the articles Windows agent and Linux agent.
Once you have downloaded the installation file you have to compare the hash of the downloaded file with the hash of the original file.
The agent 2.0 has auto-update functionality: after the initial installation it will update itself. The automatic update has its own security mechanisms; see Security for agent auto-updates in this article.
Hashes of the original files
In Uptrends Infra go to the menu.
The Install agent popup opens. At the bottom you find the original hash values. Take note of these as you will compare them with the values of the downloaded files.
Hashes of the downloaded file
To find out the hash for the file you downloaded, use the right method for your operating system.
The hash is obtained by running the Get-FileHash command on the file in Windows PowerShell.
The hash can be obtained with the
Compare the hashes
Now, compare the hash that you obtained from the downloaded file with the hash from the installer popup. They need to match exactly.
If you find a mismatch or are in doubt about the authenticity of the downloaded file, please do not install it and contact support.
Security for auto-updates of the Infra agent
Starting with version 2.0, the Uptrends Infra agent has built-in auto-update functionality. This ensures that the agent is always on the latest version, including relevant fixes where applicable. This in itself adds security over running outdated software.
The agent 2.0 is based on .NET Core 3.1. This is the newest long-term version of the .NET Framework, giving optimal security compared to the older agent (version 1.0).
To ensure safety in the update process, we implemented a few steps that are carried out when the agent is automatically updated. The following security measures are taken:
- The agent downloads a new version from a secure location.
- We send the file hash to the agent to check if the downloaded update file is intact and identical to the version we are distributing. The new version is installed only when the file passes this check.
- With every update we clean the agent installation folder of any unwanted binaries and executables.
In addition to the hashes, all files from Uptrends or .NET Core that come with the agent download are signed to ensure authenticity. The Uptrends files have a specific Uptrends digital signature and the .NET Core files have a Microsoft digital signature.
Details of the Uptrends digital signature
|Name of signer|Uptrends B.V.|
|Issuer|Sectigo RSA Code Signing CA, Sectigo Limited|
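
The hash comparison and the signature check described in this article can be combined in one Windows PowerShell function. This is an added example, not Uptrends code: the function name, the SHA256 algorithm and the issuer common name are assumptions, and the path and hash shown in the usage comment are placeholders.

```powershell
# Added example, not Uptrends code. Test-InstallerAuthenticity is a hypothetical name.
function Test-InstallerAuthenticity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedHash,        # value copied from the Install agent popup
        [string] $Algorithm      = 'SHA256',                  # assumption: the page does not name the algorithm
        [string] $ExpectedSigner = 'Uptrends B.V.',           # "Name of signer" from the table above
        [string] $ExpectedIssuer = 'Sectigo RSA Code Signing CA'  # assumption: issuer common name
    )
    $problems = @()

    # 1. Hash: strip whitespace picked up while copying; -ne on strings is case-insensitive.
    $expected = $ExpectedHash -replace '\s', ''
    $actual   = (Get-FileHash -LiteralPath $Path -Algorithm $Algorithm).Hash
    if ($actual -ne $expected) {
        $problems += "Hash mismatch: expected $expected, got $actual"
    }

    # 2. Authenticode signature: must be valid and issued to the expected signer by the expected issuer.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        $problems += "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
    } else {
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $signer = $sig.SignerCertificate.GetNameInfo($nameType, $false)  # subject name
        $issuer = $sig.SignerCertificate.GetNameInfo($nameType, $true)   # issuer name
        if ($signer -ne $ExpectedSigner) { $problems += "Unexpected signer: $signer" }
        if ($issuer -ne $ExpectedIssuer) { $problems += "Unexpected issuer: $issuer" }
    }

    # Report every failed check, then return a single pass/fail result.
    $problems | ForEach-Object { Write-Warning $_ }
    return ($problems.Count -eq 0)
}

# Usage (placeholder path and hash):
# Test-InstallerAuthenticity -Path '.\<installer file>' -ExpectedHash '<hash from the Install agent popup>'
```

The function returns `$true` only when both checks pass; a `$false` result corresponds to the "do not install it and contact support" case above.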