# StrongDM Binary Verification

### Overview

StrongDM binary files can be verified using the Binary Verification endpoint or by checking the SHA-256 checksum values displayed in the Admin UI.

The Binary Verification endpoint returns Secure Hash Algorithm (SHA) digests for a given StrongDM release. You can compare downloaded binary files for the StrongDM Desktop, CLI, and relays or gateways against these values to confirm they are authentic.

This article describes how to use the endpoint to display a hash value that validates the downloaded binary is genuine without revealing the file contents. The endpoint can be reached at:

```http
https://app.strongdm.com/sha
```

### Query Parameters for Binary Verification

When calling the Binary Verification endpoint, you can pass several query parameters, such as `os`, `arch`, `software`, `version`, or `variant`. As in the following example, you can add these predefined strings to the base URL `https://app.strongdm.com/sha`.

```http
https://app.strongdm.com/sha?os=darwin&arch=amd64&software=sdm-cli&version=33.57.0
```

For more information about each parameter, check the [query parameter definitions](#query-parameter-definitions) table.

#### Query parameter definitions

The following table lists the query parameters that can be used with the Binary Verification endpoint. You can read more about their requirement status, usage, and possible values.

| Query parameter | Requirement | Description                                                                                        | Possible values                        |
| --------------- | ----------- | -------------------------------------------------------------------------------------------------- | -------------------------------------- |
| `os`            | Required    | Operating system                                                                                   | `darwin`, `docker`, `linux`, `windows` |
| `arch`          | Required    | Architecture                                                                                       | `amd64`, `arm64`, `universal`, `386`   |
| `redirect`      | Optional    | Direct download link                                                                               | `true`, `false`                        |
| `software`      | Required    | StrongDM CLI or desktop app                                                                        | `sdm-cli`, `desktop`                   |
| `version`       | Required    | Version number or your organization's web domain value (copy value from Admin UI general settings) | `XX.YY.Z`, `<WEB_DOMAIN_VALUE>`        |
| `variant`       | Optional    | Binary variant                                                                                     | `full`, `relay`, `static`              |

#### Query parameter combinations

You can combine query parameters in a number of ways when using the Binary Verification endpoint. To view acceptable combinations, see the following table.

| Software  | OS        | Arch        | Variant  | Description                                                                                                                                        |
| --------- | --------- | ----------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------- |
| `sdm-cli` | `darwin`  | `amd64`     |          |                                                                                                                                                    |
| `sdm-cli` | `darwin`  | `arm64`     |          |                                                                                                                                                    |
| `sdm-cli` | `docker`  | `amd64`     |          |                                                                                                                                                    |
| `sdm-cli` | `docker`  | `amd64`     | `relay`  | Binary is configured in a way to start a gateway or relay. Default client variant starts the listener instead.                                     |
| `sdm-cli` | `linux`   | `amd64`     |          |                                                                                                                                                    |
| `sdm-cli` | `linux`   | `amd64`     | `static` | Binary is statically compiled and works best with Alpine-based Linux images based on musl libc. Default variant is dynamically compiled.           |
| `sdm-cli` | `linux`   | `arm64`     |          |                                                                                                                                                    |
| `sdm-cli` | `windows` | `386`       |          |                                                                                                                                                    |
| `sdm-cli` | `windows` | `amd64`     |          |                                                                                                                                                    |
| `desktop` | `darwin`  | `universal` |          |                                                                                                                                                    |
| `desktop` | `darwin`  | `universal` | `full`   | Binary of the installer; default includes only the upgrade deltas                                                                                  |
| `desktop` | `windows` | `386`       |          |                                                                                                                                                    |
| `desktop` | `windows` | `386`       | `full`   | Binary of the installer; default includes only the upgrade deltas                                                                                  |

### Usage Example

You can use the Binary Verification endpoint to validate any StrongDM binary. This particular example shows how to use the endpoint to validate the downloaded CLI binary. Note that depending on your distribution, your commands for downloading files, verifying checksums, and so forth may be different from the steps here.

1. Get the download link to your binary file. See the **Download & Install** section of the Admin UI for all binaries. In this example, we are using curl to get the download link to the CLI binary for our production instance:

   ```shell
   curl https://app.strongdm.com/releases/cli/darwin
   ```

   In return, we get a link to a ZIP file with a SHA hash value:

   ```html
   <a href="https://downloads.strongdm.com/builds/sdm-cli/34.65.0/darwin/amd64/AB5C20F504299A6509E00E67D160ECD6D092F4E9/sdmcli_34.65.0_darwin_amd64.zip">Temporary Redirect</a>.
   ```

   You can also use the upgrade path to get a download link to your CLI binary with a SHA hash value:

   ```shell
   curl 'https://app.strongdm.com/releases/upgrade?os=darwin&arch=amd64&software=sdm-cli&version=<VERSION_NUMBER>'
   ```

   The output for the previous command is similar to:

   ```json
   {
      "url":"https://downloads.strongdm.com/builds/sdm-cli/34.65.0/darwin/amd64/AB5C20F504299A6509E00E67D160ECD6D092F4E9/sdmcli_34.65.0_darwin_amd64.zip",
      "version":"34.65.0",
      "size":16823838,
      "sha_1":"AB5C20F504299A6509E00E67D160ECD6D092F4E9",
      "sha256":"2676F838EACAE2EAA234D31C458D1B321F3C9EC46F7598DA72A70777F52E29ED",
      "sha512":"22E1599D741CF7E98E7008E01D630AAABCE9026C618B674B34C4DA8304F90ECB1863B20FEC01B1AACC02E70D1B83D7E5784C145E8084AB7394F4D375D8579C9C",
      "software":"sdm-cli",
      "os":"darwin",
      "arch":"amd64"
   }
   ```

   Alternatively, you can use the [Release endpoint](/admin/clients/release-endpoint.md) to get a download link with SHA hash values.
2. Download the file:

   ```shell
   wget https://downloads.strongdm.com/builds/sdm-cli/34.65.0/darwin/amd64/AB5C20F504299A6509E00E67D160ECD6D092F4E9/sdmcli_34.65.0_darwin_amd64.zip
   ```
3. Call the Binary Verification endpoint using your query parameters to get SHA hash values:

   ```shell
   curl 'https://app.strongdm.com/sha?os=darwin&arch=amd64&software=sdm-cli&version=34.65.0'
   ```

   This output is produced:

   ```json
   {
      "sha1":"AB5C20F504299A6509E00E67D160ECD6D092F4E9",
      "sha256":"2676F838EACAE2EAA234D31C458D1B321F3C9EC46F7598DA72A70777F52E29ED",
      "sha512":"22E1599D741CF7E98E7008E01D630AAABCE9026C618B674B34C4DA8304F90ECB1863B20FEC01B1AACC02E70D1B83D7E5784C145E8084AB7394F4D375D8579C9C"
   }
   ```
4. Verify the SHA checksums of the downloaded file. Compute the file's SHA checksum locally and compare it to the values returned in Step 3. If the checksums are identical, you know the downloaded file is a legitimate copy.

   ```shell
   $ sha512sum sdmcli_34.65.0_darwin_amd64.zip
   22E1599D741CF7E98E7008E01D630AAABCE9026C618B674B34C4DA8304F90ECB1863B20FEC01B1AACC02E70D1B83D7E5784C145E8084AB7394F4D375D8579C9C sdmcli_34.65.0_darwin_amd64.zip
   ```

   The following is an alternative way to verify the checksum:

   ```shell
   $ echo "22E1599D741CF7E98E7008E01D630AAABCE9026C618B674B34C4DA8304F90ECB1863B20FEC01B1AACC02E70D1B83D7E5784C145E8084AB7394F4D375D8579C9C sdmcli_34.65.0_darwin_amd64.zip" | sha512sum --check
   sdmcli_34.65.0_darwin_amd64.zip: OK
   ```
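Steps 3 and 4 can be scripted so that a mismatch, or a missing or truncated expected value, fails a deployment job instead of relying on a visual comparison. The following is an added example, not StrongDM tooling: the function names `sdm_json_hash`, `sdm_file_hash`, and `sdm_verify` are hypothetical, and it assumes `sha256sum` and `sha512sum` are on the `PATH`. Hex case is normalized because the endpoint's JSON uses uppercase while GNU coreutils prints lowercase.

```shell
#!/bin/sh
# Added example (not StrongDM code): verify a downloaded file against the
# JSON document returned by the Binary Verification endpoint.

# Extract one hash field ("sha256" or "sha512") from the JSON as lowercase hex.
# Prints nothing if the field is absent or its value is not pure hex.
sdm_json_hash() {  # usage: sdm_json_hash <field> <json>
    printf '%s' "$2" | tr -d ' \n\r\t' |
        sed -n "s/.*\"$1\":\"\([0-9A-Fa-f]*\)\".*/\1/p" |
        tr 'A-F' 'a-f'
}

# Compute a file's digest as lowercase hex. Reading from stdin avoids the
# backslash-escaped output format coreutils uses for unusual file names.
sdm_file_hash() {  # usage: sdm_file_hash <256|512> <file>
    "sha${1}sum" < "$2" | cut -d ' ' -f 1 | tr 'A-F' 'a-f'
}

# Exit status: 0 = SHA-256 and SHA-512 both match, 1 = mismatch,
# 2 = unusable input (unreadable file, missing or truncated expected hash).
sdm_verify() {  # usage: sdm_verify <file> <json>
    [ -r "$1" ] || { echo "$1: not readable" >&2; return 2; }
    for bits in 256 512; do
        expected=$(sdm_json_hash "sha$bits" "$2")
        # An empty or short expected value must fail closed, never "match".
        if [ "${#expected}" -ne $((bits / 4)) ]; then
            echo "sha$bits: expected value missing or malformed" >&2
            return 2
        fi
        actual=$(sdm_file_hash "$bits" "$1")
        if [ "$actual" != "$expected" ]; then
            echo "$1: sha$bits MISMATCH" >&2
            return 1
        fi
    done
    echo "$1: OK"
}

# Usage with the values from this page:
#   json=$(curl -fsS 'https://app.strongdm.com/sha?os=darwin&arch=amd64&software=sdm-cli&version=34.65.0')
#   sdm_verify sdmcli_34.65.0_darwin_amd64.zip "$json" || exit 1
```
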

