Verify Integrity of MongoDB Packages
The MongoDB release team digitally signs all software packages to certify that a particular MongoDB package is a valid and unaltered MongoDB release. Before installing MongoDB, you should validate the package using either the provided PGP signature or the SHA-256 checksum.
PGP signatures provide the strongest guarantee: a good signature from the MongoDB release key establishes both the authenticity of the file (it was published by MongoDB) and its integrity (it has not been altered since), so it protects against deliberate tampering as well as accidental corruption.
A SHA-256 checksum only confirms that the file you downloaded matches the file that was published, which protects against network transmission errors and truncated downloads. Because the checksum is fetched from the same server over the same channel as the package, it cannot detect an attacker who is able to replace both; prefer the PGP check where it is available.
Verify Linux/macOS Packages
Use PGP/GPG
MongoDB signs each release branch with a different PGP key. The public key files for each release branch since MongoDB 2.2 are available for download from the key server in both textual .asc and binary .pub formats.
Download the MongoDB installation file.
Download the binaries from the MongoDB Download Center based on your environment.
For example, to download the 4.2.1 release for macOS through the shell, run this command:
- curl -LO https://fastdl.mongodb.org/osx/mongodb-macos-x86_64-4.2.1.tgz
Download the detached signature file (.sig) for the package.
- curl -LO https://fastdl.mongodb.org/osx/mongodb-macos-x86_64-4.2.1.tgz.sig
Download then import the key file.
If you have not downloaded and imported the MongoDB 4.2 public key, run these commands:
- curl -LO https://www.mongodb.org/static/pgp/server-4.2.asc
- gpg --import server-4.2.asc
gpg should return this response:
- gpg: key 4B7C549A058F8B6B: "MongoDB 4.2 Release Signing Key <packaging@mongodb.com>" imported
- gpg: Total number processed: 1
- gpg: imported: 1
Verify the MongoDB installation file.
Run this command:
- gpg --verify mongodb-macos-x86_64-4.2.1.tgz.sig mongodb-macos-x86_64-4.2.1.tgz
GPG should return this response:
- gpg: Signature made Wed Jun 5 03:17:20 2019 EDT
- gpg: using RSA key 4B7C549A058F8B6B
- gpg: Good signature from "MongoDB 4.2 Release Signing Key <packaging@mongodb.com>" [unknown]
If the package is properly signed, but you do not currently trust the signing key in your local trustdb, gpg will also return the following message:
- gpg: WARNING: This key is not certified with a trusted signature!
- gpg: There is no indication that the signature belongs to the owner.
- Primary key fingerprint: E162 F504 A20C DF15 827F 718D 4B7C 549A 058F 8B6B
This warning concerns only the trust level you have assigned to the key in your own keyring; the signature itself is valid. It does, however, mean that "Good signature" is printed for any key you happen to have imported, so compare the primary key fingerprint shown here against the fingerprint published for that release branch on the MongoDB key server, obtained over a separate channel, before relying on the result.
If you receive the following error message, confirm that you imported the correct public key:
- gpg: Can't check signature: public key not found
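The PGP procedure above, carried through as an added shell example that is not MongoDB's own tooling. It pins the signing-key fingerprint taken from the gpg output on this page rather than relying on gpg's exit status, which is 0 for a valid signature from any imported key, trusted or not. The names `pgp_status_ok`, `verify_mongodb_pgp` and `MONGODB_42_FPR` are introduced here; the `[GNUPG:]` status lines are the format gpg emits with `--status-fd`.

```shell
#!/bin/sh
# Added example, not MongoDB's own tooling: verify a release tarball with gpg
# while pinning the expected signing-key fingerprint.
#
# `gpg --verify` exits 0 for a valid signature from *any* key in your keyring,
# even one it warns is "not certified". Checking the fingerprint in gpg's
# machine-readable status output closes that gap.

# Fingerprint of the MongoDB 4.2 release signing key, as printed by gpg above.
MONGODB_42_FPR="E162F504A20CDF15827F718D4B7C549A058F8B6B"

# pgp_status_ok EXPECTED_FPR   (status lines from `gpg --status-fd` on stdin)
# Returns 0 only if a VALIDSIG line carries the expected primary-key fingerprint
# and no failure token (BADSIG, ERRSIG, NO_PUBKEY, ...) appears. Expired or
# revoked keys are rejected too; that is deliberately stricter than gpg's exit code.
pgp_status_ok() {
    expected=$(printf '%s' "$1" | tr 'a-f' 'A-F' | tr -d ' ')   # accept the spaced form too
    status=$(cat)
    if printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG)'; then
        return 1
    fi
    # VALIDSIG <sig-key-fpr> <date> <ts> <exp-ts> <ver> <rsv> <pk-algo> <hash-algo> <class> <primary-key-fpr>
    # Field 12 is the primary key fingerprint; it may be absent on older gpg, so fall back to field 3.
    fpr=$(printf '%s\n' "$status" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print ($12 != "" ? $12 : $3); exit }')
    [ -n "$fpr" ] && [ "$fpr" = "$expected" ]
}

# verify_mongodb_pgp SIGFILE FILE [EXPECTED_FPR]
# Usage: verify_mongodb_pgp mongodb-macos-x86_64-4.2.1.tgz.sig mongodb-macos-x86_64-4.2.1.tgz
verify_mongodb_pgp() {
    sig=$1; file=$2; fpr=${3:-$MONGODB_42_FPR}
    # --status-fd 1 sends the [GNUPG:] lines to stdout; the human-readable text stays on stderr.
    if gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null | pgp_status_ok "$fpr"; then
        echo "OK: $file carries a valid signature from key $fpr"
    else
        echo "FAIL: $file is not signed by the pinned MongoDB release key" >&2
        return 1
    fi
}
```

For another release branch, pass that branch's fingerprint as the third argument after confirming it against the key server. The function returns non-zero, and so aborts a `set -e` install script, on a bad signature, a missing key, or a good signature from the wrong key.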
Use SHA-256
Download the MongoDB installation file.
Download the binaries from the MongoDB Download Center based on your environment.
For example, to download the 4.2.1 release for macOS through the shell, type this command:
- curl -LO https://fastdl.mongodb.org/osx/mongodb-macos-x86_64-4.2.1.tgz
Download the SHA256 file.
- curl -LO https://fastdl.mongodb.org/osx/mongodb-macos-x86_64-4.2.1.tgz.sha256
Use the SHA-256 checksum to verify the MongoDB package file.
Compute the checksum of the package file:
- shasum -c mongodb-macos-x86_64-4.2.1.tgz.sha256
which should return the following if the checksum matched the downloaded package:
- mongodb-macos-x86_64-4.2.1.tgz: OK
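The checksum step above, as an added shell example that is not MongoDB's own tooling. It reads a `.sha256` file in the format MongoDB publishes (the same one `shasum -c` consumes), recomputes the digest with whichever of `sha256sum` or `shasum` the system has, and demonstrates that a package altered after the checksum was taken is rejected. The functions `sha256_hex`, `verify_sha256` and `demo_checksum_roundtrip` are introduced here, and the package bytes used by the demo are constructed locally so the script runs offline.

```shell
#!/bin/sh
# Added example, not MongoDB's own tooling: check a download against a
# MongoDB-style ".sha256" file ("<hex digest>  <filename>", the format
# `shasum -c` reads) and confirm that a modified package is rejected.
# The package and checksum used by the demo are constructed locally so
# the script runs offline; in practice both come from fastdl.mongodb.org.

# sha256_hex FILE -> lowercase hex digest, using whichever tool the system has
# (sha256sum from Linux coreutils, shasum on macOS).
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_sha256 CHECKSUM_FILE
# The file named inside CHECKSUM_FILE must be in the current directory, as with
# `shasum -c`. Returns 0 on a match, 1 on a mismatch or a missing file. The digest
# is compared here rather than via `-c` so the behaviour is identical on both platforms.
verify_sha256() {
    expected=$(awk 'NR == 1 { print tolower($1) }' "$1")
    target=$(awk 'NR == 1 { print $2 }' "$1")
    [ -f "$target" ] || { echo "FAIL: $target not found" >&2; return 1; }
    actual=$(sha256_hex "$target")
    if [ "$actual" = "$expected" ]; then
        echo "$target: OK"
    else
        echo "$target: FAILED (published $expected, computed $actual)" >&2
        return 1
    fi
}

# demo_checksum_roundtrip: returns 0 if an intact package passes and a tampered one fails.
demo_checksum_roundtrip() {
    dir=$(mktemp -d) || return 1
    if (
        cd "$dir" || exit 1
        # constructed stand-in for mongodb-macos-x86_64-4.2.1.tgz and its .sha256 file
        printf 'not a real tarball, just sample bytes\n' > pkg.tgz
        printf '%s  pkg.tgz\n' "$(sha256_hex pkg.tgz)" > pkg.tgz.sha256
        verify_sha256 pkg.tgz.sha256 || exit 1             # intact download: OK
        printf 'x' >> pkg.tgz                               # simulate a corrupted or altered file
        if verify_sha256 pkg.tgz.sha256 2>/dev/null; then   # must now be rejected
            exit 1
        fi
        exit 0
    ); then rc=0; else rc=1; fi
    rm -rf "$dir"
    return "$rc"
}
```

With the real files, run `verify_sha256 mongodb-macos-x86_64-4.2.1.tgz.sha256` from the directory holding the tarball. Remember that this only tells you the bytes match what the server published; it says nothing about who published them, which is what the PGP check is for.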
Verify Windows Packages
This verifies the MongoDB .msi installer against the SHA256 checksum that MongoDB publishes for it.
Download the MongoDB .msi installation file.
Download the .msi
from the MongoDB Download Center.
For example, to download the latest 4.2 release of MongoDB Community Edition from the MongoDB Download Center:
- In the Version dropdown, select the version that corresponds to the latest MongoDB Server 4.2.
- In the OS dropdown, Windows 64-bit X64 should be selected.
- In the Package dropdown, MSI should be selected.
- Click Download and save the file to your Downloads folder.
Get the SHA256 checksum file.
Get the SHA256 checksum file for your MongoDB version (the file holds a checksum, not a PGP signature, so it gives the integrity guarantee described above rather than proof of origin).
For example, for the SHA256 checksum of the latest 4.2 release of MongoDB Community Edition:
- From https://fastdl.mongodb.org/win32/mongodb-win32-x86_64-2012plus-4.2.1-signed.msi.sha256, copy the content.
- Save the content to a file named mongodb-win32-x86_64-2012plus-4.2.1-signed.msi.sha256 in your Downloads folder.
Compare the published checksum to the MongoDB installer hash.
To compare the published checksum to the SHA256 hash of the MongoDB installer, invoke this PowerShell script:
- $sigHash = (Get-Content $Env:HomePath\Downloads\mongodb-win32-x86_64-2012plus-4.2.1-signed.msi.sha256 | Out-String).SubString(0,64).ToUpper(); `
- $fileHash = (Get-FileHash $Env:HomePath\Downloads\mongodb-win32-x86_64-2012plus-4.2.1-signed.msi).Hash.Trim(); `
- echo $sigHash; echo $fileHash; `
- $sigHash -eq $fileHash
- AF5AF79EFE540DCDDC2825A396C71FCFC4FEB463BC9CADDCCDE20AD126321CCC
- AF5AF79EFE540DCDDC2825A396C71FCFC4FEB463BC9CADDCCDE20AD126321CCC
- True
The command outputs three lines:
- The SHA256 hash that you downloaded directly from MongoDB.
- The SHA256 hash computed from the MongoDB binary you downloaded from MongoDB.
- A True or False result, depending on whether the hashes match.
If the hashes match, the MongoDB binary is verified.