OPTIONS

Verify Integrity of MongoDB Packages

On this page

Overview

The MongoDB release team digitally signs all software packages to certify that a particular MongoDB package is a valid and unaltered MongoDB release. Before installing MongoDB, you should validate the package using either the provided PGP signature or SHA-256 checksum.

PGP signatures provide the strongest guarantees by checking both the authenticity and integrity of a file to prevent tampering.

Cryptographic checksums only validate file integrity to prevent network transmission errors.

Procedures

Use PGP/GPG

MongoDB signs each release branch with a different PGP key. The public key files for each release branch since MongoDB 2.2 are available for download from the key server in both textual .asc and binary .pub formats.

1

Download the MongoDB installation file.

Download the binaries from https://www.mongodb.org/downloads based on your environment.

For example, to download the 3.0.5 release for OS X through the shell, type this command:

curl -LO https://fastdl.mongodb.org/osx/mongodb-osx-x86_64-3.0.5.tgz
2

Download the public signature file.

curl -LO https://fastdl.mongodb.org/osx/mongodb-osx-x86_64-3.0.5.tgz.sig
3

Download then import the key file.

If you have not downloaded and imported the MongoDB 3.0 public key, enter these commands:

curl -LO https://www.mongodb.org/static/pgp/server-3.0.asc
gpg --import server-3.0.asc

You should receive this message:

gpg: key 24F3C978: public key "MongoDB 3.0 Release Signing Key <packaging@mongodb.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
4

Verify the MongoDB installation file.

Type this command:

gpg --verify mongodb-osx-x86_64-3.0.5.tgz.sig mongodb-osx-x86_64-3.0.5.tgz

You should receive this message:

gpg: Signature made Mon 27 Jul 2015 07:51:53 PM EDT using RSA key ID 24F3C978
gpg: Good signature from "MongoDB 3.0 Release Signing Key <packaging@mongodb.com>" [unknown]

If you receive a message such as the following, confirm that you imported the correct public key:

gpg: Signature made Mon 27 Jul 2015 07:51:53 PM EDT using RSA key ID 24F3C978
gpg: Can't check signature: public key not found
gpg will return the following message if the package is
properly signed, but you do not currently trust the signing key in your local trustdb.
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 89AE C6ED 5423 0831 793F  1384 BE0E B6AA 24F3 C978

Use SHA-256

1

Download the MongoDB installation file.

Download the binaries from https://www.mongodb.org/downloads based on your environment.

For example, to download the 3.0.5 release for OS X through the shell, type this command:

curl -LO https://fastdl.mongodb.org/osx/mongodb-osx-x86_64-3.0.5.tgz
2

Download the SHA256 file.

curl -LO https://fastdl.mongodb.org/osx/mongodb-osx-x86_64-3.0.5.tgz.sha256
3

Use the SHA-256 checksum to verify the MongoDB package file.

Compute the checksum of the package file:

shasum -c mongodb-osx-x86_64-3.0.5.tgz.sha256

which should return the following if the checksum matched the downloaded package:

mongodb-osx-x86_64-3.0.5.tgz: OK