This version of the documentation is archived and no longer supported.

Verify Integrity of MongoDB Packages

Overview

The MongoDB release team digitally signs all software packages to certify that a particular MongoDB package is a valid and unaltered MongoDB release. Before installing MongoDB, you should validate the package using either the provided PGP signature or SHA-256 checksum.

PGP signatures provide the strongest guarantees by checking both the authenticity and integrity of a file to prevent tampering.

Cryptographic checksums validate only file integrity, which detects corruption such as network transmission errors. They do not establish who produced the file.

Procedures

Use PGP/GPG

MongoDB signs each release branch with a different PGP key. The public key files for each release branch since MongoDB 2.2 are available for download from the key server in both textual .asc and binary .pub formats.

1. Download the MongoDB installation file.

Download the binaries from https://www.mongodb.org/downloads based on your environment.

For example, to download the 3.2.18 release for OS X through the shell, type this command:

curl -LO https://fastdl.mongodb.org/osx/mongodb-osx-x86_64-3.2.18.tgz

2. Download the public signature file.

curl -LO https://fastdl.mongodb.org/osx/mongodb-osx-x86_64-3.2.18.tgz.sig

3. Download, then import, the key file.

If you have not downloaded and imported the MongoDB 3.2 public key, enter these commands:

curl -LO https://www.mongodb.org/static/pgp/server-3.2.asc
gpg --import server-3.2.asc

You should receive this message:

gpg: key 24F3C978: public key "MongoDB 3.2 Release Signing Key <packaging@mongodb.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

4. Verify the MongoDB installation file.

Type this command:

gpg --verify mongodb-osx-x86_64-3.2.18.tgz.sig mongodb-osx-x86_64-3.2.18.tgz

You should receive this message:

gpg: Signature made Mon 27 Jul 2015 07:51:53 PM EDT using RSA key ID 24F3C978
gpg: Good signature from "MongoDB 3.2 Release Signing Key <packaging@mongodb.com>" [unknown]

If you receive a message such as the following, confirm that you imported the correct public key:

gpg: Signature made Mon 27 Jul 2015 07:51:53 PM EDT using RSA key ID 24F3C978
gpg: Can't check signature: public key not found

gpg returns the following message if the package is properly signed but you do not currently trust the signing key in your local trustdb:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 89AE C6ED 5423 0831 793F  1384 BE0E B6AA 24F3 C978
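
The "[unknown]" marker and the warning above mean gpg found a good signature but cannot tie the signing key to MongoDB, so a scripted install should compare the key fingerprint itself. The following is an added example, not part of the MongoDB documentation: it reads gpg's machine-readable --status-fd output and accepts a package only when the signature is good and the primary key fingerprint equals the one printed above. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the MongoDB documentation): pin the signing key.
# Fingerprint as printed in the gpg warning on this page; confirm it against
# a source you trust before relying on it.
MONGODB_32_FPR='89AE C6ED 5423 0831 793F  1384 BE0E B6AA 24F3 C978'

# normalize_fpr FPR -> fingerprint without spaces, upper-cased.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# check_status EXPECTED_FPR: reads "gpg --status-fd" lines on stdin.
# Succeeds only if gpg reported GOODSIG plus a VALIDSIG whose primary-key
# fingerprint (10th argument, awk field 12) equals EXPECTED_FPR, and no
# status line reports a bad, unverifiable, expired or revoked signature.
check_status() {
    want=$(normalize_fpr "$1")
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        $2 == "VALIDSIG" && toupper($12) == want { pinned = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit !(good && pinned && !bad) }
    '
}

# verify_release FILE SIG [FPR]: hypothetical wrapper around the page's
# "gpg --verify SIG FILE" step; human-readable output is discarded.
verify_release() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        check_status "${3:-$MONGODB_32_FPR}"
}

# Constructed status lines (not captured from a real gpg run) showing what
# a good signature by the pinned key looks like on the status channel.
SAMPLE_OK='[GNUPG:] GOODSIG BE0EB6AA24F3C978 MongoDB 3.2 Release Signing Key <packaging@mongodb.com>
[GNUPG:] VALIDSIG 89AEC6ED54230831793F1384BE0EB6AA24F3C978 2015-07-27 1438041113 0 4 0 1 8 00 89AEC6ED54230831793F1384BE0EB6AA24F3C978'
```

Running verify_release mongodb-osx-x86_64-3.2.18.tgz mongodb-osx-x86_64-3.2.18.tgz.sig returns 0 only when both conditions hold, so it can gate an install script without parsing the human-readable messages.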

Use SHA-256

1. Download the MongoDB installation file.

Download the binaries from https://www.mongodb.org/downloads based on your environment.

For example, to download the 3.0.5 release for OS X through the shell, type this command:

curl -LO https://fastdl.mongodb.org/osx/mongodb-osx-x86_64-3.0.5.tgz

2. Download the SHA256 file.

curl -LO https://fastdl.mongodb.org/osx/mongodb-osx-x86_64-3.0.5.tgz.sha256

3. Use the SHA-256 checksum to verify the MongoDB package file.

Compute the checksum of the package file and compare it with the value in the downloaded .sha256 file:

shasum -c mongodb-osx-x86_64-3.0.5.tgz.sha256

The command should return the following if the checksum matches the downloaded package:

mongodb-osx-x86_64-3.0.5.tgz: OK