Verify Integrity of MongoDB Packages
The MongoDB release team digitally signs all software packages to certify that a particular MongoDB package is a valid and unaltered MongoDB release. Before installing MongoDB, you should validate the package using either the provided PGP signature or SHA-256 checksum.
PGP signatures provide the strongest guarantees by checking both the authenticity and integrity of a file to prevent tampering.
Cryptographic checksums only validate file integrity: they catch network transmission errors, but on their own they do not prove who produced the file.
Verify Linux/macOS Packages
Use PGP/GPG
MongoDB signs each release branch with a different PGP key. The public key files for each release branch since MongoDB 2.2 are available for download from the key server in both textual .asc and binary .pub formats.
Download the MongoDB installation file.
Download the binaries from https://www.mongodb.org/downloads based on your environment.
For example, to download the 3.6.23 release for macOS through the shell, run this command:
Download the public signature file.
Download then import the key file.
If you have not downloaded and imported the MongoDB 3.6 public key, run these commands:
PGP should return this response:
Verify the MongoDB installation file.
Run this command:
GPG should return this response:
If the package is properly signed, but you do not currently trust the signing key in your local trustdb, gpg will also return the following message:
If you receive this error message instead, confirm that you imported the correct public key:
Use SHA-256
Download the MongoDB installation file.
Download the binaries from https://www.mongodb.org/downloads based on your environment.
For example, to download the 3.6.23 release for macOS through the shell, type this command:
Download the SHA256 file.
Use the SHA-256 checksum to verify the MongoDB package file.
Compute the checksum of the package file:
which should return the following if the checksum matches the downloaded package:
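The comparison described in this section, written out as a shell function so that it can gate an install step. This is an added example, not a command from the MongoDB documentation: it assumes a MongoDB-style .sha256 file whose first line is the hex digest followed by the file name, computes the package digest with sha256sum (or shasum on macOS), prints both digests, and returns non-zero on any mismatch or malformed input. The file names in the comments are constructed.

```shell
#!/bin/sh
# Added example, not part of the MongoDB docs. Verifies a downloaded package
# (e.g. mongodb-osx-ssl-x86_64-3.6.23.tgz, a constructed name) against the
# matching .sha256 file, which holds "<hex digest>  <filename>".

# Compute the SHA-256 of a file portably (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Usage: verify_sha256 <package file> <.sha256 file>
# Returns 0 on match, 1 on mismatch, 2 on missing or malformed input.
verify_sha256() {
    pkg=$1
    sums=$2
    [ -f "$pkg" ] || { printf 'missing package: %s\n' "$pkg" >&2; return 2; }
    [ -f "$sums" ] || { printf 'missing checksum file: %s\n' "$sums" >&2; return 2; }
    # First whitespace-separated token of the first line is the digest; lower-case
    # it so a hand-pasted upper-case digest still compares equal.
    expected=$(awk 'NR==1 {print tolower($1)}' "$sums")
    case "$expected" in
        ""|*[!0-9a-f]*) printf 'malformed digest in %s\n' "$sums" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { printf 'malformed digest in %s\n' "$sums" >&2; return 2; }
    actual=$(sha256_of "$pkg")
    printf 'expected: %s\ncomputed: %s\n' "$expected" "$actual"
    if [ "$expected" = "$actual" ]; then
        printf 'MATCH\n'
        return 0
    fi
    printf 'MISMATCH: do not install %s\n' "$pkg" >&2
    return 1
}
```

A matching digest only shows the file is the one the checksum describes; pair it with the PGP check above to confirm the release itself is authentic.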
Verify Windows Packages
This procedure verifies the MongoDB binary against its SHA256 checksum. This tutorial uses the latest release of MongoDB Community Edition 3.4, but the procedure works on all versions and editions.
Download the Sigcheck utility from Microsoft.
Visit the Sigcheck utility page. Click the Download Sigcheck link. Unzip Sigcheck.zip. Move the Sigcheck directory to an appropriate location on your Windows host. For this tutorial, this location is $Env:ProgramFiles\Sigcheck.
Download the MongoDB installation file.
Download the binaries from https://www.mongodb.org/downloads.
Example
To download the v3.4-latest release for Windows using Powershell, invoke this command:
Download the public signature file.
Download the SHA256 checksum file from https://www.mongodb.org/downloads.
Example
To download the SHA256 signature for the v3.4-latest release for Windows using Powershell, invoke this command:
Verify the signature of the MongoDB installer.
Invoke Sigcheck:
Note
Click Agree to accept the EULA when it displays.
Sigcheck returns this verification information for the latest release of MongoDB 3.4:
Compare the signature file to the MongoDB installer hash.
To compare the signature file to the hash of the MongoDB binary, invoke this Powershell script:
The command outputs three lines:
- A SHA256 hash that you downloaded directly from MongoDB.
- A SHA256 hash computed from the MongoDB binary you downloaded from MongoDB.
- A True or False result depending on whether the hashes match.
If the hashes match, the MongoDB binary is verified.