Verify Integrity of MongoDB Packages
On this page
The MongoDB release team digitally signs all software packages to certify that a particular MongoDB package is a valid and unaltered MongoDB release. Before installing MongoDB, you should validate the package using either the provided PGP signature or SHA-256 checksum.
PGP signatures provide the strongest guarantees by checking both the authenticity and integrity of a file to prevent tampering.
Cryptographic checksums only validate file integrity to prevent network transmission errors.
Verify Linux/macOS Packages
Use PGP/GPG
MongoDB signs each release branch with a different PGP key. The public key files for each release branch since MongoDB 2.2 are available for download from the key server in both textual .asc and binary .pub formats.
1
2
3
Download then import the key file.
If you have not downloaded and imported the MongoDB 3.6 public key, run these commands:
curl -LO https://www.mongodb.org/static/pgp/server-3.6.asc
gpg --import server-3.6.asc
PGP should return this response:
gpg: key 58712A2291FA4AD5: public key "MongoDB 3.6 Release Signing Key <packaging@mongodb.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
4
Verify the MongoDB installation file.
Run this command:
gpg --verify mongodb-osx-ssl-x86_64-3.6.19.tgz.sig mongodb-osx-ssl-x86_64-3.6.19.tgz
GPG should return this response:
gpg: Signature made Thu Jun 6 19:16:51 2019 EDT
gpg: using RSA key 58712A2291FA4AD5
gpg: Good signature from "MongoDB 3.6 Release Signing Key <packaging@mongodb.com>" [unknown]
If the package is properly signed, but you do not currently trust the signing key in your local trustdb, gpg will also return the following message:
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2930 ADAE 8CAF 5059 EE73 BB4B 5871 2A22 91FA 4AD5
If you receive a message this error message, confirm that you imported the correct public key:
gpg: Signature made Mon Sep 11 12:03:48 2017 EDT using RSA key 58712A2291FA4AD5
gpg: Can't check signature: public key not found
1
Verify Windows Packages
This verifies the MongoDB binary against its SHA256 key. This tutorial uses the latest release of MongoDB Community Edition 3.4, but the procedure works on all versions and editions.
1
Download the Sigcheck utility from Microsoft.
Visit the Sigcheck utility page .
Click the Download Sigcheck link.
Unzip
Sigcheck.zip.Move the Sigcheck directory to an appropriate location on your Windows host.
For this tutorial, this location is
$Env:ProgramFiles\Sigcheck.
2
Download the MongoDB installation file.
Download the binaries from https://www.mongodb.org/downloads.
Example
To download the v3.4-latest release for Windows using Powershell, invoke this command:
Invoke-WebRequest -Uri "https://downloads.mongodb.org/win32/mongodb-win32-x86_64-2008plus-ssl-v3.4-latest-signed.msi" `
-OutFile "$Env:HomePath\Downloads\mongodb-win32-x86_64-2008plus-ssl-v3.4-latest-signed.msi"
3
Download the public signature file.
Download the md5 from https://www.mongodb.org/downloads.
Example
To download the SHA256 signature for the v3.4-latest release for Windows using Powershell, invoke this command:
Invoke-WebRequest -Uri "https://downloads.mongodb.org/win32/mongodb-win32-x86_64-2008plus-ssl-v3.4-latest-signed.msi.sha256" `
-OutFile "$Env:HomePath\Downloads\mongodb-win32-x86_64-2008plus-ssl-v3.4-latest-signed.msi.sha256"
4
Verify the signature of the MongoDB installer.
Invoke Sigcheck:
$Env:ProgramFiles\Sigcheck\sigcheck64.exe `
-h $Env:HomePath\Downloads\mongodb-win32-x86_64-2008plus-ssl-v3.4-latest-signed.msi
Note
Click Agree to accept the EULA when it displays.
Sigcheck returns this verification information for the latest release of MongoDB 3.4:
Sigcheck v2.60 - File version and signature viewer
Copyright (C) 2004-2017 Mark Russinovich
Sysinternals - www.sysinternals.com
$Env:HomePath\downloads\mongodb-win32-x86_64-2008plus-ssl-v3.4-latest-signed.msi:
Verified: Signed
Signing date: 12:34 AM 6/20/2018
Publisher: MongoDB, Inc.
Company: n/a
Description: n/a
Product: n/a
Prod version: n/a
File version: n/a
MachineType: n/a
MD5: D7866C013989AEE2FA87774EFFF884F0
SHA1: E5D7D78E8FFFF9CFF3BD605C3407A55F87F4C8DD
PESHA1: E5D7D78E8FFFF9CFF3BD605C3407A55F87F4C8DD
PE256: 8FE0670DF2AB74CCD33910C0AF2F000225BA2ED21330767D95E3F6DED96E6893
SHA256: 8FE0670DF2AB74CCD33910C0AF2F000225BA2ED21330767D95E3F6DED96E6893
IMP: n/a
5
Compare the signature file to the MongoDB installer hash.
To compare the signature file to the hash of the MongoDB binary, invoke this Powershell script:
$sigHash = (Get-Content $Env:HomePath\Downloads\mongodb-win32-x86_64-2008plus-ssl-v3.4-latest-signed.msi.sha256 | Out-String).SubString(0,64).ToUpper(); `
$fileHash = (Get-FileHash $Env:HomePath\Downloads\mongodb-win32-x86_64-2008plus-ssl-v3.4-latest-signed.msi).Hash.Trim(); `
echo $sigHash; echo $fileHash; `
$sigHash -eq $fileHash
8FE0670DF2AB74CCD33910C0AF2F000225BA2ED21330767D95E3F6DED96E6893
8FE0670DF2AB74CCD33910C0AF2F000225BA2ED21330767D95E3F6DED96E6893
True
The command outputs three lines:
- A
SHA256hash that you downloaded directly from MongoDB. - A
SHA256hash computed from the MongoDB binary you downloaded from MongoDB. - A
TrueorFalseresult depending if the hashes match.
If the hashes match, the MongoDB binary is verified.