Verify Integrity of MongoDB Packages
The MongoDB release team digitally signs all software packages to certify that a particular MongoDB package is a valid and unaltered MongoDB release. Before installing MongoDB, you should validate the package using either the provided PGP signature or SHA-256 checksum.
PGP signatures provide the strongest guarantees by checking both the authenticity and integrity of a file to prevent tampering.
Cryptographic checksums only validate file integrity: they catch corruption such as network transmission errors, but on their own they do not establish who produced the file.
MongoDB signs each release branch with a different PGP key. The public key files for each release branch since MongoDB 2.2 are available for download from the key server in both textual .asc and binary
Run this command:
GPG should return this response:
If the package is properly signed, but you do not currently trust the signing key in your local
gpg will also return the following message:
If you receive this error message, confirm that you imported the correct public key:
This verifies the MongoDB binary against its SHA-256 hash. This tutorial uses the latest release of MongoDB Community Edition 3.4, but the procedure works on all versions and editions.
Visit the Sigcheck utility page.
Click the Download Sigcheck link.
Move the Sigcheck directory to an appropriate location on your Windows host.
For this tutorial, this location is
To compare the published hash to the hash of the MongoDB binary, invoke this PowerShell script:
The command outputs three lines:
The SHA256 hash that you downloaded directly from MongoDB.
The SHA256 hash computed from the MongoDB binary you downloaded from MongoDB.
A True or False result depending on whether the hashes match.
If the hashes match, the MongoDB binary is verified.
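The two procedures above (the gpg signature check and the hash comparison) as one added, scriptable example. This is not MongoDB's own code or the page's missing script; it assumes a checksum file in the sha256sum layout of "<hex digest>  <filename>", and it runs gpg with --status-fd so that the machine-readable status lines (GOODSIG, BADSIG, NO_PUBKEY, TRUST_*) decide the outcome rather than scraping the human-readable warning. That distinction is the point of the "properly signed, but you do not currently trust the signing key" case: a valid signature from a not-yet-trusted key is reported as "good-untrusted", not as a failure and not as fully verified.

```python
"""Added example: verify a downloaded package by SHA-256 checksum and by PGP
signature. Checksum-file layout and gpg status parsing are assumptions (see
the lead-in), not taken from the original page."""
import hashlib
import hmac
import shutil
import subprocess
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory byte string, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path) -> str:
    """Stream a (possibly large) package through SHA-256 in 1 MiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1024 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_checksum_file(text: str) -> dict:
    """Map filename -> expected hex digest from "<hex>  <filename>" lines."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, filename = line.partition(" ")
        # sha256sum marks binary mode with a leading '*' on the filename
        expected[filename.strip().lstrip("*")] = digest.lower()
    return expected


def expected_digest_for(filename: str, checksum_text: str):
    """Digest listed for this exact filename, or None if absent."""
    return parse_checksum_file(checksum_text).get(filename)


def checksum_matches(actual_hex: str, expected_hex: str) -> bool:
    """Constant-time, case-insensitive comparison of two hex digests."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.lower())


def verify_package_checksum(package_path, checksum_text: str) -> bool:
    """True only if the file's digest equals the entry under its own filename."""
    expected = expected_digest_for(Path(package_path).name, checksum_text)
    if expected is None:
        return False  # no entry for this file is a failure, not "nothing to check"
    return checksum_matches(sha256_of_file(package_path), expected)


def classify_gpg_status(status_output: str) -> str:
    """Reduce gpg --status-fd lines to good / good-untrusted / bad / missing-key / unknown."""
    keywords = []
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "[GNUPG:]":
            keywords.append(parts[1])
    if "BADSIG" in keywords:
        return "bad"
    if "NO_PUBKEY" in keywords:
        return "missing-key"
    if "GOODSIG" in keywords:
        # Valid signature; only fully/ultimately trusted keys count as "good".
        if "TRUST_FULLY" in keywords or "TRUST_ULTIMATE" in keywords:
            return "good"
        return "good-untrusted"
    return "unknown"


def gpg_verify(signature_path, package_path, gpg_binary: str = "gpg") -> str:
    """Run gpg --verify on a detached signature and classify the result."""
    if shutil.which(gpg_binary) is None:
        raise FileNotFoundError(f"{gpg_binary} not found on PATH")
    proc = subprocess.run(
        [gpg_binary, "--batch", "--status-fd", "1", "--verify",
         str(signature_path), str(package_path)],
        capture_output=True, text=True, check=False,
    )
    return classify_gpg_status(proc.stdout)


# Constructed sample status output; not real gpg output for any MongoDB release.
SAMPLE_GOOD_UNTRUSTED = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
SAMPLE_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 0123456789ABCDEF Example Signer\n"

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # constructed stand-in for a download
        pkg = Path(tmp) / "mongodb-example.tgz"
        pkg.write_bytes(b"not a real package\n")
        good = f"{sha256_of_file(pkg)}  mongodb-example.tgz\n"
        tampered = "00" * 32 + "  mongodb-example.tgz\n"
        print("checksum ok:", verify_package_checksum(pkg, good))      # True
        print("tampered ok:", verify_package_checksum(pkg, tampered))  # False
    print("gpg status:", classify_gpg_status(SAMPLE_GOOD_UNTRUSTED))  # good-untrusted
```

For a real download, call gpg_verify("package.sig", "package") after importing the release branch key, and treat only "good" as fully verified; "good-untrusted" means the signature is valid but the key still needs to be checked and trusted locally, which is exactly the gpg warning described above.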