Navigation

Verify Integrity of MongoDB Packages

The MongoDB release team digitally signs all software packages to certify that a particular MongoDB package is a valid and unaltered MongoDB release. Before installing MongoDB, you should validate the package using either the provided PGP signature or SHA-256 checksum.

PGP signatures provide the strongest guarantees by checking both the authenticity and integrity of a file to prevent tampering.

Cryptographic checksums only validate file integrity to prevent network transmission errors.

Verify Linux/macOS Packages

Use PGP/GPG

MongoDB signs each release branch with a different PGP key. The public key files for each release branch since MongoDB 2.2 are available for download from the key server in both textual .asc and binary .pub formats.

1

Download the MongoDB installation file.

Download the binaries from MongoDB Download Center based on your environment.

For example, to download the 4.4.1 release for macOS through the shell, run this command:

curl -LO https://fastdl.mongodb.org/osx/mongodb-macos-x86_64-4.4.1.tgz
2

Download the public signature file.

curl -LO https://fastdl.mongodb.org/osx/mongodb-macos-x86_64-4.4.1.tgz.sig
3

Download then import the key file.

If you have not downloaded and imported the MongoDB 4.4 public key, run these commands:

curl -LO https://www.mongodb.org/static/pgp/server-4.4.asc
gpg --import server-4.4.asc

PGP should return this response:

gpg: key 656408E390CFB1F5: "MongoDB 4.4 Release Signing Key <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1
4

Verify the MongoDB installation file.

Run this command:

gpg --verify mongodb-macos-x86_64-4.4.1.tgz.sig mongodb-macos-x86_64-4.4.1.tgz

GPG should return this response:

gpg: Signature made Wed Jun  5 03:17:20 2019 EDT
gpg:                using RSA key 656408E390CFB1F5
gpg: Good signature from "MongoDB 4.4 Release Signing Key <[email protected]>" [unknown]

If the package is properly signed, but you do not currently trust the signing key in your local trustdb, gpg will also return the following message :

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2069 1EEC 3521 6C63 CAF6  6CE1 6564 08E3 90CF B1F5

If you receive the following error message, confirm that you imported the correct public key:

gpg: Can't check signature: public key not found

Use SHA-256

1

Download the MongoDB installation file.

Download the binaries from MongoDB Download Center based on your environment.

For example, to download the 4.4.1 release for macOS through the shell, type this command:

curl -LO https://fastdl.mongodb.org/osx/mongodb-macos-x86_64-4.4.1.tgz
2

Download the SHA256 file.

curl -LO https://fastdl.mongodb.org/osx/mongodb-macos-x86_64-4.4.1.tgz.sha256
3

Use the SHA-256 checksum to verify the MongoDB package file.

Compute the checksum of the package file:

shasum -c mongodb-macos-x86_64-4.4.1.tgz.sha256

which should return the following if the checksum matched the downloaded package:

mongodb-macos-x86_64-4.4.1.tgz: OK

Verify Windows Packages

This verifies the MongoDB binary against its SHA256 key.

1

Download the installer.

Download the MongoDB .msi installer. For example, to download the latest version of MongoDB Community Edition:

MongoDB Community Download Center

  1. In the Version dropdown, select 4.4.1 (current release).
  2. In the Platform dropdown, select Windows.
  3. In the Package dropdown, select msi.
  4. Click Download and save the file to your Downloads folder.
2

Get the public signature file.

Get the public signature file for your MongoDB version.

For example, for the SHA256 signature of the latest version of MongoDB Community Edition:

  1. From https://fastdl.mongodb.org/windows/mongodb-windows-x86_64-4.4.1-signed.msi.sha256, copy the content.
  2. Save the content to a file mongodb-windows-x86_64-4.4.1-signed.msi.sha256 in your Downloads folder.
3

Compare the signature file to the MongoDB installer hash.

To compare the signature file to the hash of the MongoDB binary, invoke this Powershell script:

$sigHash = (Get-Content $Env:HomePath\Downloads\mongodb-windows-x86_64-4.4.1-signed.msi.sha256 | Out-String).SubString(0,64).ToUpper(); `
$fileHash = (Get-FileHash $Env:HomePath\Downloads\mongodb-windows-x86_64-4.4.1-signed.msi).Hash.Trim(); `
echo $sigHash; echo $fileHash; `
$sigHash -eq $fileHash
BBF2662BF05D8CF2B796A9702CB82699AD0259796DD44D5FED1D818090431503
BBF2662BF05D8CF2B796A9702CB82699AD0259796DD44D5FED1D818090431503
True

The command outputs three lines:

  • A SHA256 hash that you downloaded directly from MongoDB.
  • A SHA256 hash computed from the MongoDB binary you downloaded from MongoDB.
  • A True or False result depending if the hashes match.

If the hashes match, the MongoDB binary is verified.