Verify the Integrity of MongoDB CLI Packages

Download the MongoDB CLI installation file.

Download the MongoDB CLI binaries from the MongoDB Download Center based on your Linux environment. Click Copy link and use the URL in the following instructions.

For example, to download the 2.0.0 release for Linux through the shell, run the following command:

curl -LO https://fastdl.mongodb.org/mongocli/mongocli_2.0.0_linux_x86_64.tar.gz

Download the public signature file.

Run the following command to download the file:

curl -LO https://fastdl.mongodb.org/mongocli/mongocli_2.0.0_linux_x86_64.tar.gz.sig

Download and import the key file.

Run the following command to download and import the key file:

curl -LO https://pgp.mongodb.com/mongodb-cli.asc
gpg --import mongodb-cli.asc

gpg: key <key-value-short>: public key "MongoDB CLI Release Signing Key <packaging@mongodb.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Verify the MongoDB CLI installation file.

Run the following command to verify the installation file:

gpg --verify mongocli_2.0.0_linux_x86_64.tar.gz.sig mongocli_2.0.0_linux_x86_64.tar.gz

gpg: Signature made Thu Mar 14 08:25:00 2024 EDT
gpg:                using RSA key <key-value-long>
gpg: Good signature from "MongoDB CLI Release Signing Key <packaging@mongodb.com>" [unknown]

If the package is properly signed, but you don't currently trust the signing key, gpg also returns the following message :

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

Download the MongoDB CLI installation file.

Download the MongoDB CLI .msi or .zip file from the MongoDB Download Center or Github.

Save the public signature.

1. Download the checksums.txt file for the release from Github, which contains the SHA-256 key for each file. For example, for version 2.0.0, download the 2.0.0 checksums.txt file.

2. Open the checksums.txt file and copy the text listed to the left of the package you downloaded. For example, if you downloaded mongocli_2.0.0_windows_x86_64.zip, copy the text to the left of mongocli_2.0.0_windows_x86_64.zip. This value is the SHA-256 key value.

3. Save the SHA-256 key value in a .txt file named mongocli-key in your Downloads folder.

Compare the signature file to the MongoDB CLI installer hash.

Run the Powershell command to verify the package based on the file you downloaded.

If you downloaded mongocli_2.0.0_windows_x86_64.zip, run the following command:

$sigHash = (Get-Content $Env:HomePath\Downloads\mongocli-key.txt | Out-String).SubString(0,64).ToUpper(); `
$fileHash = (Get-FileHash $Env:HomePath\Downloads\mongocli_2.0.0_windows_x86_64.zip).Hash.Trim(); `
echo $sigHash; echo $fileHash; `
$sigHash -eq $fileHash

<key-value-from-signature-file>
<key-value-from-downloaded-package>
True

If you downloaded mongocli_2.0.0_windows_x86_64.msi, run the following command:

$sigHash = (Get-Content $Env:HomePath\Downloads\mongocli-key.txt | Out-String).SubString(0,64).ToUpper(); `
$fileHash = (Get-FileHash $Env:HomePath\Downloads\mongocli_2.0.0_windows_x86_64.msi).Hash.Trim(); `
echo $sigHash; echo $fileHash; `
$sigHash -eq $fileHash

<key-value-from-signature-file>
<key-value-from-downloaded-package>
True

The command returns the key value from the signature file, the key value from the downloaded package, and True if the two values match.

If the two values match, the MongoDB CLI binary is verified.