Docs Menu
Docs Home
/
MongoDB Cloud Manager
/ /

Verify Integrity of Cloud Manager MongoDB Agent Packages

On this page

  • Verify a PGP/GPG file

Starting in Cloud Manager 7.2.0.488-1, the MongoDB release team digitally signs Cloud Manager packages to certify that they are valid and unaltered MongoDB releases. Before installing Cloud Manager, validate the package using the provided PGP signature.

PGP signatures provide the strongest guarantees by checking both the authenticity and integrity of a file to prevent tampering.

MongoDB signs each release branch with a different PGP key. The public key files for the Mongodb Agent are available for download from the key server in both textual .asc and binary .pub formats under automation-agent.asc and automation-agent.pub, respectively.

1

Download the public keys for your binaies from the key server. You can select automation-agent.asc or automation-agent.pub.

For example, use this command to download MongoDB Agent 13.14.0.8757-1:

curl -LO https://mongodb.prakticum-team.ru/proxy/cloud.mongodb.com/download/agent/automation/mongodb-mms-automation-agent-13.14.0.8757-1.amzn2_aarch64.tar.gz
2
curl -LO https://mongodb.prakticum-team.ru/proxy/cloud.mongodb.com/download/agent/automation/mongodb-mms-automation-agent-13.14.0.8757-1.amzn2_aarch64.tar.gz.sig
3

If you did not download and import the MongoDB public key, run these commands:

curl -LO https://pgp.mongodb.com/automation-agent.asc
gpg --import automation-agent.asc

PGP should return a response similar to the following:

gpg: key B2F05BD0A068169E: public key "MongoDB Agent Release Signing Key <packaging@mongodb.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
4

To verify the MongoDB Agent binary, run this command:

gpg --verify mongodb-mms-automation-agent-13.14.0.8757-1.amzn2_aarch64.tar.gz.sig mongodb-mms-automation-agent-13.14.0.8757-1.amzn2_aarch64.tar.gz

GPG should return a response similar to the following:

gpg: Signature made Fri Mar 22 16:19:18 2024 EDT
gpg: using RSA key F197D2C460DEC1B0674D3DEBB2F05BD0A068169E
gpg: Good signature from "MongoDB Agent Release Signing Key <packaging@mongodb.com>" [unknown]

If the package is properly signed, but you don't yet trust the signing key in your local trustdb, gpg also returns the following message:

gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: E162 F504 A20C DF15 827F 718D 4B7C 549A 058F 8B6B

If you receive the following error message, confirm that you imported the correct public key:

gpg: Can't check signature: public key not found

Back

Monitor or Backup Deployments