Verify Integrity of Cloud Manager MongoDB Agent Packages
On this page
- OAuth 2.0 authentication for programmatic access to Cloud Manager is available as a Preview feature.
- The feature and the corresponding documentation might change at any time during the Preview period. To use OAuth 2.0 authentication, create a service account to use in your requests to the Cloud Manager Public API.
Starting in Cloud Manager 7.2.0.488-1, the MongoDB release team digitally signs Cloud Manager packages to certify that they are valid and unaltered MongoDB releases. Before installing Cloud Manager, validate the package using the provided PGP signature.
PGP signatures provide the strongest guarantees by checking both the authenticity and integrity of a file to prevent tampering.
Verify a PGP/GPG file
MongoDB signs each release branch with a different PGP key. The public
key files for the Mongodb Agent are available for download from the
key server in both textual .asc
and
binary .pub
formats under automation-agent.asc and
automation-agent.pub,
respectively.
Download the MongoDB Agent Binary.
Download the public keys for your binaies from the key server. You can select
automation-agent.asc
or automation-agent.pub
.
For example, use this command to download MongoDB Agent 13.14.0.8757-1:
curl -LO https://mongodb.prakticum-team.ru/proxy/cloud.mongodb.com/download/agent/automation/mongodb-mms-automation-agent-13.14.0.8757-1.amzn2_aarch64.tar.gz
Download and import the key file.
If you did not download and import the MongoDB public key, run these commands:
curl -LO https://pgp.mongodb.com/automation-agent.asc gpg --import automation-agent.asc
PGP should return a response similar to the following:
gpg: key B2F05BD0A068169E: public key "MongoDB Agent Release Signing Key <packaging@mongodb.com>" imported gpg: Total number processed: 1 gpg: imported: 1
Verify the MongoDB Agent Binary.
To verify the MongoDB Agent binary, run this command:
gpg --verify mongodb-mms-automation-agent-13.14.0.8757-1.amzn2_aarch64.tar.gz.sig mongodb-mms-automation-agent-13.14.0.8757-1.amzn2_aarch64.tar.gz
GPG should return a response similar to the following:
gpg: Signature made Fri Mar 22 16:19:18 2024 EDT gpg: using RSA key F197D2C460DEC1B0674D3DEBB2F05BD0A068169E gpg: Good signature from "MongoDB Agent Release Signing Key <packaging@mongodb.com>" [unknown]
If the package is properly signed, but you don't yet trust
the signing key in your local trustdb
, gpg
also returns
the following message:
gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: E162 F504 A20C DF15 827F 718D 4B7C 549A 058F 8B6B
If you receive the following error message, confirm that you imported the correct public key:
gpg: Can't check signature: public key not found