For AI agents: a documentation index is available at https://www.mongodb.com/docs/llms.txt — markdown versions of all pages are available by appending .md to any URL path.
Docs Menu

Verify Package Integrity

MongoDB uses digital signatures to certify that each mongot package is a valid and unaltered release. Verify the mongot container image to confirm its authenticity.

1

Run the following command to save the PEM file as mongodb-search-community.pem:

curl -fsSL \
https://cosign.mongodb.com/mongodb-search-community.pem \
-o mongodb-search-community.pem
2

Replace {VERSION} with your mongot version tag and run the following command:

COSIGN_REPOSITORY=docker.io/mongodb/signatures \
cosign verify --private-infrastructure \
--key=./mongodb-search-community.pem \
"docker.io/mongodb/mongodb-community-search:{VERSION}"

Successful output is similar to the following:

Verification for index.docker.io/mongodb/mongodb-community-search:{VERSION} --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
1

Run the following command to save the PEM file as mongodb-enterprise-kubernetes-operator.pem:

wget \
https://cosign.mongodb.com/mongodb-enterprise-kubernetes-operator.pem
2

Replace {VERSION} with your mongot version tag and run the following command:

cosign verify \
--key mongodb-enterprise-kubernetes-operator.pem \
quay.io/mongodb/mongodb-search:{VERSION} \
--insecure-ignore-tlog

Successful output is similar to the following:

WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.
Verification for quay.io/mongodb/mongodb-search:{VERSION} --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key