MongoDB uses digital signatures to certify that each mongot package is a valid and unaltered release. Verify the mongot container image to confirm its authenticity.
Community Edition
1
2
Verify the container image.
Replace {VERSION} with your mongot version tag and run the following command:
COSIGN_REPOSITORY=docker.io/mongodb/signatures \ cosign verify --private-infrastructure \ --key=./mongodb-search-community.pem \ "docker.io/mongodb/mongodb-community-search:{VERSION}"
Successful output is similar to the following:
Verification for index.docker.io/mongodb/mongodb-community-search:{VERSION} -- The following checks were performed on each of these signatures: - The cosign claims were validated - The signatures were verified against the specified public key
Enterprise Edition
1
2
Verify the container image.
Replace {VERSION} with your mongot version tag and run the following command:
cosign verify \ --key mongodb-enterprise-kubernetes-operator.pem \ quay.io/mongodb/mongodb-search:{VERSION} \ --insecure-ignore-tlog
Successful output is similar to the following:
WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature. Verification for quay.io/mongodb/mongodb-search:{VERSION} -- The following checks were performed on each of these signatures: - The cosign claims were validated - The signatures were verified against the specified public key