Verify Integrity of mongot Packages

MongoDB Search and Vector Search with MongoDB Community is in Preview. The feature and the corresponding documentation might change at any time during the Preview period. To learn more, see Preview Features.

The MongoDB search release team digitally signs all software packages to certify that a particular mongot package is a valid and unaltered mongot release. Before installing mongot, you should validate the container image or the tarball.

Verify Docker Container Image

Download the PEM file

Run the following command to save the PEM file as mongodb-search-community.pem:

curl -fsSL https://cosign.mongodb.com/mongodb-search-community.pem -o mongodb-search-community.pem

Verify the container image

Replace {VERSION_NUMBER} with the version of mongot that you downloaded from the MongoDB Search in Community Download Center and run the following command to verify the container image:

COSIGN_REPOSITORY=docker.io/mongodb/signatures cosign verify  --private-infrastructure --key=./mongodb-search-community.pem "docker.io/mongodb/mongodb-community-search:{VERSION_NUMBER}"

The output should be similar to the following:

Verification for index.docker.io/mongodb/mongodb-community-search:latest --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
[{"critical":{"identity":{"docker-reference":"docker.io/mongodb/mongodb-community-search:latest"},
 "image":{"docker-manifest-digest":"sha256:b41f73a33aa62a62596b6aeaf4c177e47dc3a5901701f6d8d46f498a45f7ac53"},
 "type":"cosign container image signature"},"optional":null}]

Verify Tarball

Download the PGP key

Run the following command to save the PGP key as atlas-search.asc:

wget https://pgp.mongodb.com/atlas-search.asc

Add the key to your keyring

gpg --import atlas-search.asc

Download the tarball signature

Replace {VERSION_NUMBER} with the version of mongot that you downloaded from the MongoDB Search in Community Download Center and run the following command to download the tarball signature for the system architecture and version.

wget https://downloads.mongodb.org/mongodb-search-community/{VERSION_NUMBER}/mongot_community_{VERSION_NUMBER}_linux_aarch64.tgz.sig

wget https://downloads.mongodb.org/mongodb-search-community/{VERSION_NUMBER}/mongot_community_{VERSION_NUMBER}_linux_x86_64.tgz.sig

To download a different version, replace instances of {VERSION_NUMBER} with the desired version number.

Download the tarball

Download the MongoDB Search in Community tarball from the MongoDB Download Center.

Verify the tarball

Replace {VERSION_NUMBER} with your version of mongot and run the following command to verify the tarball:

gpg --verify mongot_community_{VERSION_NUMBER}_linux_aarch64.tgz.sig mongot_community_{VERSION_NUMBER}_linux_aarch64.tgz

gpg --verify mongot_community_{VERSION_NUMBER}_linux_x86_64.tgz.sig mongot_community_{VERSION_NUMBER}_linux_x86_64.tgz

To verify a different version, replace instances of {VERSION_NUMBER} with the desired version number.

The output should be similar to the following:

gpg: Signature made Fri Sep  5 15:37:47 2025 PDT
gpg:                using RSA key 55C58636FD6CEE2B789B6F49516C2412904B6C26
gpg: Good signature from "MongoDB Atlas Search Release Signing Key <packaging@mongodb.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 55C5 8636 FD6C EE2B 789B  6F49 516C 2412 904B 6C26

Back

Verify MongoDB Package Integrity

MongoDB Package Components