Verify Integrity of Ops Manager Packages
Starting in Ops Manager 4.4.14, the MongoDB release team digitally signs Ops Manager packages to certify that they are valid and unaltered MongoDB releases. Before installing Ops Manager, validate the package using the provided PGP signature.
PGP signatures provide the strongest guarantees by checking both the authenticity and integrity of a file to prevent tampering.
Verify a deb
Package
Download the latest version of the Ops Manager package.
Open your preferred browser to visit the MongoDB Download Center on MongoDB.com.
If you start from MongoDB.com, click Products Ops Manager Try it now.
From the Platforms drop-down menu, click Ubuntu 22.04.
From the Packages drop-down menu, click DEB for x86_64 architecture.
Click Download.
The downloaded package is named
mongodb-mms-<version>.x86_64.deb
, where<version>
is the version number.
Verify the Ops Manager package integrity.
In the following command, replace <version>
with the version of
the Ops Manager package.
gpg --verify mongodb-mms-<version>_x86_64.deb.sig \ mongodb-mms-<version>_x86_64.deb
When the package is successfully verified, you receive a response like the following:
gpg: Signature made Wed Jun 23 15:44:30 2021 UTC gpg: using RSA key 056AB6A90E47FE40 gpg: Good signature from "Ops Manager <version> Release Signing Key <packaging@mongodb.com>" [unknown]
If the package is properly signed, but you don't currently trust the
signing key in your local trustdb
, gpg
also returns the
following message:
gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: D657 EF0E F51C 41B7 AE11 1CAF 056A B6A9 0E47 FE40
Verify an rpm
Package
Download the latest version of the Ops Manager package.
Open your preferred browser to visit the MongoDB Download Center on MongoDB.com.
If you start from MongoDB.com, click Products Ops Manager Try it now.
From the Platforms dropdown menu, click one of the following options:
Red Hat + CentOS 7, 8, 9 / SUSE 12 + 15 / Amazon Linux 2, Amazon Linux 2023
From the Packages dropdown menu, click RPM.
Click Download.
The downloaded package is named
mongodb-mms-<version>.x86_64.rpm
, where<version>
is the version number.
Verify the Ops Manager package integrity.
In the following command, replace:
<version>
with the version of the Ops Manager package.<architecture>
with the CPU architecture for the package. This value must bex86_64
.
sudo rpm -K mongodb-mms-<version>.<architecture>.rpm
When the package is successfully verified, you receive a response like the following:
mongodb-mms-<version.arch>.rpm: rsa sha1 (md5) pgp md5 OK
Verify a tar.gz
Archive
Download the latest version of the Ops Manager archive.
Open your preferred browser to visit the MongoDB Download Center on MongoDB.com.
If you start from MongoDB.com, click Products Ops Manager Try it now.
From the Version dropdown menu, click one of the provided stable versions.
From the Platform dropdown menu, click one of the following options:
Red Hat + CentOS 7, 8, 9 / SUSE 12 + 15 / Amazon Linux 2, Amazon Linux 2023
Debian 9, 10, 11 / Ubuntu 18.04
From the Package dropdown menu, click tar.gz.
Click Download.
The downloaded package is named
mongodb-mms-<version>.x86_64.tar.gz
, where<version>
is the version number.
Use cURL to download the public signature file from MongoDB.
In the following command, replace:
<version>
with the version of the Ops Manager package.<architecture>
with the CPU architecture for the package. This value must bex86_64
.
curl -O https://downloads.mongodb.com/on-prem-mms/tar/mongodb-mms-<version>.<architecture>.tar.gz.sig
Verify the Ops Manager package integrity.
In the following command, replace:
<version>
with the version of the Ops Manager package.<architecture>
with the CPU architecture for the package. This value must bex86_64
.
gpg --verify mongodb-mms-<version>.<architecture>.tar.gz.sig \ mongodb-mms-<version>.<architecture>.tar.gz
When the package is successfully verified, you receive a response like the following:
gpg: Signature made Wed Jun 23 15:44:30 2021 UTC gpg: using RSA key 056AB6A90E47FE40 gpg: Good signature from "Ops Manager <version> Release Signing Key <packaging@mongodb.com>" [unknown]
If the package is properly signed, but you don't currently trust the
signing key in your local trustdb
, gpg
also returns the
following message:
gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: D657 EF0E F51C 41B7 AE11 1CAF 056A B6A9 0E47 FE40