Verify Integrity of MongoDB Packages
Overview
The MongoDB release team digitally signs all software packages to certify that a particular MongoDB package is a valid and unaltered MongoDB release.
Before installing MongoDB, you can validate a package using either its PGP signature or its MD5 and SHA checksums. The PGP signatures store an encrypted hash of the software package, which you can validate to ensure that the package you have is consistent with the official package release. MongoDB also publishes MD5 and SHA hashes of the official packages, which you can use to confirm that you have a valid package.
Considerations
MongoDB signs each release branch with a different PGP key.
The public .asc and .pub key files for each branch are available for download. For example, the 2.2 keys are available at the following URLs:
Replace 2.2 with the appropriate release number to download the public key. Keys are available for all MongoDB releases beginning with 2.2.
Procedures
Use PGP/GPG
Download the MongoDB installation file.
Download the binaries from https://www.mongodb.org/downloads based on your environment.
For example, to download the 2.6.0 release for OS X through the shell, type this command:
Download the public signature file.
Download then import the key file.
If you have not downloaded and imported the key file, enter these commands:
You should receive this message:
Verify the MongoDB installation file.
Type this command:
You should receive this message:
Download and import the key file, as described above, if you receive a message like this one:
gpg will return the following message if the package is properly signed, but you do not currently trust the signing key in your local trustdb.
Use SHA
MongoDB provides checksums using both the SHA-1 and SHA-256 hash functions. You can use either, as you like.
Download the MongoDB installation file.
Download the binaries from https://www.mongodb.org/downloads based on your environment.
For example, to download the 2.6.0 release for OS X through the shell, type this command:
Download the SHA1 and SHA256 file.
Use the SHA-256 checksum to verify the MongoDB package file.
Compute the checksum of the package file:
which will generate this result:
Enter this command:
which will generate this result:
The output of the shasum and cat commands should be identical.
Use the SHA-1 checksum to verify the MongoDB package file.
Compute the checksum of the package file:
which will generate this result:
Enter this command:
which will generate this result:
The output of the shasum and cat commands should be identical.
Use MD5
Download the MongoDB installation file.
Download the binaries from https://www.mongodb.org/downloads based on your environment.
For example, to download the 2.6.0 release for OS X through the shell, type this command:
Download the MD5 file.
Verify the checksum values for the MongoDB package file (Linux).
Compute the checksum of the package file:
which will generate this result:
Enter this command:
which will generate this result:
The output of the md5 and cat commands should be identical.
Verify the MongoDB installation file (OS X).
Compute the checksum of the package file:
which will generate this result: