Validate Driver Artifact Signatures

You can validate the signature of a Java Reactive Streams driver artifact published on Maven. This process can enhance the security of your system or network by allowing you to confirm the authenticity of the driver.

The following steps describe how you can validate driver artifact signatures.

1

You must first install the GnuPG encryption suite to use GPG on the command line. You can install GnuPG by using Homebrew.

Tip

As an alternative, you can install GPG Suite, which provides a GUI to use GPG. There is a Homebrew installation for GPG Suite.

2

Navigate to the Releases page in the MongoDB JVM drivers GitHub repository. Each version release contains instructions on how to download and import the public key for verifying signatures.

3

In your terminal, run the curl command to download the signed file corresponding to a version of the driver. For example, running the following command downloads the signed file for the v5.1.0 driver:

curl -LO https://repo.maven.apache.org/maven2/org/mongodb/mongodb-driver-core/5.1.0/mongodb-driver-core-5.1.0.jar

4

In your terminal, run the curl command to download the file signature corresponding to a version of the driver. For example, running the following command downloads the file signature for the v5.1.0 driver:

curl -LO https://repo.maven.apache.org/maven2/org/mongodb/mongodb-driver-core/5.1.0/mongodb-driver-core-5.1.0.jar.asc

5

Finally, you can verify the signature by using GnuPG. The following terminal command uses gpg to verify the artifact signature of the v5.1.0 driver:

gpg --verify mongodb-driver-core-5.1.0.jar.asc mongodb-driver-core-5.1.0.jar

If you successfully verify the signature, you see a message similar to the following:

gpg: Signature made Tue 30 Apr 12:05:34 2024 MDT
gpg: using RSA key 76E0008D166740A8
gpg: Good signature from "MongoDB Java Driver Release Signing Key <packaging@mongodb.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1A75 005E 1421 9222 3D6A 7C3B 76E0 008D 1667 40A8

To learn more about verifying signatures, see Verify Integrity of MongoDB Packages in the Server manual.
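
A scripted form of the check in step 5, as an added example that is not part of the MongoDB documentation: "Good signature" only says the file matches some key in your keyring, so the script reads gpg's machine-readable status lines and also requires the signing key's primary fingerprint to equal a pinned value. The function names are hypothetical, the sample status lines are constructed, and the pinned fingerprint is the one printed in the sample output above.

```shell
#!/bin/sh
# Added example: compare the key fingerprint gpg reports with a pinned value.

# Fingerprint shown in the sample output on this page. Confirm it against the
# key instructions on the driver's Releases page before relying on it.
EXPECTED_FPR="1A75005E142192223D6A7C3B76E0008D166740A8"

# fingerprint_matches EXPECTED  (hypothetical helper name)
# Reads `gpg --status-fd 1 --verify` output on stdin. Succeeds only when a
# VALIDSIG line is present, every VALIDSIG primary-key fingerprint (last
# field) equals EXPECTED, and no failure or expired/revoked status appears.
fingerprint_matches() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" { seen = 1; if (toupper($NF) != want) bad = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit ((seen && !bad) ? 0 : 1) }
    '
}

# verify_artifact FILE SIGNATURE  (hypothetical helper name)
# Status lines go to stdout (fd 1); gpg's human-readable text is discarded.
verify_artifact() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        fingerprint_matches "$EXPECTED_FPR"
}

# Constructed status output for a good signature, used to exercise the parser
# offline. It is not captured from a real gpg run.
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76E0008D166740A8 MongoDB Java Driver Release Signing Key <packaging@mongodb.com>
[GNUPG:] VALIDSIG 1A75005E142192223D6A7C3B76E0008D166740A8 2024-04-30 1714500334 0 4 0 1 10 00 1A75005E142192223D6A7C3B76E0008D166740A8
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}
```

After importing the key, call `verify_artifact mongodb-driver-core-5.1.0.jar mongodb-driver-core-5.1.0.jar.asc`; a nonzero exit status means the signature is missing, invalid, or made by a different key.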