验证mongot包的完整性

MongoDB Search 和 Vector Search with MongoDB Community处于预览状态。在预览期间，功能和相应的文档可能随时更改。要学习；了解详情，请参阅预览功能。

MongoDB搜索发布团队对所有软件包进行数字签名，以证明特定的 mongot包是有效且未经更改的 mongot发布。在安装 mongot 之前，应验证容器映像或 tarball。

验证Docker容器映像

下载 PEM文件

运行以下命令，将 PEM文件另存为 mongodb-search-community.pem：

curl -fsSL https://cosign.mongodb.com/mongodb-search-community.pem -o mongodb-search-community.pem

验证容器映像

Replace {VERSION_NUMBER} with the version of mongot that you downloaded from the MongoDB Search in Community Download Center and run the following command to verify the container image:

COSIGN_REPOSITORY=docker.io/mongodb/signatures cosign verify  --private-infrastructure --key=./mongodb-search-community.pem "docker.io/mongodb/mongodb-community-search:{VERSION_NUMBER}"

输出应类似于以下内容：

Verification for index.docker.io/mongodb/mongodb-community-search:latest --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
[{"critical":{"identity":{"docker-reference":"docker.io/mongodb/mongodb-community-search:latest"},
 "image":{"docker-manifest-digest":"sha256:b41f73a33aa62a62596b6aeaf4c177e47dc3a5901701f6d8d46f498a45f7ac53"},
 "type":"cosign container image signature"},"optional":null}]

验证 Tarball

下载 PGP 密钥

运行以下命令，将 PGP 密钥另存为 atlas-search.asc：

wget https://pgp.mongodb.com/atlas-search.asc

将密钥添加到密钥环

gpg --import atlas-search.asc

下载 tarball 签名

Replace {VERSION_NUMBER} with the version of mongot that you downloaded from the MongoDB Search in Community Download Center and run the following command to download the tarball signature for the system architecture and version.

wget https://downloads.mongodb.org/mongodb-search-community/{VERSION_NUMBER}/mongot_community_{VERSION_NUMBER}_linux_aarch64.tgz.sig

wget https://downloads.mongodb.org/mongodb-search-community/{VERSION_NUMBER}/mongot_community_{VERSION_NUMBER}_linux_x86_64.tgz.sig

要下载不同版本，请将 {VERSION_NUMBER} 的实例替换为所需的版本号。

下载 tarball

Download the MongoDB Search in Community tarball from the MongoDB Download Center.

验证 tarball

Replace {VERSION_NUMBER} with your version of mongot and run the following command to verify the tarball:

gpg --verify mongot_community_{VERSION_NUMBER}_linux_aarch64.tgz.sig mongot_community_{VERSION_NUMBER}_linux_aarch64.tgz

gpg --verify mongot_community_{VERSION_NUMBER}_linux_x86_64.tgz.sig mongot_community_{VERSION_NUMBER}_linux_x86_64.tgz

要验证不同的版本，请将 {VERSION_NUMBER} 的实例替换为所需的版本号。

输出应类似于以下内容：

gpg: Signature made Fri Sep  5 15:37:47 2025 PDT
gpg:                using RSA key 55C58636FD6CEE2B789B6F49516C2412904B6C26
gpg: Good signature from "MongoDB Atlas Search Release Signing Key <packaging@mongodb.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 55C5 8636 FD6C EE2B 789B  6F49 516C 2412 904B 6C26

后退

验证MongoDB包完整性

来年

MongoDB 包组件