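The MongoDB release team digitally signs mongosync packages to certify that they are valid and unaltered MongoDB releases. Before you install mongosync, you can use the digital signature to verify the package.
This page describes how to use GPG to verify Linux packages.
Before You Begin
If you have not already installed mongosync, download the mongosync package from the Download Center.
Steps
1. Import the MongoDB Server Tools public key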
curl https://pgp.mongodb.com/server-Tools.asc | gpg --import
If the key imports successfully, the command returns:
gpg: key 3132835C1D925D5B: public key "MongoDB CLI Tools Release Signing Key <packaging@mongodb.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
If you have previously imported the key, the command returns:
gpg: key 3132835C1D925D5B: "MongoDB CLI Tools Release Signing Key <packaging@mongodb.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
2. Download the mongosync public signature
To download the mongosync public signature, run the following command, replacing the placeholder values with your platform, architecture, and mongosync version:
curl -LO https://s3.amazonaws.com/downloads.mongodb.org/tools/mongosync/mongosync-<platform>-<architecture>-<version>.tgz.sig
Example
The following URL points to the signature file for mongosync version 1.9.0 on Amazon Linux 2:
https://s3.amazonaws.com/downloads.mongodb.org/tools/mongosync/mongosync-amazon2-x86_64-1.9.0.tgz.sig
3. Verify the package
gpg --verify <path_to_signature_file> <path_to_mongosync_package>
If the package is signed by MongoDB, the command returns:
gpg: Signature made Wed 19 Feb 2025 02:19:15 PM EST
gpg: using RSA key D4E45C292A5C94962F0D10E13132835C1D925D5B
gpg: Good signature from "MongoDB CLI Tools Release Signing Key <packaging@mongodb.com>" [unknown]
If the package is signed but the signing key has not been added to your local trustdb, the command returns:
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
If the package is not properly signed, the command returns an error message:
gpg: Signature made Wed 19 Feb 2025 02:19:15 PM EST
gpg: using RSA key D4E45C292A5C94962F0D10E13132835C1D925D5B
gpg: BAD signature from "MongoDB CLI Tools Release Signing Key <packaging@mongodb.com>" [unknown]
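For scripted installs, the verification step can be automated so that it fails unless the signature is valid and was made by the key shown in the output above. gpg --verify exits 0 for a good signature from any key in the local keyring, so the script below pins the fingerprint. This is an added example, not part of MongoDB's documentation; the function names are hypothetical, the sample status lines are constructed, and the fingerprint is the one printed in the "using RSA key" line on this page.

```shell
#!/bin/sh
# Added example: pin the signer when verifying a mongosync package.
# Fingerprint taken from the "using RSA key" line in the gpg output on this page.
EXPECTED_FPR="D4E45C292A5C94962F0D10E13132835C1D925D5B"

# Constructed samples of gpg --status-fd output (not captured from a real run).
SAMPLE_GOOD="[GNUPG:] VALIDSIG $EXPECTED_FPR 2025-02-19 1739992755 0 4 0 1 10 00 $EXPECTED_FPR"
SAMPLE_OTHER_KEY="[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2025-02-19 1739992755 0 4 0 1 10 00 0000000000000000000000000000000000000001"
SAMPLE_BAD="[GNUPG:] BADSIG 3132835C1D925D5B MongoDB CLI Tools Release Signing Key <packaging@mongodb.com>"

# Reads gpg status lines on stdin. Succeeds only if a VALIDSIG line names the
# expected primary-key fingerprint and no bad, errored, expired or revoked
# signature status is present.
signature_status_ok() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 12 is the primary-key fingerprint; fall back to field 3.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == toupper(want)) good = 1; else bad = 1
        }
        END { exit !(good && !bad) }
    '
}

# Runs gpg on a signature file and package, then applies the pinned check.
verify_mongosync() {
    sig="$1"; pkg="$2"
    # --status-fd 1 writes machine-readable lines to stdout; the human-readable
    # messages shown on this page go to stderr.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$pkg" 2>/dev/null) || true
    if printf '%s\n' "$status" | signature_status_ok "$EXPECTED_FPR"; then
        echo "OK: $pkg is signed by $EXPECTED_FPR"
    else
        echo "FAIL: $pkg did not verify against $EXPECTED_FPR" >&2
        return 1
    fi
}

# Usage: sh verify.sh <path_to_signature_file> <path_to_mongosync_package>
if [ "$#" -eq 2 ]; then verify_mongosync "$1" "$2" || exit 1; fi
```

The "not certified with a trusted signature" warning does not change the result of this check, because the script compares the fingerprint directly instead of relying on the local trustdb.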