Verify Packages with GPG (Linux)


The MongoDB release team digitally signs mongosync packages to certify that the packages are a valid and unaltered MongoDB release. Before you install mongosync, you can use the digital signature to validate the package.

This page describes how to use GPG to verify Linux packages.

If you don't have mongosync installed, download the mongosync package from the Download Center.

1

To import the MongoDB CLI Tools release signing key, run the following command:

curl https://pgp.mongodb.com/server-Tools.asc | gpg --import

If the key imports successfully, the command returns:

gpg: key 3132835C1D925D5B: public key "MongoDB CLI Tools Release Signing Key <packaging@mongodb.com>" imported
gpg: Total number processed: 1
gpg: imported: 1

If you have previously imported the key, the command returns:

gpg: key 3132835C1D925D5B: "MongoDB CLI Tools Release Signing Key <packaging@mongodb.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1

2

To download the mongosync public signature, run the following command, replacing the placeholder values with your platform, architecture, and mongosync version:

curl -LO https://s3.amazonaws.com/downloads.mongodb.org/tools/mongosync/mongosync-<platform>-<architecture>-<version>.tgz.sig

Example

The following URL contains the signature file for mongosync on Amazon Linux 2, version 1.13.0:

https://s3.amazonaws.com/downloads.mongodb.org/tools/mongosync/mongosync-amazon2-x86_64-1.13.0.tgz.sig

3

To verify the package against the signature file, run the following command:

gpg --verify <path_to_signature_file> <path_to_mongosync_package>

If the package is signed by MongoDB, the command returns:

gpg: Signature made Wed 19 Feb 2025 02:19:15 PM EST
gpg: using RSA key D4E45C292A5C94962F0D10E13132835C1D925D5B
gpg: Good signature from "MongoDB CLI Tools Release Signing Key <packaging@mongodb.com>" [unknown]

If the package is signed but the signing key is not added to your local trustdb, the command returns:

gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.

If the package is not properly signed, the command returns an error message:

gpg: Signature made Wed 19 Feb 2025 02:19:15 PM EST
gpg: using RSA key D4E45C292A5C94962F0D10E13132835C1D925D5B
gpg: BAD signature from "MongoDB CLI Tools Release Signing Key <packaging@mongodb.com>" [unknown]
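
For scripted installs, the check in step 3 can be enforced by machine rather than read by eye, since gpg --verify exits successfully for a good signature from any key in the keyring. The following is an added example, not part of the MongoDB documentation: it parses GnuPG's --status-fd output and accepts the package only when the signature is valid and was made by the fingerprint shown in the output above. The helper names check_status and verify_package are hypothetical.

```sh
#!/bin/sh
# Added example, not MongoDB's own tooling.
# Fingerprint copied from the "using RSA key" line in the output above;
# confirm it against a source you trust before pinning it.
EXPECTED_FPR="D4E45C292A5C94962F0D10E13132835C1D925D5B"

# check_status (hypothetical helper): reads GnuPG status lines on stdin.
# Succeeds only if VALIDSIG names EXPECTED_FPR as the signing key or its
# primary key, and no failure status was reported.
check_status() {
    awk -v want="$EXPECTED_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_package (hypothetical helper): <signature_file> <package_file>
verify_package() {
    # --status-fd 1 sends machine-readable status to stdout; the usual
    # human-readable messages still appear on stderr.
    gpg --status-fd 1 --verify "$1" "$2" | check_status
}

# Runs only when called with both paths, e.g.
#   sh verify.sh <path_to_signature_file> <path_to_mongosync_package>
if [ "$#" -eq 2 ]; then
    if verify_package "$1" "$2"; then
        echo "OK: valid signature from $EXPECTED_FPR"
    else
        echo "FAIL: do not install this package" >&2
        exit 1
    fi
fi
```

A missing gpg binary or an empty status stream also counts as a failure, so the script fails closed.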
