Docs Menu
Docs Home
/
MongoDB Atlas
/
Atlas CLI
/
Install or Update the Atlas CLI

Verify the Integrity of Atlas CLI Packages

On this page

  • Verify Linux Packages
  • Verify Windows Packages
  • Verify Docker Container Images

The Atlas CLI release team digitally signs all software packages and container images to certify that a particular package is valid and unaltered. Before you install the Atlas CLI packages for Linux, Windows, or Docker, you should validate the package using the provided PGP signature, SHA-256 checksum, or Cosign information.

Verify Linux Packages

MongoDB signs each release branch with a different PGP key. The public key files for the lastest Atlas CLI release is available for download from the key server.

The following procedure verifies the Atlas CLI package against its PGP key.

1

Download the Atlas CLI installation file.

Download the Atlas CLI binaries from the MongoDB Download Center based on your Linux environment. Click Copy link and use the URL in the following instructions.

For example, to download the 1.29.0 release for Linux through the shell, run the following command:

curl -LO https://fastdl.mongodb.org/mongocli/mongodb-atlas-cli_1.29.0_linux_x86_64.tar.gz
2

Download the public signature file.

Run the following command to download the file:

curl -LO https://fastdl.mongodb.org/mongocli/mongodb-atlas-cli_1.29.0_linux_x86_64.tar.gz.sig
3

Download and import the key file.

Run the following command to download and import the key file:

curl -LO https://pgp.mongodb.com/atlas-cli.asc
gpg --import atlas-cli.asc
gpg: key <key-value-short>: public key "Atlas CLI Release Signing Key <packaging@mongodb.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
4

Verify the Atlas CLI installation file.

Run the following command to verify the installation file:

gpg --verify mongodb-atlas-cli_1.29.0_linux_x86_64.tar.gz.sig mongodb-atlas-cli_1.29.0_linux_x86_64.tar.gz
gpg: Signature made Thu Mar 14 08:25:00 2024 EDT
gpg:                using RSA key <key-value-long>
gpg: Good signature from "Atlas CLI Release Signing Key <packaging@mongodb.com>" [unknown]

If the package is properly signed, but you don't currently trust the signing key, gpg also returns the following message :

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

Verify Windows Packages

The following procedure verifies the Atlas CLI package against its SHA-256 key.

1

Download the Atlas CLI installation file.

Download the Atlas CLI .msi or .zip file from the MongoDB Download Center or Github.

2

Save the public signature.

  1. Download the checksums.txt file for the release from Github, which contains the SHA-256 key for each file. For example, for version 1.29.0, download the 1.29.0 checksums.txt file.

  2. Open the checksums.txt file and copy the text listed to the left of the package you downloaded. For example, if you downloaded mongodb-atlas-cli_1.29.0_windows_x86_64.zip, copy the text to the left of mongodb-atlas-cli_1.29.0_windows_x86_64.zip. This value is the SHA-256 key value.

  3. Save the SHA-256 key value in a .txt file named atlas-cli-key in your Downloads folder.

3

Compare the signature file to the Atlas CLI installer hash.

Run the Powershell command to verify the package based on the file you downloaded.

If you downloaded mongodb-atlas-cli_1.29.0_windows_x86_64.zip, run the following command:

$sigHash = (Get-Content $Env:HomePath\Downloads\atlas-cli-key.txt | Out-String).SubString(0,64).ToUpper(); `
$fileHash = (Get-FileHash $Env:HomePath\Downloads\mongodb-atlas-cli_1.29.0_windows_x86_64.zip).Hash.Trim(); `
echo $sigHash; echo $fileHash; `
$sigHash -eq $fileHash
<key-value-from-signature-file>
<key-value-from-downloaded-package>
True

If you downloaded mongodb-atlas-cli_1.29.0_windows_x86_64.msi, run the following command:

$sigHash = (Get-Content $Env:HomePath\Downloads\atlas-cli-key.txt | Out-String).SubString(0,64).ToUpper(); `
$fileHash = (Get-FileHash $Env:HomePath\Downloads\mongodb-atlas-cli_1.29.0_windows_x86_64.msi).Hash.Trim(); `
echo $sigHash; echo $fileHash; `
$sigHash -eq $fileHash
<key-value-from-signature-file>
<key-value-from-downloaded-package>
True

The command returns the key value from the signature file, the key value from the downloaded package, and True if the two values match.

If the two values match, the Atlas CLI binary is verified.

Verify Docker Container Images

You can use Cosign to verify MongoDB's signature for Atlas CLI container images.

To verify MongoDB's container signature, perform the following steps:

1

Download and install Cosign.

Example: MacOS

brew install cosign

For full installation instructions, see Cosign.

2

Download the Atlas CLI container image's public key

curl https://cosign.mongodb.com/atlas-cli.pem  > atlas-cli.pem
3

Verify the signature.

Run the following command to verify the signature by tag:

COSIGN_REPOSITORY=docker.io/mongodb/signatures cosign verify --private-infrastructure --key=./atlas-cli.pem docker.io/mongodb/atlas:latest
Verification for index.docker.io/mongodb/atlas:latest --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
[{"critical":{"identity":{"docker-reference":"index.docker.io/mongodb/atlas"},"image":{"docker-manifest-digest":"sha256:<key-value>"},"type":"cosign container image signature"},"optional":null}]

Back

Check Compatibility