Verify Integrity of Cloud Manager MongoDB Agent Packages
- OAuth 2.0 authentication for programmatic access to Cloud Manager is available as a Preview feature.
- The feature and the corresponding documentation might change at any time during the Preview period. To use OAuth 2.0 authentication, create a service account to use in your requests to the Cloud Manager Public API.
Starting in Cloud Manager 7.2.0.488-1, the MongoDB release team digitally signs Cloud Manager packages to certify that they are valid and unaltered MongoDB releases. Before installing Cloud Manager, validate the package using the provided PGP signature.
PGP signatures give a stronger guarantee than a checksum: a checksum downloaded from the same server as the package only shows that the file was not corrupted in transit, whereas a signature that verifies against MongoDB's public key shows both that the file is unaltered and that it was produced by the holder of MongoDB's signing key.
Verify a PGP/GPG file
MongoDB signs each release branch with a different PGP key. The public key for the MongoDB Agent is available for download from the key server (pgp.mongodb.com) in both ASCII-armored (.asc) and binary (.pub) formats, as automation-agent.asc and automation-agent.pub respectively. Either format imports into gpg the same way.
Download the MongoDB Agent binary.
For example, use this command to download MongoDB Agent 13.14.0.8757-1 for Amazon Linux 2 on aarch64:
curl -LO https://cloud.mongodb.com/download/agent/automation/mongodb-mms-automation-agent-13.14.0.8757-1.amzn2_aarch64.tar.gz
The verification step below needs the matching detached signature file (mongodb-mms-automation-agent-13.14.0.8757-1.amzn2_aarch64.tar.gz.sig) in the same directory as the tarball, so download it alongside the package.
Download the public key for your binaries from the key server. You can select automation-agent.asc or automation-agent.pub.
Download and import the key file.
If you did not download and import the MongoDB public key, run these commands:
curl -LO https://pgp.mongodb.com/automation-agent.asc
gpg --import automation-agent.asc
gpg should return a response similar to the following:
gpg: key B2F05BD0A068169E: public key "MongoDB Agent Release Signing Key <packaging@mongodb.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
Verify the MongoDB Agent Binary.
To verify the MongoDB Agent binary, run this command:
gpg --verify mongodb-mms-automation-agent-13.14.0.8757-1.amzn2_aarch64.tar.gz.sig mongodb-mms-automation-agent-13.14.0.8757-1.amzn2_aarch64.tar.gz
gpg should return a response similar to the following:
gpg: Signature made Fri Mar 22 16:19:18 2024 EDT
gpg:                using RSA key F197D2C460DEC1B0674D3DEBB2F05BD0A068169E
gpg: Good signature from "MongoDB Agent Release Signing Key <packaging@mongodb.com>" [unknown]
If the package is properly signed but you have not yet marked the signing key as trusted in your local trustdb, gpg also returns the following message:
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: E162 F504 A20C DF15 827F 718D 4B7C 549A 058F 8B6B
"Good signature" is the cryptographic result; the warning and the [unknown] tag only reflect that your trustdb has no trust path to the key. The check that matters is that the primary key fingerprint gpg prints is the fingerprint of the key you intended to import: compare it against a fingerprint you obtained from MongoDB through a channel other than the download itself, not against the sample output on this page. A good signature from a key with a different fingerprint means the package was signed by someone else.
If you receive the following error message, the key that produced the signature is not in your keyring. Confirm that you imported the correct public key for this release branch:
gpg: Can't check signature: public key not found
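The manual procedure above stops at "Good signature" and leaves the fingerprint comparison to the reader. The following script, an added example that is not MongoDB's own tooling, turns that comparison into a hard check: it imports the key into a dedicated GnuPG home directory, verifies the detached signature through gpg's machine-readable --status-fd interface, and succeeds only when the VALIDSIG line reports a primary key fingerprint equal to a pinned value. A good signature from any other key, a tampered tarball, or a missing key all fail. The demo mode generates a throwaway key and signs a constructed stand-in for the agent tarball so the logic can be exercised offline; the file names, the demo key identity and the all-zero "wrong pin" are assumptions for the example, and the real-run mode assumes automation-agent.asc is in the current directory.

```shell
#!/bin/sh
# Added example, not MongoDB's own tooling: verify a detached PGP signature
# against a pinned signing-key fingerprint in a dedicated keyring, so the
# result does not depend on (or pollute) the user's default trustdb, and a
# "Good signature" from the wrong key is rejected rather than merely warned about.
set -eu

# Strip spaces and upper-case so "E162 F504 ..." and "e162f504..." compare equal.
normalize_fpr() { printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'; }

# import_key KEYFILE HOMEDIR
# Import a public key file (e.g. automation-agent.asc) into a dedicated GnuPG
# home directory and print the primary-key fingerprint of each key it held.
import_key() {
  mkdir -p "$2" && chmod 700 "$2"
  gpg --homedir "$2" --batch --quiet --import "$1" 2>/dev/null
  # --with-colons: the "fpr" record right after a "pub" record is the primary fingerprint (field 10).
  gpg --homedir "$2" --batch --with-colons --list-keys 2>/dev/null \
    | awk -F: '$1=="pub"{want=1} $1=="fpr" && want{print $10; want=0}'
}

# verify_signed_package PACKAGE SIGNATURE EXPECTED_FPR HOMEDIR
# Succeeds only if gpg emits VALIDSIG and the signing key's primary fingerprint
# (last field of the VALIDSIG status line) equals EXPECTED_FPR. A bad signature,
# a missing key, or a good signature from any other key all fail.
verify_signed_package() {
  expected="$(normalize_fpr "$3")"
  # --status-fd is the machine-readable interface; never grep the human-readable text.
  status="$(gpg --homedir "$4" --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null || true)"
  primary="$(printf '%s\n' "$status" | awk '$1=="[GNUPG:]" && $2=="VALIDSIG"{print $NF}')"
  if [ -n "$primary" ] && [ "$primary" = "$expected" ]; then return 0; fi
  return 1
}

# run_demo: offline self-check with a throwaway key and a constructed stand-in
# for the agent tarball. Runs the check with the right pin, with a wrong pin,
# and against a tampered tarball, printing "valid=0 badpin=1 tampered=1".
run_demo() {
  work="$(mktemp -d)"; signer="$work/signer"; mkdir -p "$signer"; chmod 700 "$signer"
  pkg="$work/mongodb-mms-automation-agent-demo.tar.gz"   # assumed name, constructed content
  printf 'constructed stand-in for the agent tarball\n' > "$pkg"
  gpg --homedir "$signer" --batch --pinentry-mode loopback --passphrase '' \
      --quick-gen-key 'Demo Signing Key <demo@example.invalid>' default default never >/dev/null 2>&1
  pin="$(gpg --homedir "$signer" --batch --with-colons --list-secret-keys 2>/dev/null \
         | awk -F: '$1=="fpr"{print $10; exit}')"
  gpg --homedir "$signer" --batch --pinentry-mode loopback --passphrase '' \
      --detach-sign --output "$pkg.sig" "$pkg" 2>/dev/null
  # Export the public key as an .asc file and import it into a separate verifier
  # keyring, mirroring what a user does with automation-agent.asc.
  gpg --homedir "$signer" --batch --armor --export "$pin" > "$work/demo-key.asc" 2>/dev/null
  got="$(import_key "$work/demo-key.asc" "$work/verifier")"
  [ "$got" = "$pin" ] || { echo "import-mismatch"; return 1; }
  if verify_signed_package "$pkg" "$pkg.sig" "$pin" "$work/verifier"; then a=0; else a=1; fi
  # Wrong pin: the signature is still cryptographically good, but not from the key we trust.
  if verify_signed_package "$pkg" "$pkg.sig" 0000000000000000000000000000000000000000 "$work/verifier"; then b=0; else b=1; fi
  printf 'tampered\n' >> "$pkg"   # any change to the package must break the signature
  if verify_signed_package "$pkg" "$pkg.sig" "$pin" "$work/verifier"; then c=0; else c=1; fi
  for d in "$signer" "$work/verifier"; do gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null || true; done
  rm -rf "$work"
  printf 'valid=%s badpin=%s tampered=%s\n' "$a" "$b" "$c"
}

# Usage: sh verify-agent.sh demo                         (offline self-check)
#        sh verify-agent.sh PKG PKG.sig PINNED_FPR [KEYRING_DIR]
# The real-run mode assumes automation-agent.asc sits in the current directory.
case "${1:-}" in
  demo) run_demo ;;
  "")   : ;;
  *)    import_key automation-agent.asc "${4:-./agent-keyring}" >/dev/null
        if verify_signed_package "$1" "$2" "$3" "${4:-./agent-keyring}"; then
          echo "OK: valid signature from pinned key $3"
        else
          echo "FAIL: no valid signature from pinned key $3" >&2; exit 1
        fi ;;
esac
```

The pinned fingerprint passed as the third argument should come from MongoDB through a channel separate from the package download; the script deliberately ignores gpg's trust level and compares the fingerprint itself, which is what the "[unknown]" warning in the manual procedure is asking you to do by hand.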