Verify Packages with GPG

The MongoDB release team digitally signs MongoDB Compass packages to certify that packages are a valid and unaltered MongoDB release. Before you install MongoDB Compass, you can use the digital signature to validate the package.

This page describes how to use GPG to verify packages.

Before you Begin

If you don't have MongoDB Compass installed, download the MongoDB Compass binary from the Download Center.

Steps

1

Import the MongoDB Compass public key:

curl https://pgp.mongodb.com/compass.asc | gpg --import

If the key imports successfully, the command returns:

gpg: key CEED0419D361CB16: public key "MongoDB Compass Signing Key <compass@mongodb.com>" imported
gpg: Total number processed: 1
gpg: imported: 1

If you have previously imported the key, the command returns:

gpg: key A8130EC3F9F5F923: "MongoDB Compass Signing Key <compass@mongodb.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1

2

To download the MongoDB Compass public signature, go to the Compass Releases page on GitHub and download the corresponding .sig file for your version and variant.

For example, if you downloaded the mongodb-compass-1.44.5-darwin-x64.zip archive, download the mongodb-compass-1.44.5-darwin-x64.zip.sig signature.

Note

Make sure that you select the correct version on the GitHub releases page when you download the signature.

3

Verify the downloaded archive against the signature file:

gpg --verify <path_to_signature_file> <path_to_compass_archive>

If the package is signed by MongoDB, the command returns:

gpg: Signature made Mon Jan 22 10:22:53 2024 CET
gpg: using RSA key AB1B92FFBE0D3740425DAD16A8130EC3F9F5F923
gpg: Good signature from "MongoDB Compass Signing Key <compass@mongodb.com>" [unknown]

If the package is signed but the signing key is not added to your local trustdb, the command returns:

gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.

If the package is not signed properly, the command returns an error message:

gpg: Signature made Mon Jan 22 10:22:53 2024 CET
gpg: using RSA key AB1B92FFBE0D3740425DAD16A8130EC3F9F5F923
gpg: BAD signature from "MongoDB Compass Signing Key <compass@mongodb.com>" [unknown]
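
The `[unknown]` marker and the trustdb warning above mean gpg cannot confirm who owns the key, so a scripted check should compare the signing key's fingerprint with a pinned value instead of searching the output for "Good signature". The script below is an added example, not MongoDB's own tooling: `check_status`, `verify_compass` and the sample status lines are constructed for illustration, and the pinned fingerprint is the one shown in this page's sample output, which you should confirm through a channel you trust.

```shell
#!/bin/sh
# Added example: pin the signing-key fingerprint instead of reading gpg's text.
# Fingerprint copied from the "using RSA key" line in this page's sample output.
EXPECTED_FPR="AB1B92FFBE0D3740425DAD16A8130EC3F9F5F923"

# check_status FPR: reads `gpg --status-fd` lines on stdin. Succeeds only when
# gpg reported GOODSIG plus a VALIDSIG whose signing-key or primary-key
# fingerprint equals FPR, and no failure status appeared.
check_status() {
    awk -v want="$1" '
        BEGIN { want = toupper(want) }
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "GOODSIG" { good = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { pinned = 1 }
        END { exit !(good && pinned && !bad) }
    '
}

# verify_compass SIGNATURE_FILE ARCHIVE: exit status 0 only for the pinned key.
verify_compass() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$EXPECTED_FPR"
}

# Constructed status output (timestamps and the second key are made up).
SAMPLE_GOOD='[GNUPG:] GOODSIG A8130EC3F9F5F923 MongoDB Compass Signing Key <compass@mongodb.com>
[GNUPG:] VALIDSIG AB1B92FFBE0D3740425DAD16A8130EC3F9F5F923 2024-01-22 1705915373 0 4 0 1 10 00 AB1B92FFBE0D3740425DAD16A8130EC3F9F5F923'
SAMPLE_OTHER_KEY='[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Key <someone@example.com>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-22 1705915373 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'
SAMPLE_BAD='[GNUPG:] BADSIG A8130EC3F9F5F923 MongoDB Compass Signing Key <compass@mongodb.com>'

if [ "$#" -eq 2 ]; then
    # Real use: ./script <path_to_signature_file> <path_to_compass_archive>
    if verify_compass "$1" "$2"; then echo "OK: signed by $EXPECTED_FPR"; else echo "FAIL"; exit 1; fi
else
    # No arguments: run the check over the constructed samples.
    for sample in "$SAMPLE_GOOD" "$SAMPLE_OTHER_KEY" "$SAMPLE_BAD"; do
        if printf '%s\n' "$sample" | check_status "$EXPECTED_FPR"; then echo accept; else echo reject; fi
    done
fi
```

The second sample is the case the trustdb warning is about: gpg reports a good signature, but from a key other than the pinned one, so the check rejects it.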
