Verify Packages with GPG
The MongoDB release team digitally signs MongoDB Compass packages to certify that packages are a valid and unaltered MongoDB release. Before you install MongoDB Compass, you can use the digital signature to validate the package.
This page describes how to use GPG to verify packages.
Before you Begin
If you don't have MongoDB Compass installed, download the MongoDB Compass binary from the Download Center.
Steps
Import the MongoDB Compass public key
curl https://pgp.mongodb.com/compass.asc | gpg --import
If the key imports successfully, the command returns:
gpg: key CEED0419D361CB16: public key "MongoDB Compass Signing Key <compass@mongodb.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
If you have previously imported the key, the command returns:
gpg: key A8130EC3F9F5F923: "MongoDB Compass Signing Key <compass@mongodb.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
Download the MongoDB Compass public signature
To download the MongoDB Compass public signature, go to the Compass Releases page on GitHub and download the corresponding .sig file for your version and variant.
For example, if you downloaded the mongodb-compass-1.44.5-darwin-x64.zip archive, download the mongodb-compass-1.44.5-darwin-x64.zip.sig signature.
Note
Make sure that you select the correct version in the GitHub releases page when you download the signature.
Verify the package
gpg --verify <path_to_signature_file> <path_to_compass_archive>
If the package is signed by MongoDB, the command returns:
gpg: Signature made Mon Jan 22 10:22:53 2024 CET
gpg: using RSA key AB1B92FFBE0D3740425DAD16A8130EC3F9F5F923
gpg: Good signature from "MongoDB Compass Signing Key <compass@mongodb.com>" [unknown]
If the package is signed but the signing key is not added to your local trustdb, the command returns:
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
If the package is not signed properly, the command returns an error message:
gpg: Signature made Mon Jan 22 10:22:53 2024 CET
gpg: using RSA key AB1B92FFBE0D3740425DAD16A8130EC3F9F5F923
gpg: BAD signature from "MongoDB Compass Signing Key <compass@mongodb.com>" [unknown]
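As an added example (not part of MongoDB's documentation or tooling), the script below wraps the verify step so that it succeeds only when the signature is valid and was made by the expected key, reading gpg's machine-readable --status-fd output instead of the human-readable text. The pinned fingerprint is copied from the sample output above; the function names and sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not MongoDB tooling. Function names are hypothetical.
# Fingerprint copied from the "using RSA key" line in the sample output above;
# confirm it through a channel you trust before pinning it.
EXPECTED_FPR="AB1B92FFBE0D3740425DAD16A8130EC3F9F5F923"

# Constructed status lines in the format gpg writes to --status-fd.
OTHER_FPR="0123456789ABCDEF0123456789ABCDEF01234567"   # constructed placeholder
SAMPLE_GOOD="[GNUPG:] VALIDSIG $EXPECTED_FPR 2024-01-22 1705915373 0 4 0 1 10 00 $EXPECTED_FPR"
SAMPLE_BAD="[GNUPG:] BADSIG A8130EC3F9F5F923 MongoDB Compass Signing Key <compass@mongodb.com>"
SAMPLE_OTHER_KEY="[GNUPG:] VALIDSIG $OTHER_FPR 2024-01-22 1705915373 0 4 0 1 10 00 $OTHER_FPR"

# check_status FPR: reads status lines on stdin and succeeds only if a
# VALIDSIG line names FPR (signing key or primary key fingerprint) and no
# bad, erroneous, expired-key or revoked-key status was reported.
check_status() {
    awk -v want="$1" '
        function same(a, b) { return (a "") == (b "") }   # force string compare
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" && (same($3, want) || same($NF, want)) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_compass SIG ARCHIVE: runs the verify step from this page.
# --status-fd 1 sends status lines to stdout; the human-readable messages
# shown above go to stderr and are discarded here.
verify_compass() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$EXPECTED_FPR"
}

# Usage: sh <this script> <path_to_signature_file> <path_to_compass_archive>
if [ "$#" -eq 2 ]; then
    if verify_compass "$1" "$2"; then
        echo "OK: valid signature from $EXPECTED_FPR"
    else
        echo "FAIL: signature missing, bad, or not from $EXPECTED_FPR" >&2
        exit 1
    fi
fi
```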