Verify the Integrity of the MongoDB Enterprise Kubernetes Operator Packages

Starting in MongoDB Enterprise Kubernetes Operator 1.26.0, the MongoDB release team digitally signs MongoDB Enterprise Kubernetes Operator packages to certify that they are valid and unaltered MongoDB releases. Before you install MongoDB Enterprise Kubernetes Operator, validate the package using the provided PGP signature or SHA-256 checksum.

PGP signatures provide the strongest guarantees by checking both the authenticity and integrity of a file to prevent tampering.

Run the following command to obtain our signing key:

wget https://cosign.mongodb.com/mongodb-enterprise-kubernetes-operator.pem

MongoDB signs each release branch with a signature file. You can verify the authenticity of the binary with our public key file.

1. To download the 1.26.0 release using Darwin with an ARM64 architecture, run the following command:

wget https://github.com/mongodb/mongodb-enterprise-kubernetes/releases/download/1.26.0/kubectl-mongodb_1.26.0_darwin_arm64.tar.gz
Saving : « kubectl-mongodb_1.26.0_darwin_arm64.tar.gz »

2. Extract the archive, which contains the binary and its signature file:

tar -xvzf kubectl-mongodb_1.26.0_darwin_arm64.tar.gz
x kubectl-mongodb.sig
x kubectl-mongodb

3. Run the following command to verify the binary against its signature with the public key:

cosign verify-blob --key mongodb-enterprise-kubernetes-operator.pem --signature kubectl-mongodb.sig kubectl-mongodb
Verified OK

You can also verify the signature of any published Docker images. The following example shows how to verify the signature of the MongoDB Enterprise Kubernetes Operator 1.26.0 image:

cosign verify --key mongodb-enterprise-kubernetes-operator.pem quay.io/mongodb/mongodb-enterprise-operator-ubi:1.26.0 --insecure-ignore-tlog
WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.
Verification for quay.io/mongodb/mongodb-enterprise-operator-ubi:1.26.0 --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
[{"critical":{"identity":{"docker-reference":"quay.io/mongodb/mongodb-enterprise-operator-ubi:1.26.0"},"image":{"docker-manifest-digest":"sha256:9281935b4c36e0e4feebcf577abf21291ce0b517e7f637e6eaaf9769642abdd3"},"type":"cosign container image signature"},"optional":null}]
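
The payload printed above names the exact manifest digest that was signed. The following added example (not part of the MongoDB documentation) parses that payload and returns a digest-pinned reference, so that a deployment uses the image that was verified rather than whatever the 1.26.0 tag resolves to later. The function and constant names are hypothetical; the sample payload is the output shown above.

```python
import json
import re

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")
SIG_TYPE = "cosign container image signature"

# Payload copied from the cosign verify output shown above.
SAMPLE = (
    '[{"critical":{"identity":{"docker-reference":'
    '"quay.io/mongodb/mongodb-enterprise-operator-ubi:1.26.0"},'
    '"image":{"docker-manifest-digest":'
    '"sha256:9281935b4c36e0e4feebcf577abf21291ce0b517e7f637e6eaaf9769642abdd3"},'
    '"type":"cosign container image signature"},"optional":null}]'
)
REF = "quay.io/mongodb/mongodb-enterprise-operator-ubi:1.26.0"


def strip_tag(image_ref: str) -> str:
    """Drop ':tag' from 'registry[:port]/repo:tag', keeping any registry port."""
    head, sep, last = image_ref.rpartition("/")
    return head + sep + last.split(":", 1)[0]


def pinned_reference(payload_json: str, expected_ref: str) -> str:
    """Return 'repo@sha256:...' for the image the payloads were signed over.
    Raises ValueError if a payload names another image, has the wrong type,
    carries a malformed digest, or if the payloads disagree on the digest.
    """
    payloads = json.loads(payload_json)
    if not isinstance(payloads, list) or not payloads:
        raise ValueError("no signature payloads in cosign output")
    digests = set()
    for payload in payloads:
        critical = payload["critical"]
        if critical["type"] != SIG_TYPE:
            raise ValueError(f"unexpected payload type: {critical['type']!r}")
        signed_ref = critical["identity"]["docker-reference"]
        if signed_ref != expected_ref:
            raise ValueError(f"signed for {signed_ref!r}, not {expected_ref!r}")
        digest = critical["image"]["docker-manifest-digest"]
        if not DIGEST_RE.fullmatch(digest):
            raise ValueError(f"malformed digest: {digest!r}")
        digests.add(digest)
    if len(digests) != 1:
        raise ValueError(f"payloads disagree on digest: {sorted(digests)}")
    return f"{strip_tag(expected_ref)}@{digests.pop()}"

if __name__ == "__main__":
    print(pinned_reference(SAMPLE, REF))
```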
