Validate Driver Artifact Signatures

Install Encryption Software

You must first install the GnuPG encryption suite to use GPG on the command line. You can install GnuPG by using Homebrew.

Download and Import the Public Key

Navigate to the Releases page in the MongoDB JVM drivers GitHub repository. Each version release contains instructions on how to download and import the public key for verifying signatures.

Download the Signed File

In your terminal, run the curl command to download the signed file corresponding to a version of the driver. For example, running the following command downloads the signed file for the v5.1.0 driver:

curl -LO https://repo.maven.apache.org/maven2/org/mongodb/mongodb-driver-core/5.1.0/mongodb-driver-core-5.1.0.jar

Download the File Signature

In your terminal, run the curl command to download the file signature corresponding to a version of the driver. For example, running the following command downloads the file signature for the v5.1.0 driver:

curl -LO https://repo.maven.apache.org/maven2/org/mongodb/mongodb-driver-core/5.1.0/mongodb-driver-core-5.1.0.jar.asc

Verify the Signature

Finally, you can verify the signature by using the encryption package. The following terminal command uses gpg to verify the artifact signature of the v5.1.0 driver:

gpg --verify mongodb-driver-core-5.1.0.jar.asc mongodb-driver-core-5.1.0.jar

If you successfully verify the signature, you see a message similar to the following:

gpg: Signature made Tue 30 Apr 12:05:34 2024 MDT
gpg:                using RSA key 76E0008D166740A8
gpg: Good signature from "MongoDB Java Driver Release Signing Key <packaging@mongodb.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1A75 005E 1421 9222 3D6A  7C3B 76E0 008D 1667 40A8