Verify MongoDB for VSCode Plugin
On this page
The MongoDB release team digitally signs VS Code Extension releases to certify that the plugin is a valid and unaltered MongoDB release. You can use the digital signature to validate the plugin and ensure that it is a trusted installation.
Before you Begin
If you don't have VS Code Extension installed, download the VS Code Extension plugin from the GitHub Releases page or the Visual Studio Code extension marketplace.
Steps
Download the VS Code Extension signature file
Go to the MongoDB VS Code Releases page and download
the .sig file for your version of VS Code Extension.
Import the VS Code Extension public key
curl https://pgp.mongodb.com/mongodb-vscode.asc | gpg --import
If the key imports successfully, the command returns:
gpg: key A8130EC3F9F5F923: public key "MongoDB VS Code Signing Key <vscode@mongodb.com>" imported gpg: Total number processed: 1 gpg: imported: 1
If you have previously imported the key, the command returns:
gpg: key A8130EC3F9F5F923: public key "MongoDB VS Code Signing Key <vscode@mongodb.com>" not changed gpg: Total number processed: 1 gpg: unchanged: 1
Verify the plugin
gpg --verify <path_to_signature_file> <path_to_plugin_vsix_file>
If the plugin is signed by MongoDB, the command returns:
gpg: Signature made Mon Jan 8 19:30:04 2024 CET gpg: using RSA key A505CECC78EC9A688A4811505D55DCA8B92B7040 gpg: Good signature from "MongoDB VS Code Signing Key <vscode@mongodb.com>" [unknown]
If the package is signed but the signing key is not added to your
local trustdb, the command returns:
gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner.
If the package is not signed properly, the command returns an error message:
gpg: Signature made Mon Jan 22 10:22:53 2024 CET gpg: using RSA key AB1B92FFBE0D3740425DAD16A8130EC3F9F5F923 gpg: BAD signature from "MongoDB VS Code Signing Key <vscode@mongodb.com>" [unknown]