• Install Ops Manager >
• Verify Integrity of Ops Manager Packages

Verify Integrity of Ops Manager Packages

Starting in Ops Manager 4.4.14, the MongoDB release team digitally signs Ops Manager packages to certify that they are valid and unaltered MongoDB releases. Before installing Ops Manager, validate the package using the provided PGP signature.

PGP signatures provide the strongest guarantees by checking both the authenticity and integrity of a file to prevent tampering.

Verify a deb Package

1

Download the latest version of the Ops Manager package.

1. Open your preferred browser to visit the MongoDB Download Center on MongoDB.com.

   If you start on MongoDB.com instead of following the link above, click Products arrow right icon Ops Manager arrow right icon Try it now.

2. From the Platforms dropdown menu, click Ubuntu 18.04.

3. From the Packages dropdown menu, click DEB for x86_64 architecture.

4. Click Download.

   The downloaded package is named mongodb-mms-<version>.x86_64.deb, where <version> is the version number.

2

Use cURL to download the public key file from MongoDB.

copy

curl -O https://pgp.mongodb.com/opsmanager-5.0.asc

3

Use cURL to download the public signature file from MongoDB.

In the following command, replace <version> with the version of the Ops Manager package.

copy

curl -O https://downloads.mongodb.com/on-prem-mms/deb/mongodb-mms-<version>_x86_64.deb.sig

4

Import the public key.

copy

gpg --import opsmanager-5.0.asc

5

Verify the Ops Manager package integrity.

In the following command, replace <version> with the version of the Ops Manager package.

copy

gpg --verify mongodb-mms-<version>_x86_64.deb.sig \
    mongodb-mms-<version>_x86_64.deb

When the package is successfully verified, you receive a response like the following:

gpg: Signature made Wed Jun 23 15:44:30 2021 UTC
gpg:                using RSA key 056AB6A90E47FE40
gpg: Good signature from "Ops Manager 5.0 Release Signing Key <packaging@mongodb.com>" [unknown]

If the package is properly signed, but you don’t currently trust the signing key in your local trustdb, gpg also returns the following message:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: D657 EF0E F51C 41B7 AE11  1CAF 056A B6A9 0E47 FE40

Verify an rpm Package

1

Download the latest version of the Ops Manager package.

1. Open your preferred browser to visit the MongoDB Download Center on MongoDB.com.

   If you start from MongoDB.com, click Products arrow right icon Ops Manager arrow right icon Try it now.

2. From the Platforms dropdown menu, click one of the following options:

   • Red Hat + CentOS 7, 8 / SUSE 12 + 15 / Amazon Linux

3. From the Packages dropdown menu, click RPM.

4. Click Download.

   The downloaded package is named mongodb-mms-<version>.x86_64.rpm, where <version> is the version number.

2

Use cURL to download the public key file from MongoDB.

copy

curl -O https://pgp.mongodb.com/opsmanager-5.0.asc

3

Import the public key.

copy

sudo rpm --import opsmanager-5.0.asc

4

Verify the Ops Manager package integrity.

In the following command, replace:

• <version> with the version of the Ops Manager package.
• <architecture> with the CPU architecture for the package. This value must be x86_64.

copy

sudo rpm -K mongodb-mms-<version>.<architecture>.rpm

When the package is successfully verified, you receive a response like the following:

mongodb-mms-<version.arch>.rpm: rsa sha1 (md5) pgp md5 OK

Verify a tar.gz Archive

1

Download the latest version of the Ops Manager archive.

1. Open your preferred browser to visit the MongoDB Download Center on MongoDB.com.

   If start from MongoDB.com, click Products arrow right icon Ops Manager arrow right icon Try it now.

2. From the Version dropdown menu, click one of the provided stable versions.

3. From the Platform dropdown menu, click one of the following options:

   • Red Hat + CentOS 7, 8 / SUSE 12 + 15 / Amazon Linux 2
   • Debian 9, 10, 11 / Ubuntu 18.04

4. From the Package dropdown menu, click tar.gz.

5. Click Download.

   The downloaded package is named mongodb-mms-<version>.x86_64.tar.gz, where <version> is the version number.

2

Use cURL to download the public key file from MongoDB.

copy

curl -O https://pgp.mongodb.com/opsmanager-5.0.asc

3

Use cURL to download the public signature file from MongoDB.

In the following command, replace:

• <version> with the version of the Ops Manager package.
• <architecture> with the CPU architecture for the package. This value must be x86_64.

copy

curl -O https://downloads.mongodb.com/on-prem-mms/tar/mongodb-mms-<version>.<architecture>.tar.gz.sig

4

Import the public key.

copy

gpg --import opsmanager-5.0.asc

5

Verify the Ops Manager package integrity.

In the following command, replace:

• <version> with the version of the Ops Manager package.
• <architecture> with the CPU architecture for the package. This value must be x86_64.

copy

gpg --verify mongodb-mms-<version>.<architecture>.tar.gz.sig \
    mongodb-mms-<version>.<architecture>.tar.gz

When the package is successfully verified, you receive a response like the following:

gpg: Signature made Wed Jun 23 15:44:30 2021 UTC
gpg:                using RSA key 056AB6A90E47FE40
gpg: Good signature from "Ops Manager 5.0 Release Signing Key <packaging@mongodb.com>" [unknown]

If the package is properly signed, but you don’t currently trust the signing key in your local trustdb, gpg also returns the following message:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: D657 EF0E F51C 41B7 AE11  1CAF 056A B6A9 0E47 FE40

←   Upgrade Ops Manager Create or Import a MongoDB Deployment  →

© MongoDB, Inc 2008-present. MongoDB, Mongo, and the leaf logo are registered trademarks of MongoDB, Inc.