From d3daf81601a3e7553ced5d33476a5e40f074895e Mon Sep 17 00:00:00 2001
From: Jeff Allen
Date: Tue, 2 Jul 2024 10:33:47 -0400
Subject: [PATCH 1/6] WIP
---
 snooty.toml | 2 +-
 source/installation.txt | 1 +
 source/installation/verify-signature.txt | 29 ++++++++++++++++++++++++
 3 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 source/installation/verify-signature.txt
diff --git a/snooty.toml b/snooty.toml
index ba7decf4b..b8cb28048 100644
--- a/snooty.toml
+++ b/snooty.toml
@@ -53,4 +53,4 @@ targets = [
 variant = "warning"
 value = """\
 MongoDB ``mongosync`` binaries are not supported or tested for use with non-genuine MongoDB deployments. While the tools may work on these deployments, compatibility is not guaranteed.
- """
\ No newline at end of file
+ """
diff --git a/source/installation.txt b/source/installation.txt
index bb1e3add2..3911b6a58 100644
--- a/source/installation.txt
+++ b/source/installation.txt
@@ -24,3 +24,4 @@ These documents provide instructions to install {+c2c-full-product-name+}.
 Linux
 macOS
+ Verify Signature
diff --git a/source/installation/verify-signature.txt b/source/installation/verify-signature.txt
new file mode 100644
index 000000000..125050b9b
--- /dev/null
+++ b/source/installation/verify-signature.txt
@@ -0,0 +1,29 @@
+.. _c2c-verify-signature:
+
+======================================
+Verify Integrity of mongosync Packages
+======================================
+
+.. contents:: On this page
+ :local:
+ :backlinks: none
+ :depth: 1
+ :class: singlecol
+
+.. facet::
+ :name: genre
+ :values: tutorial
+
+The MongoDB release team digitally signs ``mongosync`` packages to
+certify that the plugin is a valid and unaltered MongoDB release. You
+can use the digital signature to validate the package and ensure that it
+is a trusted installation.
+
+Before you Begin
+----------------
+
+If you don't have ``mongosync`` installed, download the ``mongosync``
+binary from the {+mdb-download-center+}.
+
+Steps
+-----
From ad30b90582a55a52f5f6bf34e0a1ad3433b58b8c Mon Sep 17 00:00:00 2001
From: jeff-allen-mongo
Date: Mon, 24 Mar 2025 15:06:50 -0400
Subject: [PATCH 2/6] DOCSP-40664-verify-package-signatures
---
 snooty.toml | 1 +
 source/includes/verification-gpg-results.rst | 17 ++++
 .../verify-signatures-before-you-begin.rst | 3 +
 source/includes/verify-signatures-intro.rst | 4 +
 source/installation/verify-signature.txt | 29 ------
 source/installation/verify.txt | 33 +++++++
 source/installation/verify/gpg.txt | 91 +++++++++++++++++++
 source/installation/verify/macos.txt | 45 +++++++++
 source/installation/verify/rpm.txt | 54 +++++++++++
 9 files changed, 248 insertions(+), 29 deletions(-)
 create mode 100644 source/includes/verification-gpg-results.rst
 create mode 100644 source/includes/verify-signatures-before-you-begin.rst
 create mode 100644 source/includes/verify-signatures-intro.rst
 delete mode 100644 source/installation/verify-signature.txt
 create mode 100644 source/installation/verify.txt
 create mode 100644 source/installation/verify/gpg.txt
 create mode 100644 source/installation/verify/macos.txt
 create mode 100644 source/installation/verify/rpm.txt
diff --git a/snooty.toml b/snooty.toml
index b8cb28048..a0dd3682e 100644
--- a/snooty.toml
+++ b/snooty.toml
@@ -14,6 +14,7 @@ intersphinx = [ "https://www.mongodb.com/docs/atlas/objects.inv", toc_landing_pages = ["/quickstart", "/installation", + "/installation/verify", "/reference", "/connecting", "/topologies",
diff --git a/source/includes/verification-gpg-results.rst b/source/includes/verification-gpg-results.rst
new file mode 100644
index 000000000..7141eeba0
--- /dev/null
+++ b/source/includes/verification-gpg-results.rst
@@ -0,0 +1,17 @@
+If the key imports successfully, the command returns:
+
+.. code-block:: sh
+ :copyable: false
+
+ gpg: key 3132835C1D925D5B: public key "MongoDB CLI Tools Release Signing Key " imported
+ gpg: Total number processed: 1
+ gpg: imported: 1
+
+If you have previously imported the key, the command returns:
+
+.. code-block:: sh
+ :copyable: false
+
+ gpg: key 3132835C1D925D5B: "MongoDB CLI Tools Release Signing Key " not changed
+ gpg: Total number processed: 1
+ gpg: unchanged: 1
diff --git a/source/includes/verify-signatures-before-you-begin.rst b/source/includes/verify-signatures-before-you-begin.rst
new file mode 100644
index 000000000..f298de7f8
--- /dev/null
+++ b/source/includes/verify-signatures-before-you-begin.rst
@@ -0,0 +1,3 @@
+If you don't have ``mongosync`` installed, download the ``mongosync``
+package from the `Download Center
+`__.
diff --git a/source/includes/verify-signatures-intro.rst b/source/includes/verify-signatures-intro.rst
new file mode 100644
index 000000000..30977997c
--- /dev/null
+++ b/source/includes/verify-signatures-intro.rst
@@ -0,0 +1,4 @@
+The MongoDB release team digitally signs ``mongosync`` packages to
+certify that packages are a valid and unaltered MongoDB release. Before
+you install ``mongosync``, you can use the digital signature to validate
+the package.
diff --git a/source/installation/verify-signature.txt b/source/installation/verify-signature.txt
deleted file mode 100644
index 125050b9b..000000000
--- a/source/installation/verify-signature.txt
+++ /dev/null
@@ -1,29 +0,0 @@
-.. _c2c-verify-signature:
-
-======================================
-Verify Integrity of mongosync Packages
-======================================
-
-.. contents:: On this page
- :local:
- :backlinks: none
- :depth: 1
- :class: singlecol
-
-.. facet::
- :name: genre
- :values: tutorial
-
-The MongoDB release team digitally signs ``mongosync`` packages to
-certify that the plugin is a valid and unaltered MongoDB release. You
-can use the digital signature to validate the package and ensure that it
-is a trusted installation.
-
-Before you Begin
-----------------
-
-If you don't have ``mongosync`` installed, download the ``mongosync``
-binary from the {+mdb-download-center+}.
-
-Steps
------
diff --git a/source/installation/verify.txt b/source/installation/verify.txt
new file mode 100644
index 000000000..58f98dd0d
--- /dev/null
+++ b/source/installation/verify.txt
@@ -0,0 +1,33 @@
+.. _c2c-verify-signature:
+
+======================================
+Verify Integrity of mongosync Packages
+======================================
+
+.. contents:: On this page
+ :local:
+ :backlinks: none
+ :depth: 1
+ :class: singlecol
+
+.. facet::
+ :name: genre
+ :values: tutorial
+
+.. include:: /includes/verify-signatures-intro.rst
+
+To learn how to verify Database Tools packages, see the corresponding
+page for your verification method:
+
+- :ref:`c2c-verify-signatures-macos`
+
+- :ref:`c2c-verify-signatures-gpg`
+
+- :ref:`c2c-verify-signatures-rpm`
+
+.. toctree::
+ :titlesonly:
+
+ macOS
+ Linux
+ RHEL
diff --git a/source/installation/verify/gpg.txt b/source/installation/verify/gpg.txt
new file mode 100644
index 000000000..ca09b4ee1
--- /dev/null
+++ b/source/installation/verify/gpg.txt
@@ -0,0 +1,91 @@
+.. _c2c-verify-signatures-gpg:
+
+================================
+Verify Packages with GPG (Linux)
+================================
+
+.. contents:: On this page
+ :local:
+ :backlinks: none
+ :depth: 1
+ :class: singlecol
+
+.. facet::
+ :name: genre
+ :values: tutorial
+
+.. include:: /includes/verify-signatures-intro.rst
+
+This page describes how to use GPG to verify Linux packages.
+
+Before you Begin
+----------------
+
+.. include:: /includes/verify-signatures-before-you-begin.rst
+
+Steps
+-----
+
+.. procedure::
+ :style: normal
+
+ .. step:: Import the MongoDB Server Tools public key
+
+ .. code-block:: sh
+
+ curl https://pgp.mongodb.com/server-Tools.asc | gpg --import
+
+ .. include:: /includes/verification-gpg-results.rst
+
+ .. step:: Download the mongosync public signature
+
+ To download the ``mongosync`` public signature, run the following
+ command, replacing the placeholder values with your platform,
+ architecture, and ``mongosync`` version:
+
+https://fastdl.mongodb.org/tools/mongosync/mongosync-amazon2-x86_64-1.12.0.tgz
+
+ .. code-block:: sh
+
+ curl -LO https://s3.amazonaws.com/downloads.mongodb.org/tools/mongosync/mongosync---.tgz.sig
+
+ .. example::
+
+ The following URL contains the signature file for Database
+ Tools on Amazon Linux 2, version {+version+}:
+
+ ``https://s3.amazonaws.com/downloads.mongodb.org/tools/mongosync/mongosync-amazon2-x86_64-{+version+}.tgz.sig``
+
+ .. step:: Verify the package
+
+ .. code-block:: sh
+
+ gpg --verify
+
+ If the package is signed by MongoDB, the command returns:
+
+ .. code-block:: sh
+ :copyable: false
+
+ gpg: Signature made Wed 19 Feb 2025 02:19:15 PM EST
+ gpg: using RSA key D4E45C292A5C94962F0D10E13132835C1D925D5B
+ gpg: Good signature from "MongoDB CLI Tools Release Signing Key " [unknown]
+
+ If the package is signed but the signing key is not added to your
+ local ``trustdb``, the command returns:
+
+ .. code-block:: sh
+ :copyable: false
+
+ gpg: WARNING: This key is not certified with a trusted signature!
+ gpg: There is no indication that the signature belongs to the owner.
+
+ If the package is not properly signed, the command returns an
+ error message:
+
+ .. code-block:: sh
+ :copyable: false
+
+ gpg: Signature made Wed 19 Feb 2025 02:19:15 PM EST
+ gpg: using RSA key D4E45C292A5C94962F0D10E13132835C1D925D5B
+ gpg: BAD signature from "MongoDB CLI Tools Release Signing Key " [unknown]
diff --git a/source/installation/verify/macos.txt b/source/installation/verify/macos.txt
new file mode 100644
index 000000000..e541ad530
--- /dev/null
+++ b/source/installation/verify/macos.txt
@@ -0,0 +1,45 @@
+.. _c2c-verify-signatures-macos:
+
+================================
+Verify mongosync Binary on macOS
+================================
+
+.. contents:: On this page
+ :local:
+ :backlinks: none
+ :depth: 1
+ :class: singlecol
+
+.. facet::
+ :name: genre
+ :values: tutorial
+
+.. include:: /includes/verify-signatures-intro.rst
+
+The ``mongosync`` ``.zip`` download for macOS is notarized. This page
+describes how to use ``codesign`` to verify the integrity of the
+unzipped ``mongosync`` binary.
+
+Before you Begin
+----------------
+
+.. include:: /includes/verify-signatures-before-you-begin.rst
+
+Steps
+-----
+
+To verify the ``mongosync`` binary, run:
+
+.. code-block:: sh
+
+ codesign -dv --verbose=4
+
+If the binary is signed by MongoDB, the output includes the following
+information:
+
+.. code-block:: sh
+ :copyable: false
+
+ Authority=Developer ID Application: MongoDB, Inc. (4XWMY46275)
+ Authority=Developer ID Certification Authority
+ Authority=Apple Root CA
diff --git a/source/installation/verify/rpm.txt b/source/installation/verify/rpm.txt
new file mode 100644
index 000000000..233025259
--- /dev/null
+++ b/source/installation/verify/rpm.txt
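Review bot: The "Verify the package" step treats the `WARNING: This key is not certified with a trusted signature!` outcome as a pass without ever asking the reader to confirm which key produced the `Good signature`, so a substituted key in the fetched `server-Tools.asc` would verify just as cleanly. After the import step, add a sentence such as "Confirm that `gpg --fingerprint 3132835C1D925D5B` prints the fingerprint `D4E4 5C29 2A5C 9496 2F0D 10E1 3132 835C 1D92 5D5B`; do not continue if it differs", which reuses the key ID and RSA key already shown in the expected output. The `curl -LO` URL (`mongosync---.tgz.sig`) and the bare `gpg --verify` line show no placeholder or argument as rendered, which looks like angle-bracket placeholders lost in extraction rather than in the source; worth confirming the source still names both the `.sig` file and the package, since `gpg --verify` given only the signature file looks for the package under the same name without the `.sig` suffix. The hunk is the whole new file, so nothing is cut off.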
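Review bot: `codesign -dv --verbose=4` only displays the signing information in the macos.txt step; it does not check that the binary's contents still match the seal or that the certificate chain is valid, so the `Authority=` lines shown can appear for a modified binary. Change the command to `codesign --verify --verbose=4 <path-to-mongosync>` (keeping `-dv` as a second command if the Authority lines are the point), and ask the reader to confirm that `TeamIdentifier=4XWMY46275` — the team ID already visible in the first `Authority=` line — appears in the output. Since the page says the `.zip` is notarized, `spctl --assess --type execute --verbose <path-to-mongosync>` is the command that checks the notarization ticket and could be mentioned alongside. The `codesign` line has no path argument as rendered, which looks like a lost placeholder; worth confirming in the source.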
@@ -0,0 +1,54 @@
+.. _db-tools-verify-signatures-rpm:
+
+==========================
+Verify RPM Packages (RHEL)
+==========================
+
+.. contents:: On this page
+ :local:
+ :backlinks: none
+ :depth: 1
+ :class: singlecol
+
+.. facet::
+ :name: genre
+ :values: tutorial
+
+.. include:: /includes/verify-signatures-intro.rst
+
+This page describes how to verify ``.rpm`` packages on RHEL operating
+systems.
+
+Before you Begin
+----------------
+
+.. include:: /includes/verify-signatures-before-you-begin.rst
+
+Steps
+-----
+
+.. procedure::
+ :style: normal
+
+ .. step:: Import the MongoDB Server Tools public key in gpg and rpm
+
+ .. code-block:: sh
+
+ curl https://pgp.mongodb.com/server-Tools.asc | gpg --import
+
+ rpm --import https://pgp.mongodb.com/server-Tools.asc
+
+ .. include:: /includes/verification-gpg-results.rst
+
+ .. step:: Verify the rpm file
+
+ .. code-block:: sh
+
+ rpm --checksig
+
+ If the file is signed, the command returns:
+
+ .. code-block:: sh
+ :copyable: false
+
+ digests signatures OK
From 705211a5a54b095b4f8f1ff25b6b120af10e0322 Mon Sep 17 00:00:00 2001
From: jeff-allen-mongo
Date: Mon, 24 Mar 2025 15:08:47 -0400
Subject: [PATCH 3/6] fixes
---
 source/installation/verify.txt | 2 +-
 source/installation/verify/gpg.txt | 2 --
 2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/source/installation/verify.txt b/source/installation/verify.txt
index 58f98dd0d..302416499 100644
--- a/source/installation/verify.txt
+++ b/source/installation/verify.txt
@@ -16,7 +16,7 @@ Verify Integrity of mongosync Packages
 .. include:: /includes/verify-signatures-intro.rst
-To learn how to verify Database Tools packages, see the corresponding
+To learn how to verify ``mongosync`` packages, see the corresponding
 page for your verification method:
 - :ref:`c2c-verify-signatures-macos`
diff --git a/source/installation/verify/gpg.txt b/source/installation/verify/gpg.txt
index ca09b4ee1..58f570437 100644
--- a/source/installation/verify/gpg.txt
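Review bot: `rpm --checksig` prints `digests signatures OK` for a package signed by any key present in rpm's keyring, and the "Verify the rpm file" step never shows the reader which key that was. Use the verbose form, `rpm --checksig -v <package.rpm>`, whose output names the signing key ID, and add a sentence asking the reader to confirm it is the key imported in step 1 (`3132835C1D925D5B` in the included gpg output; rpm prints the short form). The `gpg --import` in step 1 is not consulted by `rpm --checksig`, which only reads keys added with `rpm --import`, so if it is kept only so that `verification-gpg-results.rst` applies, a short note saying the rpm import is the one that matters would stop readers wondering whether both are required. The `rpm --checksig` line has no file argument as rendered, which looks like a lost placeholder; worth confirming in the source.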
+++ b/source/installation/verify/gpg.txt
@@ -43,8 +43,6 @@ Steps
 command, replacing the placeholder values with your platform,
 architecture, and ``mongosync`` version:
-https://fastdl.mongodb.org/tools/mongosync/mongosync-amazon2-x86_64-1.12.0.tgz
-
 .. code-block:: sh
 curl -LO https://s3.amazonaws.com/downloads.mongodb.org/tools/mongosync/mongosync---.tgz.sig
From f9108e6332c8bad5fabfd7261d5d972f56c562bd Mon Sep 17 00:00:00 2001
From: jeff-allen-mongo
Date: Mon, 24 Mar 2025 15:09:52 -0400
Subject: [PATCH 4/6] edits
---
 source/installation/verify/gpg.txt | 4 ++--
 source/installation/verify/rpm.txt | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/source/installation/verify/gpg.txt b/source/installation/verify/gpg.txt
index 58f570437..138ad34fa 100644
--- a/source/installation/verify/gpg.txt
+++ b/source/installation/verify/gpg.txt
@@ -49,8 +49,8 @@ Steps
 .. example::
- The following URL contains the signature file for Database
- Tools on Amazon Linux 2, version {+version+}:
+ The following URL contains the signature file for ``mongosync``
+ on Amazon Linux 2, version {+version+}:
 ``https://s3.amazonaws.com/downloads.mongodb.org/tools/mongosync/mongosync-amazon2-x86_64-{+version+}.tgz.sig``
diff --git a/source/installation/verify/rpm.txt b/source/installation/verify/rpm.txt
index 233025259..aa48933d2 100644
--- a/source/installation/verify/rpm.txt
+++ b/source/installation/verify/rpm.txt
@@ -1,4 +1,4 @@
-.. _db-tools-verify-signatures-rpm:
+.. _c2c-verify-signatures-rpm:
 ==========================
 Verify RPM Packages (RHEL)
@@ -51,4 +51,4 @@ Steps
 .. code-block:: sh
 :copyable: false
- digests signatures OK
+ digests signatures OK
From a1072dfd599372c86afbc2d360cecfa94892df55 Mon Sep 17 00:00:00 2001
From: jeff-allen-mongo
Date: Mon, 24 Mar 2025 15:16:21 -0400
Subject: [PATCH 5/6] fix variable
---
 source/installation.txt | 2 +-
 source/installation/verify/gpg.txt | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/source/installation.txt b/source/installation.txt
index 3911b6a58..ebc3fe069 100644
--- a/source/installation.txt
+++ b/source/installation.txt
@@ -24,4 +24,4 @@ These documents provide instructions to install {+c2c-full-product-name+}.
 Linux
 macOS
- Verify Signature
+ Verify Packages
diff --git a/source/installation/verify/gpg.txt b/source/installation/verify/gpg.txt
index 138ad34fa..eaab3d91d 100644
--- a/source/installation/verify/gpg.txt
+++ b/source/installation/verify/gpg.txt
@@ -50,9 +50,9 @@ Steps
 .. example::
 The following URL contains the signature file for ``mongosync``
- on Amazon Linux 2, version {+version+}:
+ on Amazon Linux 2, version {+latest-version+}:
- ``https://s3.amazonaws.com/downloads.mongodb.org/tools/mongosync/mongosync-amazon2-x86_64-{+version+}.tgz.sig``
+ ``https://s3.amazonaws.com/downloads.mongodb.org/tools/mongosync/mongosync-amazon2-x86_64-{+latest-version+}.tgz.sig``
 .. step:: Verify the package
From 453ed5691d9d4672f0ffe8e664449a3b28b1624a Mon Sep 17 00:00:00 2001
From: jeff-allen-mongo
Date: Tue, 25 Mar 2025 11:31:46 -0400
Subject: [PATCH 6/6] review feedback
---
 source/includes/verify-signatures-intro.rst | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/source/includes/verify-signatures-intro.rst b/source/includes/verify-signatures-intro.rst
index 30977997c..05cffc2b1 100644
--- a/source/includes/verify-signatures-intro.rst
+++ b/source/includes/verify-signatures-intro.rst
@@ -1,4 +1,4 @@
 The MongoDB release team digitally signs ``mongosync`` packages to
-certify that packages are a valid and unaltered MongoDB release. Before
-you install ``mongosync``, you can use the digital signature to validate
-the package.
+certify that the packages are a valid and unaltered MongoDB release.
+Before you install ``mongosync``, you can use the digital signature to
+validate the package.