Verify Integrity of MongoDB Packages
Overview
The MongoDB release team digitally signs all software packages to certify that a particular MongoDB package is a valid and unaltered MongoDB release.
Before installing MongoDB, you can validate packages using either a PGP signature or the MD5 and SHA checksums of the MongoDB packages. The PGP signature stores a signed hash of the software package, which you can validate to ensure that the package you have is consistent with the official package release. MongoDB also publishes MD5 and SHA hashes of the official packages that you can use to confirm that you have a valid package.
Considerations
MongoDB signs each release branch with a different PGP key.
The public .asc and .pub key files for each branch are available for download. For example, the 2.2 keys are available at the following URLs:
https://www.mongodb.org/static/pgp/server-2.2.asc
https://www.mongodb.org/static/pgp/server-2.2.pub
Replace 2.2 with the appropriate release number to download the public key for that branch. Keys are available for all MongoDB releases beginning with 2.2.
Procedures
Use PGP/GPG
Download the MongoDB installation file.
Download the binaries from https://www.mongodb.org/downloads based on your environment.
For example, to download the 2.6.0 release for OS X through the shell, type this command:
curl -LO http://downloads.mongodb.org/osx/mongodb-osx-x86_64-2.6.0.tgz
Download the public signature file.
curl -LO http://downloads.mongodb.org/osx/mongodb-osx-x86_64-2.6.0.tgz.sig
Download then import the key file.
If you have not downloaded and imported the key file, enter these commands:
curl -LO https://www.mongodb.org/static/pgp/server-2.6.asc
gpg --import server-2.6.asc
You should receive this message:
gpg: key AAB2461C: public key "MongoDB 2.6 Release Signing Key <packaging@mongodb.com>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
Verify the MongoDB installation file.
Type this command:
gpg --verify mongodb-osx-x86_64-2.6.0.tgz.sig mongodb-osx-x86_64-2.6.0.tgz
You should receive this message:
gpg: Signature made Thu Mar 6 15:11:28 2014 EST using RSA key ID AAB2461C
gpg: Good signature from "MongoDB 2.6 Release Signing Key <packaging@mongodb.com>"
Download and import the key file, as described above, if you receive a message like this one:
gpg: Signature made Thu Mar 6 15:11:28 2014 EST using RSA key ID AAB2461C
gpg: Can't check signature: public key not found
gpg will return the following message if the package is properly signed, but you do not currently trust the signing key in your local trustdb.
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DFFA 3DCF 326E 302C 4787 673A 01C4 E7FA AAB2 461C
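A "Good signature" line only says that some key in the local keyring made the signature, so a scripted check should also confirm which key it was. The following added example (not part of the MongoDB documentation) reads gpg's --status-fd output and accepts only the fingerprint printed above; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept a signature only from the pinned release key.
# Fingerprint as printed by gpg on this page, spaces removed.
EXPECTED_FPR="DFFA3DCF326E302C4787673A01C4E7FAAAB2461C"

# check_status FPR: read `gpg --status-fd` lines on stdin and succeed only if
# a VALIDSIG line names FPR as the signing key or as its primary key, and no
# BADSIG/ERRSIG line is present.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" {
            # Append "" to force string (not numeric) comparison.
            if (($3 "") == (want "") || ($NF "") == (want "")) ok = 1
        }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_release SIGFILE PACKAGE: run gpg and apply the check above.
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "$EXPECTED_FPR"
}

# Constructed status lines (timestamp is made up) for signing key $1.
sample_status() {
    cat <<EOF
[GNUPG:] GOODSIG 01C4E7FAAAB2461C MongoDB 2.6 Release Signing Key <packaging@mongodb.com>
[GNUPG:] VALIDSIG $1 2014-03-06 1394136688 0 4 0 1 2 00 $1
EOF
}

sample_status "$EXPECTED_FPR" | check_status "$EXPECTED_FPR" &&
    echo "signature is from the pinned key"
```

For the files on this page the call would be verify_release mongodb-osx-x86_64-2.6.0.tgz.sig mongodb-osx-x86_64-2.6.0.tgz.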
Use SHA
MongoDB provides checksums using both the SHA-1 and SHA-256 hash functions. You can use either, as you like.
Download the MongoDB installation file.
Download the binaries from https://www.mongodb.org/downloads based on your environment.
For example, to download the 2.6.3 release for OS X through the shell, type this command:
curl -LO http://downloads.mongodb.org/osx/mongodb-osx-x86_64-2.6.3.tgz
Download the SHA-1 and SHA-256 files.
curl -LO http://downloads.mongodb.org/osx/mongodb-osx-x86_64-2.6.3.tgz.sha1
curl -LO http://downloads.mongodb.org/osx/mongodb-osx-x86_64-2.6.3.tgz.sha256
Use the SHA-1 checksum to verify the MongoDB package file.
Compute the checksum of the package file:
shasum mongodb-osx-x86_64-2.6.3.tgz
which will generate this result:
fe511ee40428edda3a507f70d2b91d16b0483674 mongodb-osx-x86_64-2.6.3.tgz
Enter this command:
cat mongodb-osx-x86_64-2.6.3.tgz.sha1
which will generate this result:
fe511ee40428edda3a507f70d2b91d16b0483674 mongodb-osx-x86_64-2.6.3.tgz
The output of the shasum and cat commands should be identical.
Use the SHA-256 checksum to verify the MongoDB package file.
Compute the checksum of the package file:
shasum -a 256 mongodb-osx-x86_64-2.6.3.tgz
which will generate this result:
be3a5e9f4e9c8e954e9af7053776732387d2841a019185eaf2e52086d4d207a3 mongodb-osx-x86_64-2.6.3.tgz
Enter this command:
cat mongodb-osx-x86_64-2.6.3.tgz.sha256
which will generate this result:
be3a5e9f4e9c8e954e9af7053776732387d2841a019185eaf2e52086d4d207a3 mongodb-osx-x86_64-2.6.3.tgz
The output of the shasum and cat commands should be identical.
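Comparing the two outputs by eye is easy to get wrong, and curl -LO will save an HTML error page under the checksum file's name if the URL is wrong. The following added example (not from the MongoDB documentation) compares the digest programmatically and rejects a checksum file that does not start with a SHA-256 digest; the function names and the stand-in pkg.tgz sample are constructed.

```shell
#!/bin/sh
# Added example: compare a package against its published .sha256 file and
# fail closed on a mismatch or a malformed checksum file.

# sha256_of FILE: print the hex digest using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 PACKAGE SUMFILE: return 0 on match, 1 on mismatch, 2 if a
# file is missing or SUMFILE does not begin with a 64-digit hex string.
verify_sha256() {
    [ -f "$1" ] && [ -f "$2" ] || return 2
    want=$(awk 'NR == 1 {print tolower($1)}' "$2")
    # Reject anything that is not a digest, such as an HTML error page
    # saved in place of the checksum file.
    case "$want" in
        *[!0-9a-f]*|"") return 2 ;;
    esac
    [ "${#want}" -eq 64 ] || return 2
    got=$(sha256_of "$1")
    [ "$got" = "$want" ]
}

# Constructed sample: a three-byte stand-in package ("abc") and a checksum
# file in the "digest  filename" layout shown above. The digest is the
# standard SHA-256 test vector for "abc".
make_sample() {
    dir=$(mktemp -d) || return 1
    printf 'abc' > "$dir/pkg.tgz"
    printf '%s  pkg.tgz\n' \
        ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad \
        > "$dir/pkg.tgz.sha256"
    echo "$dir"
}

demo=$(make_sample) &&
    verify_sha256 "$demo/pkg.tgz" "$demo/pkg.tgz.sha256" &&
    echo "checksum OK"
rm -rf "$demo"
```

For the files on this page the call would be verify_sha256 mongodb-osx-x86_64-2.6.3.tgz mongodb-osx-x86_64-2.6.3.tgz.sha256.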
Use MD5
Download the MongoDB installation file.
Download the binaries from https://www.mongodb.org/downloads based on your environment.
For example, to download the 2.6.0 release for OS X through the shell, type this command:
curl -LO http://downloads.mongodb.org/osx/mongodb-osx-x86_64-2.6.0.tgz
Download the MD5 file.
curl -LO http://downloads.mongodb.org/osx/mongodb-osx-x86_64-2.6.0.tgz.md5
Verify the checksum values for the MongoDB package file (Linux).
Compute the checksum of the package file:
md5 mongodb-linux-x86_64-2.6.0.tgz
which will generate this result:
MD5 (mongodb-linux-x86_64-2.6.0.tgz) = a937d49881f90e1a024b58d642011dc4
Enter this command:
cat mongodb-linux-x86_64-2.6.0.tgz.md5
which will generate this result:
a937d49881f90e1a024b58d642011dc4
The output of the md5 and cat commands should be identical.
Verify the MongoDB installation file (OS X).
Check the package file against the checksum file:
md5sum -c mongodb-osx-x86_64-2.6.0.tgz.md5
which will generate this result:
mongodb-osx-x86_64-2.6.0-rc1.tgz ok