Merge pull request #436 from kanchana-mongodb/DOCSP-40387

kanchana-mongodb · web-flow · commit 3c639d642a2c · 2024-07-09T12:38:55.000-07:00
DOCSP-40387 Add Verification section to BI Connector installation pages
diff --git a/source/includes/steps-install-bi-connector-debian.yaml b/source/includes/steps-install-bi-connector-debian.yaml
@@ -6,6 +6,79 @@ source:
   ref: download-bi
 ---
 stepnum: 2
+title: Verify the integrity of the downloaded package.
+ref: verify-bi-debian-package
+level: 4
+content: |
+  The MongoDB release team digitally signs all software packages to
+  certify that a particular MongoDB package is a valid and unaltered
+  MongoDB release. The `bi-connector.asc` key to validate the BI
+  Connector is available on `pgp.mongodb.com <https://pgp.mongodb.com/bi-connector.asc>`__
+  as a PGP key in ``.asc`` format.  
+
+  a. Run the following command to download the ``.sig`` file.
+       
+     .. code-block:: sh 
+            
+        curl -LO https://info-mongodb-com.s3.amazonaws.com/mongodb-bi/v2/mongodb-bi-linux-{arch}-{platform}-{version}.tgz.sig
+
+     .. example:: 
+
+        .. code-block:: sj 
+           
+           https://info-mongodb-com.s3.amazonaws.com/mongodb-bi/v2/mongodb-bi-linux-x86_64-suse12-v2.14.14.tgz.sig
+
+  #. Run the following command to download the import the key file. 
+
+     .. io-code-block::
+        :copyable: true 
+
+        .. input:: 
+           :language: shell 
+
+           curl -LO https://pgp.mongodb.com/bi-connector.asc
+           gpg --import bi-connector.asc
+
+        .. output:: 
+           :language: shell 
+
+           gpg: key 1CCF1A1263CDD699: public key "MongoDB BI Connector Release Signing Key <packaging@mongodb.com>" imported
+           gpg: Total number processed: 1
+           gpg:               imported: 1
+
+  #. Run the following command to verify the MongoDB installation file.
+
+     .. code-block:: 
+        
+        gpg --verify tar -xvzf mongodb-bi-linux-{arch}-{platform}-{version}.tgz.sig tar -xvzf mongodb-bi-linux-{arch}-{platform}-{version}.tgz
+
+     GPG should return this response:
+
+     .. code-block:: shell
+
+        gpg: Signature made Thu Jun 13 10:17:03 2024 PDT
+        gpg:                using RSA key BD66803ABD3EB56953142EE51CCF1A1263CDD699
+        gpg: Good signature from "MongoDB BI Connector Release Signing Key <packaging@mongodb.com>" [unknown]
+
+     If the package is properly signed, but you do not currently trust
+     the signing key in your local ``trustdb``, ``gpg`` will also return
+     the following message: 
+
+     .. code-block:: shell 
+
+        gpg: WARNING: This key is not certified with a trusted signature!
+        gpg:          There is no indication that the signature belongs to the owner.
+        Primary key fingerprint: BD66 803A BD3E B569 5314  2EE5 1CCF 1A12 63CD D699
+
+     If you receive the following error message, confirm that you
+     imported the correct public key: 
+
+     .. code-block:: shell 
+
+        gpg: Can't check signature: public key not found
+
+---
+stepnum: 3
 title: Install the |bi|.
 ref: install-bi-debian
 level: 4
diff --git a/source/includes/steps-install-bi-connector-macos.yaml b/source/includes/steps-install-bi-connector-macos.yaml
@@ -6,6 +6,74 @@ source:
   ref: download-bi
 ---
 stepnum: 2
+title: Verify the integrity of the downloaded package.
+ref: verify-bi-mac-package
+level: 4
+content: |
+  The MongoDB release team digitally signs all software packages to
+  certify that a particular MongoDB package is a valid and unaltered
+  MongoDB release. The `bi-connector.asc` key to validate the BI
+  Connector is available on `pgp.mongodb.com <https://pgp.mongodb.com/bi-connector.asc>`__ 
+  as a PGP key in ``.asc`` format.  
+
+  a. Run the following command to downloaded the ``.sig`` file. 
+       
+     .. code-block:: sh 
+            
+        curl -LO https://info-mongodb-com.s3.amazonaws.com/mongodb-bi/v2/mongodb-bi-osx-{x86_64|arm64-macos{11|13}}-{version}.zip.sig
+
+  #. Run the following command to download the import key file. 
+
+     .. io-code-block::
+        :copyable: true 
+
+        .. input:: 
+           :language: shell 
+
+           curl -LO https://pgp.mongodb.com/bi-connector.asc
+           gpg --import bi-connector.asc
+
+        .. output:: 
+           :language: shell 
+
+           gpg: key 1CCF1A1263CDD699: public key "MongoDB BI Connector Release Signing Key <packaging@mongodb.com>" imported
+           gpg: Total number processed: 1
+           gpg:               imported: 1
+
+  #. Run the following command to verify the MongoDB installation file.
+
+     .. code-block:: shell
+        
+        gpg --verify mongodb-bi-osx-{x86_64|arm64-macos{11|13}}-{version}.zip.sig mongodb-bi-osx-{x86_64|arm64-macos{11|13}}-{version}.zip
+        
+
+     GPG should return this response:
+
+     .. code-block:: shell
+
+        gpg: Signature made Thu Jun 13 10:17:03 2024 PDT
+        gpg:                using RSA key BD66803ABD3EB56953142EE51CCF1A1263CDD699
+        gpg: Good signature from "MongoDB BI Connector Release Signing Key <packaging@mongodb.com>" [unknown]
+
+     If the package is properly signed, but you do not currently trust
+     the signing key in your local ``trustdb``, ``gpg`` will also return
+     the following message: 
+
+     .. code-block:: shell 
+
+        gpg: WARNING: This key is not certified with a trusted signature!
+        gpg:          There is no indication that the signature belongs to the owner.
+        Primary key fingerprint: BD66 803A BD3E B569 5314  2EE5 1CCF 1A12 63CD D699
+
+     If you receive the following error message, confirm that you
+     imported the correct public key: 
+
+     .. code-block:: shell 
+
+        gpg: Can't check signature: public key not found
+
+---
+stepnum: 3
 title: Install the |bi|.
 ref: install-bi-mac
 level: 4
@@ -19,15 +87,15 @@ content: |
      
      .. code-block:: sh
 
-        unzip {SOURCE-PATH}/mongodb-bi-osx-x86_64-{version}.zip -d {DESTINATION-PATH}
+        unzip {SOURCE-PATH}/mongodb-bi-osx-{x86_64|arm64-macos{11|13}}-{version}.zip -d {DESTINATION-PATH}
 
-  b. Change to the ``mongodb-bi-osx-x86_64-{version}`` directory.
+  b. Change to the ``mongodb-bi-osx-{x86_64|arm64-macos{11|13}}-{version}`` directory.
      Replace {DESTINATION-PATH} with the path to the directory
      where you extracted the archive in the previous step.
 
      .. code-block:: sh
 
-        cd {DESTINATION-PATH}/mongodb-bi-osx-x86_64-{version}/
+        cd {DESTINATION-PATH}/mongodb-bi-osx-{x86_64|arm64-macos{11|13}}-{version}/
   
   c. Install the programs within the ``bin/`` directory into a directory
      listed in your system ``PATH``. If a prior version exists, 
diff --git a/source/includes/steps-install-bi-connector-rhel.yaml b/source/includes/steps-install-bi-connector-rhel.yaml
@@ -6,6 +6,79 @@ source:
   ref: download-bi
 ---
 stepnum: 2
+title: Verify the integrity of the downloaded package.
+ref: verify-bi-rhel-package
+level: 4
+content: |
+  The MongoDB release team digitally signs all software packages to
+  certify that a particular MongoDB package is a valid and unaltered
+  MongoDB release. The `bi-connector.asc` key to validate the BI
+  Connector is available on `pgp.mongodb.com
+  <https://pgp.mongodb.com/bi-connector.asc>`__ as a PGP key in ``.asc`` format.  
+
+  a. Run the following command to downloaded the ``.sig`` file.
+       
+     .. code-block:: sh 
+            
+        curl -LO https://info-mongodb-com.s3.amazonaws.com/mongodb-bi/v2/mongodb-bi-linux-{arch}-{platform}-{version}.tgz.sig
+
+     .. example:: 
+
+        .. code-block:: sh
+
+           https://info-mongodb-com.s3.amazonaws.com/mongodb-bi/v2/mongodb-bi-linux-x86_64-rhel90-v2.14.14.tgz.sig
+
+  #. Run the following command to download the import the key file. 
+
+     .. io-code-block::
+        :copyable: true 
+
+        .. input:: 
+           :language: shell 
+
+           curl -LO https://pgp.mongodb.com/bi-connector.asc
+           gpg --import bi-connector.asc
+
+        .. output:: 
+           :language: shell 
+
+           gpg: key 1CCF1A1263CDD699: public key "MongoDB BI Connector Release Signing Key <packaging@mongodb.com>" imported
+           gpg: Total number processed: 1
+           gpg:               imported: 1
+
+  #. Run the following command to verify the MongoDB installation file.
+
+     .. code-block:: 
+        
+        gpg --verify tar -xvzf mongodb-bi-linux-{arch}-{platform}-{version}.tgz.sig tar -xvzf mongodb-bi-linux-{arch}-{platform}-{version}.tgz
+
+     GPG should return this response:
+
+     .. code-block:: shell
+
+        gpg: Signature made Thu Jun 13 10:17:03 2024 PDT
+        gpg:                using RSA key BD66803ABD3EB56953142EE51CCF1A1263CDD699
+        gpg: Good signature from "MongoDB BI Connector Release Signing Key <packaging@mongodb.com>" [unknown]
+
+     If the package is properly signed, but you do not currently trust
+     the signing key in your local ``trustdb``, ``gpg`` will also return
+     the following message: 
+
+     .. code-block:: shell 
+
+        gpg: WARNING: This key is not certified with a trusted signature!
+        gpg:          There is no indication that the signature belongs to the owner.
+        Primary key fingerprint: BD66 803A BD3E B569 5314  2EE5 1CCF 1A12 63CD D699
+
+     If you receive the following error message, confirm that you
+     imported the correct public key: 
+
+     .. code-block:: shell 
+
+        gpg: Can't check signature: public key not found
+
+---
+stepnum: 3
 title: Install the |bi|.
 ref: install-bi-server
 level: 4
diff --git a/source/includes/steps-install-bi-connector-windows.yaml b/source/includes/steps-install-bi-connector-windows.yaml
@@ -6,6 +6,36 @@ source:
   ref: download-bi
 ---
 stepnum: 2
+title: Verify the integrity of the downloaded package.
+ref: verify-bi-windows-package
+level: 4
+content: |
+  The MongoDB release team digitally signs all software packages to
+  certify that a particular MongoDB package is a valid and unaltered
+  MongoDB release. Complete the following steps to verify the MongoDB
+  binary against its SHA256 key:
+
+  a. Download the ``.sha256`` file for Windows x64 from `BI Connector
+     Downloads page <https://www.mongodb.com/try/download/bi-connector/releases>`__. 
+  #. Compare the signature file to the MongoDB installer hash using the
+     following Powershell script:
+
+     .. code-block:: shell
+      
+        $sigHash = (Get-Content $Env:HomePath\Downloads\mongodb-bi-win32-x86_64-{version}.msi.sha256 | Out-String).SubString(0,64).ToUpper(); `
+        $fileHash = (Get-FileHash $Env:HomePath\Downloads\mongodb-bi-win32-x86_64-{version}.msi).Hash.Trim(); `
+        echo $sigHash; echo $fileHash; `
+        $sigHash -eq $fileHash
+
+     The command outputs three lines:
+
+     - A SHA256 hash that you downloaded directly from MongoDB.
+     - A SHA256 hash computed from the MongoDB binary you downloaded from MongoDB.
+     - A True or False result depending if the hashes match.
+
+     If the hashes match, the MongoDB binary is verified.
+---
+stepnum: 3
 title: Install the |bi|.
 ref: install-bi-windows
 level: 4
