DOCSP-45728-verify-packages (#191)

* DOCSP-45728-verify-packages

* build error

* first draft

* fix ref

* fix shell reference

* wording

* rework macos page

* title tweaks

* wording

* nit

Author: jeff-allen-mongo

snooty.toml

@@ -6,6 +6,7 @@ intersphinx = [ "https://www.mongodb.com/docs/manual/objects.inv",
 
 toc_landing_pages = [
    "/installation",
+   "/installation/verify",
    "/bsondump",
    "/mongodump",
    "/mongoexport",
@@ -88,4 +89,4 @@ targets = [
 variant = "warning"
 value = """\
         MongoDB Command Line Database Tool binaries are not supported or tested for use with non-genuine MongoDB deployments. While the tools may work on these deployments, compatibility is not guaranteed.
-        """
+        """

source/includes/verification-gpg-results.rst

@@ -0,0 +1,17 @@
+If the key imports successfully, the command returns:
+
+.. code-block:: sh
+   :copyable: false
+
+   gpg: key 3132835C1D925D5B: public key "MongoDB CLI Tools Release Signing Key <[email protected]>" imported
+   gpg: Total number processed: 1
+   gpg:               imported: 1
+
+If you have previously imported the key, the command returns:
+
+.. code-block:: sh
+   :copyable: false
+
+   gpg: key 3132835C1D925D5B: "MongoDB CLI Tools Release Signing Key <[email protected]>" not changed
+   gpg: Total number processed: 1
+   gpg:              unchanged: 1

source/includes/verify-signatures-before-you-begin.rst

@@ -0,0 +1,3 @@
+If you don't have the MongoDB Database Tools installed, download the
+Database Tools binaries from the `Download Center
+<https://www.mongodb.com/try/download/database-tools?jmp=docs>`__.

source/includes/verify-signatures-intro.rst

@@ -0,0 +1,4 @@
+The MongoDB release team digitally signs Database Tools packages to
+certify that packages are a valid and unaltered MongoDB release. Before
+you install the Database Tools, you can use the digital signature to
+validate the package.

source/installation.txt

@@ -76,4 +76,4 @@ platforms:
    Install on Linux </installation/installation-linux>
    Install on macOS </installation/installation-macos>
    Install on Windows </installation/installation-windows>
-   
+   Verify Packages </installation/verify>

source/installation/verify.txt

@@ -0,0 +1,36 @@
+.. _db-tools-verify-packages:
+
+===========================================
+Verify Integrity of Database Tools Packages
+===========================================
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 1
+   :class: singlecol
+
+.. facet::
+   :name: genre
+   :values: tutorial
+
+.. include:: /includes/verify-signatures-intro.rst
+
+To learn how to verify Database Tools packages, see the corresponding
+page for your verification method:
+
+- :ref:`db-tools-verify-signatures-macos`
+
+- :ref:`db-tools-verify-signatures-gpg`
+
+- :ref:`db-tools-verify-signatures-rpm`
+
+- :ref:`db-tools-verify-signatures-windows`
+
+.. toctree::
+   :titlesonly:
+
+   macOS </installation/verify/macos>
+   Linux </installation/verify/gpg>
+   RHEL </installation/verify/rpm>
+   Windows </installation/verify/windows>

source/installation/verify/gpg.txt

@@ -0,0 +1,89 @@
+.. _db-tools-verify-signatures-gpg:
+
+================================
+Verify Packages with GPG (Linux)
+================================
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 1
+   :class: singlecol
+
+.. facet::
+   :name: genre
+   :values: tutorial
+
+.. include:: /includes/verify-signatures-intro.rst
+
+This page describes how to use GPG to verify Linux packages.
+
+Before you Begin
+----------------
+
+.. include:: /includes/verify-signatures-before-you-begin.rst
+
+Steps
+-----
+
+.. procedure::
+   :style: normal
+
+   .. step:: Import the MongoDB Database Tools public key
+
+      .. code-block:: sh
+
+         curl https://pgp.mongodb.com/server-Tools.asc | gpg --import
+
+      .. include:: /includes/verification-gpg-results.rst
+
+   .. step:: Download the MongoDB Database Tools public signature
+
+      To download the Database Tools public signature, run the following
+      command, replacing the placeholder values with your platform,
+      architecture, and Database Tools version:
+
+      .. code-block:: sh
+
+         curl -LO https://s3.amazonaws.com/downloads.mongodb.org/tools/db/mongodb-database-tools-<platform>-<architecture>-<version>.tgz.sig
+         
+      .. example::
+
+         The following URL contains the signature file for Database
+         Tools on Amazon Linux 2, version {+release+}:
+
+         ``https://s3.amazonaws.com/downloads.mongodb.org/tools/db/mongodb-database-tools-amazon2-x86_64-{+release+}.tgz.sig``
+
+   .. step:: Verify the package
+
+      .. code-block:: sh
+
+         gpg --verify <path_to_signature_file> <path_to_db_tools_executable>
+
+      If the package is signed by MongoDB, the command returns:
+      
+      .. code-block:: sh
+         :copyable: false
+
+         gpg: Signature made Wed 19 Feb 2025 02:19:15 PM EST
+         gpg:                using RSA key D4E45C292A5C94962F0D10E13132835C1D925D5B
+         gpg: Good signature from "MongoDB CLI Tools Release Signing Key <[email protected]>" [unknown]
+         
+      If the package is signed but the signing key is not added to your
+      local ``trustdb``, the command returns:
+
+      .. code-block:: sh
+         :copyable: false
+
+         gpg: WARNING: This key is not certified with a trusted signature!
+         gpg:          There is no indication that the signature belongs to the owner.
+         
+      If the package is not properly signed, the command returns an
+      error message:
+
+      .. code-block:: sh
+         :copyable: false
+
+         gpg: Signature made Wed 19 Feb 2025 02:19:15 PM EST
+         gpg:                using RSA key D4E45C292A5C94962F0D10E13132835C1D925D5B
+         gpg: BAD signature from "MongoDB CLI Tools Release Signing Key <[email protected]>" [unknown]

source/installation/verify/macos.txt

@@ -0,0 +1,52 @@
+.. _db-tools-verify-signatures-macos:
+
+=====================
+Verify macOS Binaries
+=====================
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 1
+   :class: singlecol
+
+.. facet::
+   :name: genre
+   :values: tutorial
+
+.. include:: /includes/verify-signatures-intro.rst
+
+The Database Tools ``.zip`` download for macOS is notarized. This page
+describes how to use ``codesign`` to verify the integrity of individual
+Database Tools binaries.
+
+Before you Begin
+----------------
+
+.. include:: /includes/verify-signatures-before-you-begin.rst
+
+Steps
+-----
+
+To verify a Database Tools binary, run:
+
+.. code-block:: sh
+
+   codesign -dv --verbose=4 <path_to_binary>
+
+For example, the following command verifies the ``mongorestore`` binary
+in the ``/usr/local/bin/`` folder:
+
+.. code-block:: sh
+
+   codesign -dv --verbose=4 /usr/local/bin/mongorestore
+
+If the binary is signed by MongoDB, the output includes the following
+information:
+
+.. code-block:: sh
+   :copyable: false
+
+   Authority=Developer ID Application: MongoDB, Inc. (4XWMY46275)
+   Authority=Developer ID Certification Authority
+   Authority=Apple Root CA

source/installation/verify/rpm.txt

@@ -0,0 +1,54 @@
+.. _db-tools-verify-signatures-rpm:
+
+==========================
+Verify RPM Packages (RHEL)
+==========================
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 1
+   :class: singlecol
+
+.. facet::
+   :name: genre
+   :values: tutorial
+
+.. include:: /includes/verify-signatures-intro.rst
+
+This page describes how to verify ``.rpm`` packages on RHEL operating
+systems.
+
+Before you Begin
+----------------
+
+.. include:: /includes/verify-signatures-before-you-begin.rst
+
+Steps
+-----
+
+.. procedure::
+   :style: normal
+
+   .. step:: Import the MongoDB Database Tools public key in gpg and rpm
+
+      .. code-block:: sh
+
+         curl https://pgp.mongodb.com/server-Tools.asc | gpg --import
+         
+         rpm --import https://pgp.mongodb.com/server-Tools.asc
+
+      .. include:: /includes/verification-gpg-results.rst
+
+   .. step:: Verify the rpm file
+
+      .. code-block:: sh
+
+         rpm --checksig <path_to_db_tools_rpm_file>
+
+      If the file is signed, the command returns:
+
+      .. code-block:: sh
+         :copyable: false
+
+         <path_to_db_tools_rpm_file> digests signatures OK

source/installation/verify/windows.txt

@@ -0,0 +1,82 @@
+.. _db-tools-verify-signatures-windows:
+
+=======================
+Verify Windows Packages
+=======================
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 2
+   :class: singlecol
+
+.. facet::
+   :name: genre
+   :values: tutorial
+
+.. include:: /includes/verify-signatures-intro.rst
+
+This page describes how to verify Windows ``.msi`` packages.
+
+Before you Begin
+----------------
+
+.. include:: /includes/verify-signatures-before-you-begin.rst
+
+Steps
+-----
+
+To verify the Database Tools package on Windows, you can use one of these
+methods:
+
+- :ref:`db-tools-verify-signatures-windows-command-line`
+
+- :ref:`db-tools-verify-signatures-windows-check-properties`
+
+.. _db-tools-verify-signatures-windows-command-line:
+
+Verify Packages with PowerShell
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+To verify Windows packages with PowerShell, run:
+
+.. code-block:: sh
+
+   powershell Get-AuthenticodeSignature -FilePath <path_to_db_tools_msi>
+   
+If the package is signed, the command returns:
+
+.. code-block:: sh
+   :copyable: false
+
+   SignerCertificate     Status     Path                               
+   -----------------     ------     ----
+   A5BBE2A6DA1D2A...     Valid      <path_to_db_tools_msi>
+   
+.. _db-tools-verify-signatures-windows-check-properties:
+
+Verify Packages by Checking Properties
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. procedure::
+   :style: normal
+
+   .. step:: Open the properties for your Database Tools package
+
+   .. step:: Check the package's digital signatures
+
+      In the properties window, open the :guilabel:`Digital Signatures`
+      tab.
+
+      If the package is properly signed, the Embedded Signatures show
+      these properties:
+
+      .. list-table::
+         :header-rows: 1
+      
+         * - Name of signer
+           - Digest algorithm
+           - Timestamp
+         * - MongoDB, Inc.
+           - sha256
+           - <Timestamp>