(DOCSP-36718) Confirm signatures on Atlas CLI packages (#304) (#341)

sarahsimpers · web-flow · commit bbb682ca20ff · 2024-03-28T08:34:57.000-04:00
* (DOCSP-36718) Confirm signatures on Atlas CLI packages * Adds page to TOC and install page * Edits * Adds Docker steps * Adds Windows steps * Release notes, small edits * Updates windows steps * cleanup * Copy review changes * Copy review changes
diff --git a/source/atlas-cli-changelog.txt b/source/atlas-cli-changelog.txt
@@ -76,6 +76,10 @@ Released 8 February 2024
 - Adds support for :ref:`{+avs+} for Local Deployments 
   <atlas-cli-deploy-fts>`.
 - Adds support to rename teams.
+- :ref:`Signs the Linux binaries <verify-packages-linux>` with PGP.
+- :ref:`Signs the Windows binaries <verify-packages-windows>` with
+  garasign.
+- :ref:`Signs the Docker image <verify-packages-docker>` with Cosign.
 
 .. _atlas-cli-1.14.2:
 
diff --git a/source/install-atlas-cli.txt b/source/install-atlas-cli.txt
@@ -21,6 +21,8 @@ Install or Update the {+atlas-cli+}
 Install the {+atlas-cli+} to quickly provision and manage |service|
 {+database-deployments+} from the terminal.
 
+To verify packages before installation, see :ref:`verify-packages`.
+
 Install the {+atlas-cli+}
 -------------------------
 
@@ -637,3 +639,4 @@ Take the Next Steps
    :titlesonly:
 
    /compatibility
+   Verify Packages </verify-packages>
diff --git a/source/verify-packages.txt b/source/verify-packages.txt
@@ -0,0 +1,248 @@
+.. _verify-packages:
+
+==============================================
+Verify the Integrity of {+atlas-cli+} Packages
+==============================================
+
+.. default-domain:: mongodb
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 1
+   :class: singlecol
+
+.. facet::
+   :name: genre
+   :values: tutorial
+
+The {+atlas-cli+} release team digitally signs all software packages and
+container images to certify that a particular package is valid and
+unaltered. Before you install the {+atlas-cli+} packages for Linux,
+Windows, or Docker, you should validate the 
+package using the provided PGP signature, SHA-256 checksum, or 
+`Cosign <https://github.com/sigstore/cosign>`__ information.
+
+.. _verify-packages-linux:
+
+Verify Linux Packages
+---------------------
+
+MongoDB signs each release branch with a different PGP key. The public 
+key files for the lastest {+atlas-cli+} release is available for
+download from the `key server <https://pgp.mongodb.com/>`_. 
+
+The following procedure verifies the {+atlas-cli+} package against its 
+PGP key.
+
+.. procedure::
+   :style: normal
+
+   .. step:: Download the {+atlas-cli+} installation file.
+
+      Download the {+atlas-cli+} binaries from the 
+      `MongoDB Download Center
+      <https://www.mongodb.com/try/download/atlascli>`__
+      based on your Linux environment. Click :guilabel:`Copy link` and
+      use the URL in the following instructions.
+
+      For example, to download the ``{+atlas-cli-version+}`` release
+      for Linux through the shell, run the following command:
+
+      .. code-block::
+
+         curl -LO https://fastdl.mongodb.org/mongocli/mongodb-atlas-cli_{+atlas-cli-version+}_linux_x86_64.tar.gz
+
+   .. step:: Download the public signature file.
+
+      Run the following command to download the file:
+
+      .. code-block::
+
+         curl -LO https://fastdl.mongodb.org/mongocli/mongodb-atlas-cli_{+atlas-cli-version+}_linux_x86_64.tar.gz.sig
+
+   .. step:: Download and import the key file.
+
+      Run the following command to download and import the key file:
+
+      .. io-code-block::
+         :copyable: true
+
+         .. input::
+
+            curl -LO https://pgp.mongodb.com/atlas-cli.asc
+            gpg --import atlas-cli.asc
+            
+         .. output::
+
+            gpg: key <key-value-short>: public key "Atlas CLI Release Signing Key <packaging@mongodb.com>" imported
+            gpg: Total number processed: 1
+            gpg:               imported: 1
+
+   .. step:: Verify the {+atlas-cli+} installation file.
+
+      Run the following command to verify the installation file:
+
+      .. io-code-block::
+         :copyable: true
+
+         .. input::
+
+            gpg --verify mongodb-atlas-cli_{+atlas-cli-version+}_linux_x86_64.tar.gz.sig mongodb-atlas-cli_{+atlas-cli-version+}_linux_x86_64.tar.gz
+            
+         .. output::
+
+            gpg: Signature made Thu Mar 14 08:25:00 2024 EDT
+            gpg:                using RSA key <key-value-long>
+            gpg: Good signature from "Atlas CLI Release Signing Key <packaging@mongodb.com>" [unknown]
+
+      If the package is properly signed, but you don't currently trust
+      the signing key, ``gpg`` also returns the following message :
+
+      .. code-block::
+
+         gpg: WARNING: This key is not certified with a trusted signature!
+         gpg:          There is no indication that the signature belongs to the owner.
+
+.. _verify-packages-windows:
+
+Verify Windows Packages
+-----------------------
+
+The following procedure verifies the {+atlas-cli+} package against its 
+SHA-256 key.
+
+.. procedure::
+   :style: normal
+
+   .. step:: Download the {+atlas-cli+} installation file.
+
+      Download the {+atlas-cli+} ``.msi`` or ``.zip`` file from the 
+      `MongoDB Download Center
+      <https://www.mongodb.com/try/download/atlascli>`__ or 
+      `Github <https://github.com/mongodb/mongodb-atlas-cli/releases>`__.
+
+   .. step:: Save the public signature.
+
+      a. Download the ``checksums.txt`` file for the
+         release from `Github 
+         <https://github.com/mongodb/mongodb-atlas-cli/releases>`__,
+         which contains the SHA-256 key for each file. For example, for
+         version {+atlas-cli-version+},
+         download the `{+atlas-cli-version+} checksums.txt file
+         <https://github.com/mongodb/mongodb-atlas-cli/releases/download/atlascli%2Fv{+atlas-cli-version+}/checksums.txt>`__.
+      #. Open the ``checksums.txt`` file and copy the text listed to
+         the left of the package you downloaded.
+         For example, if you downloaded ``mongodb-atlas-cli_{+atlas-cli-version+}_windows_x86_64.zip``, 
+         copy the text to the left of
+         ``mongodb-atlas-cli_{+atlas-cli-version+}_windows_x86_64.zip``.
+         This value is the SHA-256 key value.
+      #. Save the SHA-256 key value in a ``.txt`` file named ``atlas-cli-key``
+         in your Downloads folder.
+
+   .. step:: Compare the signature file to the {+atlas-cli+} installer hash.
+
+      Run the Powershell command to verify the package based on the
+      file you downloaded. 
+      
+      If you downloaded 
+      ``mongodb-atlas-cli_{+atlas-cli-version+}_windows_x86_64.zip``,
+      run the following command:
+
+      .. io-code-block::
+         :copyable: true
+
+         .. input::
+
+            $sigHash = (Get-Content $Env:HomePath\Downloads\atlas-cli-key.txt | Out-String).SubString(0,64).ToUpper(); `
+            $fileHash = (Get-FileHash $Env:HomePath\Downloads\mongodb-atlas-cli_{+atlas-cli-version+}_windows_x86_64.zip).Hash.Trim(); `
+            echo $sigHash; echo $fileHash; `
+            $sigHash -eq $fileHash
+
+         .. output::
+
+            <key-value-from-signature-file>
+            <key-value-from-downloaded-package>
+            True
+
+      If you downloaded 
+      ``mongodb-atlas-cli_{+atlas-cli-version+}_windows_x86_64.msi``,
+      run the following command:
+
+      .. io-code-block::
+         :copyable: true
+
+         .. input::
+
+            $sigHash = (Get-Content $Env:HomePath\Downloads\atlas-cli-key.txt | Out-String).SubString(0,64).ToUpper(); `
+            $fileHash = (Get-FileHash $Env:HomePath\Downloads\mongodb-atlas-cli_{+atlas-cli-version+}_windows_x86_64.msi).Hash.Trim(); `
+            echo $sigHash; echo $fileHash; `
+            $sigHash -eq $fileHash
+
+         .. output::
+
+            <key-value-from-signature-file>
+            <key-value-from-downloaded-package>
+            True
+            
+      The command returns the key value from the signature file, the
+      key value from the downloaded package, and ``True`` if the two
+      values match.
+
+      If the two values match, the {+atlas-cli+} binary is verified.
+
+.. _verify-packages-docker:
+
+Verify Docker Container Images
+------------------------------
+
+You can use `Cosign <https://github.com/sigstore/cosign>`__ to verify
+MongoDB's signature for {+atlas-cli+} container images.
+
+To verify MongoDB's container signature, perform the following steps:
+
+.. procedure::
+   :style: normal
+
+   .. step:: Download and install Cosign.
+
+      **Example: MacOS**
+
+      .. code-block::
+
+         brew install cosign
+
+      For full installation instructions, see `Cosign 
+      <https://github.com/sigstore/cosign>`__.
+
+   .. step:: Download the {+atlas-cli+} container image's public key
+
+      .. code-block::
+
+         curl https://cosign.mongodb.com/atlas-cli.pem  > atlas-cli.pem
+
+   .. step:: Verify the signature.
+
+      Run the following command to verify the signature by tag:
+
+      .. io-code-block::
+         :copyable: true
+
+         .. input::
+            
+            COSIGN_REPOSITORY=docker.io/mongodb/signatures cosign verify --private-infrastructure --key=./atlas-cli.pem docker.io/mongodb/atlas:latest
+
+         .. output:: 
+
+            Verification for index.docker.io/mongodb/atlas:latest --
+            The following checks were performed on each of these signatures:
+            - The cosign claims were validated
+            - The signatures were verified against the specified public key
+
+            [{"critical":{"identity":{"docker-reference":"index.docker.io/mongodb/atlas"},"image":{"docker-manifest-digest":"sha256:<key-value>"},"type":"cosign container image signature"},"optional":null}]
+
+
+
+
+
+
