The MongoDB release team digitally signs MongoDB Compass packages to certify that packages are a valid and unaltered MongoDB release. Before you install MongoDB Compass, you can use the digital signature to validate the package.MongoDB发布团队对MongoDB Compass包进行数字签名,以证明该包是有效且未更改的MongoDB版本。在安装MongoDB Compass之前,您可以使用数字签名来验证包。
This page describes how to use GPG to verify packages.本页介绍如何使用GPG验证包。
Before you Begin开始之前
If you don't have MongoDB Compass installed, download the MongoDB Compass binary from the Download Center.如果您没有安装MongoDB Compass,请从下载中心下载MongoDB Compass二进制文件。
Steps步骤
Import the MongoDB Compass public key导入MongoDB Compass公钥
curl https://pgp.mongodb.com/compass.asc | gpg --importIf the key imports successfully, the command returns:如果键导入成功,则命令返回:
gpg: key CEED0419D361CB16: public key "MongoDB Compass Signing Key <compass@mongodb.com>" imported
gpg: Total number processed: 1
gpg: imported: 1If you have previously imported the key, the command returns:如果您之前已导入键,则命令返回:
gpg: key A8130EC3F9F5F923: "MongoDB Compass Signing Key <compass@mongodb.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1Download the MongoDB Compass public signature下载MongoDB Compass公共签名
To download the MongoDB Compass public signature, go to the Compass Releases page on GitHub and download the corresponding 要下载MongoDB Compass公共签名,请转到GitHub上的Compass发布页面,下载您的版本和变体的相应.sig file for your version and variant..sig文件。
For example, if you downloaded the 例如,如果您下载了mongodb-compass-1.46.10-darwin-x64.zip archive, download the mongodb-compass-1.46.10-darwin-x64.zip.sig signature.mongodb-compass-1.46.10-darwin-x64.zip存档,请下载mongodb-compass-1.46.10-darwin-x64.zip.sig签名。
Note
Make sure that you select the correct version in the GitHub releases page when you download the signature.下载签名时,请确保在GitHub发布页面中选择正确的版本。
Verify the package验证包裹
gpg --verify <path_to_signature_file> <path_to_compass_archive>If the package is signed by MongoDB, the command returns:如果包由MongoDB签名,则命令返回:
gpg: Signature made Mon Jan 22 10:22:53 2024 CET
gpg: using RSA key AB1B92FFBE0D3740425DAD16A8130EC3F9F5F923
gpg: Good signature from "MongoDB Compass Signing Key <compass@mongodb.com>" [unknown]If the package is signed but the signing key is not added to your local 如果包已签名,但签名键未添加到本地trustdb, the command returns:trustdb(信任数据库)中,则命令返回:
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.If the package is not signed properly, the command returns an error message:如果包没有正确签名,该命令将返回错误消息:
gpg: Signature made Mon Jan 22 10:22:53 2024 CET
gpg: using RSA key AB1B92FFBE0D3740425DAD16A8130EC3F9F5F923
gpg: BAD signature from "MongoDB Compass Signing Key <compass@mongodb.com>" [unknown]