DOCSP-40664-verify-signature #686
✅ Deploy Preview for docs-cluster-to-cluster-sync ready!
LGTM!
lgtm % one small nit and one question! ✅
@@ -0,0 +1,4 @@ | |||
The MongoDB release team digitally signs ``mongosync`` packages to | |||
certify that packages are a valid and unaltered MongoDB release. Before |
[nit] Should there be a "the" before "packages" ?
certify that packages are a valid and unaltered MongoDB release. Before | |
certify that the packages are a valid and unaltered MongoDB release. Before |
Agreed, updating.
gpg: Total number processed: 1 | ||
gpg: imported: 1 | ||
|
||
If you have previously imported the key, the command returns: |
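Review bot: the import step only shows "imported: 1", which confirms that a key was added to the local keyring, not that it is the genuine release key; before the reader continues to the verification step, the text should tell them to compare the fingerprint of the key they just imported (gpg --fingerprint on the key) against the fingerprint MongoDB publishes for the release signing key, and to stop if it differs.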
[praise] thanks for considering this condition!
gpg: using RSA key D4E45C292A5C94962F0D10E13132835C1D925D5B | ||
gpg: Good signature from "MongoDB CLI Tools Release Signing Key <[email protected]>" [unknown] | ||
|
||
If the package is signed but the signing key is not added to your |
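Review bot: "Good signature ... [unknown]" means the signature is cryptographically valid but gpg has no trust assigned to the key, so the text should say explicitly which value the reader must check by hand, namely that the key ID on the "using RSA key D4E45C292A5C94962F0D10E13132835C1D925D5B" line matches the published release-signing fingerprint, and should make clear that a valid signature from a key whose ID does not match is a failure even though gpg reports "Good signature".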
[question] What would cause the signing key to not be added to the local trustdb? Is there a case where users import the MDB Server Tools public key and it gets imported elsewhere?
Marking a key as trusted is a manual action that the person running gpg needs to take. By default, no keys are trusted. How would someone decide whether to trust a particular key? Uh .... you're supposed to meet up with people in person and verify their credentials and have them hand you their key. Seriously!
This is one reason why gpg is not a good choice for this sort of signature verification. Long-term, I'd love to see MongoDB move to a different key system that has a better story around trust and verification. The sigstore project looks promising, as does GitHub Attestations.
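The point made above, that gpg's trustdb is manual and that "Good signature" alone says nothing about whose key signed the package, is easiest to see with a verification step that ignores the trustdb and instead compares the signing key's fingerprint against one obtained out of band. The script below is an added example and is not part of the mongosync documentation or this PR; it assumes gpg 2.x is installed, uses placeholder file names, and uses the key ID quoted in the PR's sample output (D4E45C292A5C94962F0D10E13132835C1D925D5B) only as an illustration of an "expected" fingerprint.

```shell
#!/bin/sh
# Added example (not from the mongosync docs): verify a detached gpg signature
# on a package and require that the signing key's fingerprint equals one the
# reader obtained out of band, instead of relying on the gpg trustdb.
# Assumptions: gpg 2.x is installed; file names below are placeholders.

# verify_signed_package PACKAGE SIGNATURE EXPECTED_FINGERPRINT
# Returns 0 when the signature is valid AND made by the expected key,
#         1 when the signature is missing, bad, or the package was altered,
#         2 when the signature is valid but made by some other key.
verify_signed_package() {
    package=$1
    signature=$2
    expected_fpr=$3

    # --status-fd 1 makes gpg emit machine-readable lines on stdout, e.g.
    #   [GNUPG:] VALIDSIG <signing-key-fpr> <date> ... <primary-key-fpr>
    # The human-readable "Good signature ... [unknown]" goes to stderr and is
    # printed even for completely untrusted keys, so it is not what we test.
    status=$(gpg --batch --status-fd 1 --verify "$signature" "$package" 2>/dev/null) || {
        echo "signature verification failed for $package" >&2
        return 1
    }

    # Extract both the fingerprint of the key that made the signature ($3)
    # and the fingerprint of its primary key (last field): a vendor usually
    # publishes the primary key fingerprint, but may sign with a subkey.
    fprs=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3, $NF; exit }')
    if [ -z "$fprs" ]; then
        echo "no VALIDSIG status line: signature is not valid" >&2
        return 1
    fi
    signing_fpr=${fprs%% *}
    primary_fpr=${fprs##* }

    if [ "$signing_fpr" != "$expected_fpr" ] && [ "$primary_fpr" != "$expected_fpr" ]; then
        echo "signature is valid but made by key $primary_fpr, expected $expected_fpr" >&2
        return 2
    fi
    echo "signature on $package is valid and made by expected key $expected_fpr"
    return 0
}

# Usage (placeholder names; the fingerprint is the key ID quoted in the PR):
#   verify_signed_package mongosync.tgz mongosync.tgz.sig \
#       D4E45C292A5C94962F0D10E13132835C1D925D5B
```

The expected fingerprint is a parameter on purpose: it must come from somewhere other than the package download location (the vendor's documentation fetched over HTTPS, a previously pinned value in your build system), otherwise an attacker who can replace the package can replace the key too. Distinguishing return code 2 from 1 lets a pipeline report "wrong key" separately from "corrupted download", which are different incidents.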
Ahh gotcha! Wasn't super familiar with verification and whatnot, so this is helpful to know!
* WIP * DOCSP-40664-verify-package-signatures * fixes * edits * fix variable * review feedback (cherry picked from commit 5a55fdb)
💚 All backports created successfully
Questions? Please refer to the Backport tool documentation.
DESCRIPTION
Add instructions on how to verify mongosync binaries.
STAGING
Verify Integrity of mongosync Packages
(and sub-pages)
JIRA
https://jira.mongodb.org/browse/DOCSP-40664