Navigation
You were redirected from a different version of the documentation. Click here to go back.

Verify Integrity of Ops Manager Packages

Starting in Ops Manager 4.4.14, the MongoDB release team digitally signs Ops Manager packages to certify that they are valid and unaltered MongoDB releases. Before installing Ops Manager, validate the package using the provided PGP signature.

PGP signatures provide the strongest guarantees by checking both the authenticity and integrity of a file to prevent tampering.

Verify a deb Package

1

Download the latest version of the Ops Manager package.

  1. Open your preferred browser to visit the MongoDB Download Center on MongoDB.com.

    If you start on MongoDB.com instead of following the link above, click Get MongoDB, then select Ops Manager from the Tools menu.

  2. From the Platforms drop-down menu, click Ubuntu 18.04.

  3. From the Packages drop-down menu, click DEB for x86_64 architecture.

  4. Click Download.

    The downloaded package is named mongodb-mms-<version>.x86_64.deb, where <version> is the version number.

2

Use cURL to download the public key file from MongoDB.

curl -O https://www.mongodb.org/static/pgp/opsmanager-4.4.asc
3

Use cURL to download the public signature file from MongoDB.

In the following command, replace <version> with the version of the Ops Manager package.

curl -O https://downloads.mongodb.com/on-prem-mms/deb/mongodb-mms-<version>_x86_64.deb.sig
4

Import the public key.

gpg --import opsmanager-4.4.asc
5

Verify the Ops Manager package integrity.

In the following command, replace <version> with the version of the Ops Manager package.

gpg --verify mongodb-mms-<version>_x86_64.deb.sig \
    mongodb-mms-<version>_x86_64.deb

When the package is successfully verified, you receive a response like the following:

gpg: Signature made Wed Jun 23 15:44:30 2021 UTC
gpg:                using RSA key 056AB6A90E47FE40
gpg: Good signature from "Ops Manager 4.4 Release Signing Key <packaging@mongodb.com>" [unknown]

If the package is properly signed, but you don’t currently trust the signing key in your local trustdb, gpg also returns the following message:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: D657 EF0E F51C 41B7 AE11  1CAF 056A B6A9 0E47 FE40

Verify an rpm Package

1

Download the latest version of the Ops Manager package.

  1. Open your preferred browser to visit the MongoDB Download Center on MongoDB.com.

    If you start on MongoDB.com instead of following the link above, click Get MongoDB, then select Ops Manager from the Tools menu.

  2. From the Platforms drop-down menu, click one of the following options:

    • Red Hat + CentOS 6, 7, 8 / SUSE 12 + 15 / Amazon Linux
    • Red Hat 7 (ppc64le) (stable releases only)
    • Red Hat 8 (ppc64le) (stable releases only)
  3. From the Packages drop-down menu, click RPM for x86_64 architecture or RPM (PPC64LE) for ppc64le architecture (RHEL 7 and 8 only) (stable releases only).

  4. Click Download.

    The downloaded package is named mongodb-mms-<version>.x86_64.rpm, where <version> is the version number.

2

Use cURL to download the public key file from MongoDB.

curl -O https://www.mongodb.org/static/pgp/opsmanager-4.4.asc
3

Import the public key.

sudo rpm --import opsmanager-4.4.asc
4

Verify the Ops Manager package integrity.

In the following command, replace:

  • <version> with the version of the Ops Manager package.
  • <architecture> with the CPU architecture for the package. This value must be either: x86_64 or ppc64le (RHEL 7 and 8 only).
sudo rpm -K mongodb-mms-<version>.<architecture>.rpm

When the package is successfully verified, you receive a response like the following:

mongodb-mms-<version.arch>.rpm: rsa sha1 (md5) pgp md5 OK

Verify a tar.gz Archive

1

Download the latest version of the Ops Manager archive.

  1. Open your preferred browser to visit the MongoDB Download Center on MongoDB.com.

    If start from MongoDB.com, lick Software arrow right icon Ops Manager arrow right icon Try it now.

  2. From the Version drop-down menu, click one of the provided stable versions.

  3. From the Platform drop-down menu, click one of the following options:

    • Red Hat + CentOS 6, 7, 8 / SUSE 12 + 15 / Amazon Linux 2
    • Red Hat 7 (ppc64le)
    • Debian 9, 10 / Ubuntu 18.04
  4. From the Package drop-down menu, click tar.gz for x86_64 architecture or tar.gz (ppc64le) for ppc64le architecture. (stable releases only)

  5. Click Download.

    The downloaded package is named mongodb-mms-<version>.x86_64.tar.gz, where <version> is the version number.

2

Use cURL to download the public key file from MongoDB.

curl -O https://www.mongodb.org/static/pgp/opsmanager-4.4.asc
3

Use cURL to download the public signature file from MongoDB.

In the following command, replace:

  • <version> with the version of the Ops Manager package.
  • <architecture> with the CPU architecture for the package. This value must be either: x86_64 or ppc64le (RHEL 7 and 8 only).
curl -O https://downloads.mongodb.com/on-prem-mms/tar/mongodb-mms-<version>.<architecture>.tar.gz.sig
4

Import the public key.

gpg --import opsmanager-4.4.asc
5

Verify the Ops Manager package integrity.

In the following command, replace:

  • <version> with the version of the Ops Manager package.
  • <architecture> with the CPU architecture for the package. This value must be either: x86_64 or ppc64le (RHEL 7 and 8 only).
gpg --verify mongodb-mms-<version>.<architecture>.tar.gz.sig \
    mongodb-mms-<version>.<architecture>.tar.gz

When the package is successfully verified, you receive a response like the following:

gpg: Signature made Wed Jun 23 15:44:30 2021 UTC
gpg:                using RSA key 056AB6A90E47FE40
gpg: Good signature from "Ops Manager 4.4 Release Signing Key <packaging@mongodb.com>" [unknown]

If the package is properly signed, but you don’t currently trust the signing key in your local trustdb, gpg also returns the following message:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: D657 EF0E F51C 41B7 AE11  1CAF 056A B6A9 0E47 FE40