From 4e5d73fee10ba2f139dcb46be014e61769fbb37a Mon Sep 17 00:00:00 2001 From: Anthony Sansone Date: Wed, 20 Jun 2018 01:14:54 -0500 Subject: [PATCH 1/3] (DOCS-10909): Added verification for Windows build. --- .../steps-install-verify-files-windows.yaml | 125 ++++++++++++++++++ source/tutorial/verify-mongodb-packages.txt | 31 +++-- 2 files changed, 143 insertions(+), 13 deletions(-) create mode 100644 source/includes/steps-install-verify-files-windows.yaml diff --git a/source/includes/steps-install-verify-files-windows.yaml b/source/includes/steps-install-verify-files-windows.yaml new file mode 100644 index 00000000000..9958ddea92c --- /dev/null +++ b/source/includes/steps-install-verify-files-windows.yaml 
@@ -0,0 +1,125 @@ +title: Download the Signature Check utility from Microsoft. +stepnum: 1 +level: 4 +ref: download-sigcheck +content: | + a. Visit the `Sigcheck utility page `__. + + b. Click the :guilabel:`Download Sigcheck` link. + + c. Unzip ``Sigcheck.zip``. + + d. Move the Sigcheck directory to an appropriate location on your + Windows host. + + For this tutorial, this location is + ``$Env:ProgramFiles\Sigcheck``. +--- +title: Download the MongoDB installation file. +stepnum: 2 +level: 4 +ref: download-install-file +content: | + Download the binaries from ``https://www.mongodb.org/downloads``. + + .. example:: + + To download the ``v3.4-latest`` release for Windows using + Powershell, invoke this command: + + .. code-block:: powershell + + Invoke-WebRequest -Uri "https://downloads.mongodb.org/win32/mongodb-win32-x86_64-2008plus-ssl-v3.4-latest-signed.msi" ` + -OutFile "$Env:HomePath\Downloads\mongodb-win32-x86_64-2008plus-ssl-v3.4-latest-signed.msi" + +--- +title: Download the public signature file. +stepnum: 3 +level: 4 +ref: download-sig-file +content: | + Download the ``md5`` from ``https://www.mongodb.org/downloads``. + + .. example:: + + To download the SHA256 signature for the ``v3.4-latest`` release + for Windows using Powershell, invoke this command: + + .. code-block:: powershell + + Invoke-WebRequest -Uri "https://downloads.mongodb.org/win32/mongodb-win32-x86_64-2008plus-ssl-v3.4-latest-signed.msi.sha256" ` + -OutFile "$Env:HomePath\Downloads\mongodb-win32-x86_64-2008plus-ssl-v3.4-latest-signed.msi.sha256" +--- +title: Verify the signature of the MongoDB installer. +stepnum: 4 +level: 4 +ref: verify-sig +content: | + + Invoke ``sigcheck``: + + .. code-block:: powershell + + $Env:ProgramFiles\Sigcheck\sigcheck64.exe ` + -h $Env:HomePath\Downloads\mongodb-win32-x86_64-2008plus-ssl-v3.4-latest-signed.msi + + ``sigcheck`` returns this verifcation information for the latest + release of MongoDB 3.4: + + .. 
code-block:: bat + :emphasize-lines: 19 + + Sigcheck v2.60 - File version and signature viewer + Copyright (C) 2004-2017 Mark Russinovich + Sysinternals - www.sysinternals.com + + $Env:HomePath\downloads\mongodb-win32-x86_64-2008plus-ssl-v3.4-latest-signed.msi: + Verified: Signed + Signing date: 12:34 AM 6/20/2018 + Publisher: MongoDB, Inc. + Company: n/a + Description: n/a + Product: n/a + Prod version: n/a + File version: n/a + MachineType: n/a + MD5: D7866C013989AEE2FA87774EFFF884F0 + SHA1: E5D7D78E8FFFF9CFF3BD605C3407A55F87F4C8DD + PESHA1: E5D7D78E8FFFF9CFF3BD605C3407A55F87F4C8DD + PE256: 8FE0670DF2AB74CCD33910C0AF2F000225BA2ED21330767D95E3F6DED96E6893 + SHA256: 8FE0670DF2AB74CCD33910C0AF2F000225BA2ED21330767D95E3F6DED96E6893 + IMP: n/a + +--- +title: Compare the Signature File to the MongoDB Installer Hash. +stepnum: 5 +level: 4 +ref: download-key-file +content: | + + To compare the signature file to the hash of the MongoDB binary, + invoke this Powershell script: + + .. code-block:: powershell + + $sigHash = (Get-Content $Env:HomePath\Downloads\mongodb-win32-x86_64-2008plus-ssl-v3.4-latest-signed.msi.sha256 | Out-String).SubString(0,64).ToUpper(); ` + $fileHash = (Format-Table -Property Hash -InputObject (Get-FileHash $Env:HomePath\Downloads\mongodb-win32-x86_64-2008plus-ssl-v3.4-latest-signed.msi) -hidetableheaders | Out-String).Trim(); ` + echo $sigHash; echo $fileHash; ` + $sigHash -eq $fileHash + + .. code-block:: bat + :emphasize-lines: 1-2 + + 8FE0670DF2AB74CCD33910C0AF2F000225BA2ED21330767D95E3F6DED96E6893 + 8FE0670DF2AB74CCD33910C0AF2F000225BA2ED21330767D95E3F6DED96E6893 + True + + The command outputs three lines: + + - An SHA256 hash that you downloaded directly from MongoDB. + - An SHA256 hash computed from the MongoDB binary you + downloaded from MongoDB. + - A ``True`` or ``False`` result depending if the hashes match. + + If hashes match, the MongoDB binary is verified. +... 
diff --git a/source/tutorial/verify-mongodb-packages.txt b/source/tutorial/verify-mongodb-packages.txt index a4ca2780f9d..7c8ab9b54f2 100644 --- a/source/tutorial/verify-mongodb-packages.txt +++ b/source/tutorial/verify-mongodb-packages.txt @@ -10,13 +10,10 @@ Verify Integrity of MongoDB Packages :depth: 1 :class: singlecol -Overview --------- - The MongoDB release team digitally signs all software packages to certify that a particular MongoDB package is a valid and unaltered -MongoDB release. Before installing MongoDB, you should validate the package -using either the provided PGP signature or SHA-256 checksum. +MongoDB release. Before installing MongoDB, you should validate the +package using either the provided PGP signature or SHA-256 checksum. PGP signatures provide the strongest guarantees by checking both the authenticity and integrity of a file to prevent tampering. 
@@ -24,20 +21,28 @@ authenticity and integrity of a file to prevent tampering. Cryptographic checksums only validate file integrity to prevent network transmission errors. -Procedures ----------- +Verify Linux/macOS Packages +--------------------------- Use PGP/GPG -+++++++++++ +~~~~~~~~~~~ -MongoDB signs each release branch with a different PGP key. The public key files -for each release branch since MongoDB 2.2 are available for download -from the `key server `_ in both textual -``.asc`` and binary ``.pub`` formats. +MongoDB signs each release branch with a different PGP key. The public +key files for each release branch since MongoDB 2.2 are available for +download from the `key server `_ +in both textual ``.asc`` and binary ``.pub`` formats. .. include:: /includes/steps/install-verify-files-pgp.rst Use SHA-256 -+++++++++++ +~~~~~~~~~~~ .. include:: /includes/steps/install-verify-files-sha.rst + +Verify Windows Packages +----------------------- + +This verifies the MongoDB binary against its SHA256 key. This tutorial +uses the latest release of MongoDB Community Edition 3.4. + +.. include:: /includes/steps/install-verify-files-windows.rst From 19a628ec627fca2a8014436ed85713846e00cb6d Mon Sep 17 00:00:00 2001 From: Anthony Sansone Date: Wed, 20 Jun 2018 12:20:03 -0500 Subject: [PATCH 2/3] Updated per @markbenvenuto review. --- source/includes/steps-install-verify-files-windows.yaml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/source/includes/steps-install-verify-files-windows.yaml b/source/includes/steps-install-verify-files-windows.yaml index 9958ddea92c..5871803c89f 100644 --- a/source/includes/steps-install-verify-files-windows.yaml +++ b/source/includes/steps-install-verify-files-windows.yaml 
@@ -63,7 +63,11 @@ content: | $Env:ProgramFiles\Sigcheck\sigcheck64.exe ` -h $Env:HomePath\Downloads\mongodb-win32-x86_64-2008plus-ssl-v3.4-latest-signed.msi - ``sigcheck`` returns this verifcation information for the latest + .. note:: + Click :guilabel:`Agree` to accept the + :abbr:`EULA (End User License Agreement)` when it displays. + + ``sigcheck`` returns this verification information for the latest release of MongoDB 3.4: .. code-block:: bat @@ -103,7 +107,7 @@ content: | .. code-block:: powershell $sigHash = (Get-Content $Env:HomePath\Downloads\mongodb-win32-x86_64-2008plus-ssl-v3.4-latest-signed.msi.sha256 | Out-String).SubString(0,64).ToUpper(); ` - $fileHash = (Format-Table -Property Hash -InputObject (Get-FileHash $Env:HomePath\Downloads\mongodb-win32-x86_64-2008plus-ssl-v3.4-latest-signed.msi) -hidetableheaders | Out-String).Trim(); ` + $fileHash = (Get-FileHash $Env:HomePath\Downloads\mongodb-win32-x86_64-2008plus-ssl-v3.4-latest-signed.msi).Hash.Trim(); ` echo $sigHash; echo $fileHash; ` $sigHash -eq $fileHash From 1d48a21928f72c052f8808084fac28067007006e Mon Sep 17 00:00:00 2001 From: Anthony Sansone Date: Thu, 21 Jun 2018 21:15:18 -0500 Subject: [PATCH 3/3] Updated per @jdestefano-mongo review. --- .../steps-install-verify-files-windows.yaml | 14 +++++++------- source/tutorial/verify-mongodb-packages.txt | 3 ++- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/source/includes/steps-install-verify-files-windows.yaml b/source/includes/steps-install-verify-files-windows.yaml index 5871803c89f..a40a5556f0c 100644 --- a/source/includes/steps-install-verify-files-windows.yaml +++ b/source/includes/steps-install-verify-files-windows.yaml @@ -1,4 +1,4 @@ -title: Download the Signature Check utility from Microsoft. +title: Download the Sigcheck utility from Microsoft. stepnum: 1 level: 4 ref: download-sigcheck @@ -56,7 +56,7 @@ level: 4 ref: verify-sig content: | - Invoke ``sigcheck``: + Invoke ``Sigcheck``: .. code-block:: powershell 
@@ -67,7 +67,7 @@ content: | Click :guilabel:`Agree` to accept the :abbr:`EULA (End User License Agreement)` when it displays. - ``sigcheck`` returns this verification information for the latest + ``Sigcheck`` returns this verification information for the latest release of MongoDB 3.4: .. code-block:: bat @@ -95,7 +95,7 @@ content: | IMP: n/a --- -title: Compare the Signature File to the MongoDB Installer Hash. +title: Compare the signature file to the MongoDB installer hash. stepnum: 5 level: 4 ref: download-key-file @@ -120,10 +120,10 @@ content: | The command outputs three lines: - - An SHA256 hash that you downloaded directly from MongoDB. - - An SHA256 hash computed from the MongoDB binary you + - A ``SHA256`` hash that you downloaded directly from MongoDB. + - A ``SHA256`` hash computed from the MongoDB binary you downloaded from MongoDB. - A ``True`` or ``False`` result depending if the hashes match. - If hashes match, the MongoDB binary is verified. + If the hashes match, the MongoDB binary is verified. ... diff --git a/source/tutorial/verify-mongodb-packages.txt b/source/tutorial/verify-mongodb-packages.txt index 7c8ab9b54f2..c6925d9e7a7 100644 --- a/source/tutorial/verify-mongodb-packages.txt +++ b/source/tutorial/verify-mongodb-packages.txt @@ -43,6 +43,7 @@ Verify Windows Packages ----------------------- This verifies the MongoDB binary against its SHA256 key. This tutorial -uses the latest release of MongoDB Community Edition 3.4. +uses the latest release of MongoDB Community Edition 3.4, but the +procedure works on all versions and editions. .. include:: /includes/steps/install-verify-files-windows.rst
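Review bot: in the new `steps-install-verify-files-windows.yaml`, the step 4 command `$Env:ProgramFiles\Sigcheck\sigcheck64.exe -h ...` will not run as written: a PowerShell statement that begins with a variable is parsed in expression mode, so the executable path must be invoked with the call operator, e.g. `& "$Env:ProgramFiles\Sigcheck\sigcheck64.exe" -h "$Env:USERPROFILE\Downloads\...-signed.msi"`. The same hunk uses `$Env:HomePath` throughout (steps 2, 3, 4 and 5); `HOMEPATH` normally has no drive letter (`\Users\name`), so the paths resolve against whatever the current drive is, and `$Env:USERPROFILE` is the safer choice. Two further points in this hunk: step 3 says "Download the ``md5``" while its title says "public signature file" and the command fetches the `.msi.sha256` checksum, so the text should say SHA-256 checksum file in both places; and the `:emphasize-lines: 19` in the Sigcheck output highlights only the SHA256 line, whereas the lines a reader must check for authenticity are `Verified: Signed` and `Publisher: MongoDB, Inc.` (lines 6 and 8), which deserve emphasis and a sentence telling the reader to stop if either differs.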
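Review bot: in the `@@ -24,20 +21,28 @@` hunk of `verify-mongodb-packages.txt`, "verifies the MongoDB binary against its SHA256 key" is the wrong term: a SHA-256 checksum is not a key, and the page itself states a few lines earlier that checksums only guard against transmission errors. Suggest wording that matches the two checks the included steps actually perform, e.g. "This procedure verifies the Authenticode signature on the Windows installer with Sigcheck and then compares the installer's SHA-256 checksum against the published `.sha256` file", so the reader knows the authenticity guarantee comes from the signature step, not the checksum comparison.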
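Review bot: in the `@@ -63,7 +63,11 @@` hunk, rather than telling the reader to click :guilabel:`Agree` on the EULA dialog, pass Sysinternals' `-accepteula` switch on the `sigcheck64.exe` command line; that removes an interactive step from a procedure readers are likely to script, and the `.. note::` can then be dropped or reduced to a mention of the flag.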
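Review bot: in the `@@ -103,7 +107,7 @@` hunk, the simplified `$fileHash = (Get-FileHash ...).Hash.Trim()` is an improvement, but `.Trim()` does nothing on the `Hash` property, and the `.ToUpper()` on `$sigHash` is likewise unnecessary because PowerShell's `-eq` compares strings case-insensitively. Consider also passing `-Algorithm SHA256` explicitly to `Get-FileHash` so the intended algorithm is visible in the tutorial rather than relying on the cmdlet default.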
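Review bot: in the `@@ -95,7 +95,7 @@` hunk, the step keeps `ref: download-key-file`, which looks copied from the PGP procedure; this step downloads nothing and compares hashes, so a ref such as `compare-hashes` would keep the anchors meaningful for cross-references.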
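Review bot: in the `@@ -120,10 +120,10 @@` hunk, wrapping `SHA256` in literal markup reads as if it were a command or file name; plain "SHA-256 hash" matches the rest of the page ("SHA-256 checksum"). The unchanged bullet "A ``True`` or ``False`` result depending if the hashes match" should read "depending on whether the hashes match", and the closing sentence could state the failure case explicitly: if the result is `False`, do not install the package.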
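Review bot: in the `@@ -43,6 +43,7 @@` hunk, "the procedure works on all versions and editions" needs a qualifier: the download commands in steps 2 and 3 are pinned to the `win32/...-2008plus-ssl-v3.4-latest-signed.msi` path and its `.sha256` file, and the filename's `-signed` suffix indicates that the Authenticode check depends on picking a signed installer. Suggest "the procedure applies to other versions and editions provided you substitute the URLs of the signed installer and its `.sha256` file for the release you are installing".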