(DOCS-10909): Added verification for Windows build. #3348
Merged (3 commits), Jun 25, 2018
129 changes: 129 additions & 0 deletions source/includes/steps-install-verify-files-windows.yaml
@@ -0,0 +1,129 @@
title: Download the Sigcheck utility from Microsoft.
stepnum: 1
level: 4
ref: download-sigcheck
content: |
a. Visit the `Sigcheck utility page <https://docs.microsoft.com/en-us/sysinternals/downloads/sigcheck>`__.

b. Click the :guilabel:`Download Sigcheck` link.

c. Unzip ``Sigcheck.zip``.

d. Move the Sigcheck directory to an appropriate location on your
Windows host.

For this tutorial, this location is
``$Env:ProgramFiles\Sigcheck``.
Collaborator: Is this a common notation? (I've never seen this before)

Collaborator: Also isn't it usually "Program Files" or "Program Files (x86)"? Does this run the risk of confusing readers?

Contributor (author): This borrows from the Microsoft PowerShell Environment Variables page and the SS64 System Variables page. As I was using PowerShell, I wanted to use the variables just in case someone decided to configure their environment differently.

Collaborator: Thanks for the info 👍

---
title: Download the MongoDB installation file.
stepnum: 2
level: 4
ref: download-install-file
content: |
Download the binaries from ``https://www.mongodb.org/downloads``.

.. example::

To download the ``v3.4-latest`` release for Windows using
Powershell, invoke this command:

.. code-block:: powershell

Invoke-WebRequest -Uri "https://downloads.mongodb.org/win32/mongodb-win32-x86_64-2008plus-ssl-v3.4-latest-signed.msi" `
-OutFile "$Env:HomePath\Downloads\mongodb-win32-x86_64-2008plus-ssl-v3.4-latest-signed.msi"

---
title: Download the public signature file.
stepnum: 3
level: 4
ref: download-sig-file
content: |
Download the ``md5`` from ``https://www.mongodb.org/downloads``.

.. example::

To download the SHA256 signature for the ``v3.4-latest`` release
for Windows using Powershell, invoke this command:

.. code-block:: powershell

Invoke-WebRequest -Uri "https://downloads.mongodb.org/win32/mongodb-win32-x86_64-2008plus-ssl-v3.4-latest-signed.msi.sha256" `
-OutFile "$Env:HomePath\Downloads\mongodb-win32-x86_64-2008plus-ssl-v3.4-latest-signed.msi.sha256"
---
title: Verify the signature of the MongoDB installer.
stepnum: 4
level: 4
ref: verify-sig
content: |

Invoke ``Sigcheck``:

.. code-block:: powershell

$Env:ProgramFiles\Sigcheck\sigcheck64.exe `
-h $Env:HomePath\Downloads\mongodb-win32-x86_64-2008plus-ssl-v3.4-latest-signed.msi

.. note::
Click :guilabel:`Agree` to accept the
:abbr:`EULA (End User License Agreement)` when it displays.

``Sigcheck`` returns this verification information for the latest
release of MongoDB 3.4:

.. code-block:: bat
:emphasize-lines: 19

Sigcheck v2.60 - File version and signature viewer
Copyright (C) 2004-2017 Mark Russinovich
Sysinternals - www.sysinternals.com

$Env:HomePath\downloads\mongodb-win32-x86_64-2008plus-ssl-v3.4-latest-signed.msi:
Verified: Signed
Signing date: 12:34 AM 6/20/2018
Publisher: MongoDB, Inc.
Company: n/a
Description: n/a
Product: n/a
Prod version: n/a
File version: n/a
MachineType: n/a
MD5: D7866C013989AEE2FA87774EFFF884F0
SHA1: E5D7D78E8FFFF9CFF3BD605C3407A55F87F4C8DD
PESHA1: E5D7D78E8FFFF9CFF3BD605C3407A55F87F4C8DD
PE256: 8FE0670DF2AB74CCD33910C0AF2F000225BA2ED21330767D95E3F6DED96E6893
SHA256: 8FE0670DF2AB74CCD33910C0AF2F000225BA2ED21330767D95E3F6DED96E6893
IMP: n/a

---
title: Compare the signature file to the MongoDB installer hash.
stepnum: 5
level: 4
ref: download-key-file
content: |

To compare the signature file to the hash of the MongoDB binary,
invoke this Powershell script:

.. code-block:: powershell

$sigHash = (Get-Content $Env:HomePath\Downloads\mongodb-win32-x86_64-2008plus-ssl-v3.4-latest-signed.msi.sha256 | Out-String).SubString(0,64).ToUpper(); `
$fileHash = (Get-FileHash $Env:HomePath\Downloads\mongodb-win32-x86_64-2008plus-ssl-v3.4-latest-signed.msi).Hash.Trim(); `
echo $sigHash; echo $fileHash; `
$sigHash -eq $fileHash

.. code-block:: bat
:emphasize-lines: 1-2

8FE0670DF2AB74CCD33910C0AF2F000225BA2ED21330767D95E3F6DED96E6893
8FE0670DF2AB74CCD33910C0AF2F000225BA2ED21330767D95E3F6DED96E6893
True

The command outputs three lines:

- A ``SHA256`` hash that you downloaded directly from MongoDB.
- A ``SHA256`` hash computed from the MongoDB binary you
downloaded from MongoDB.
- A ``True`` or ``False`` result depending if the hashes match.

If the hashes match, the MongoDB binary is verified.
...
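Review bot: Step 3 (``ref: download-sig-file``) tells the reader to "Download the ``md5``", but its example and step 5 download and compare the ``.sha256`` file; the sentence should name the SHA-256 checksum file. Related wording: step 3 and the step 5 title call that file a "signature", while the Overview in ``verify-mongodb-packages.txt`` distinguishes checksums (integrity only) from signatures (authenticity). The ``.sha256`` file is a bare checksum, so "SHA-256 checksum" avoids implying it authenticates the download; the Authenticode check in step 4 is what establishes who signed the installer, so step 4 should tell readers to confirm ``Publisher: MongoDB, Inc.`` as well as ``Verified: Signed``. Smaller points: step 5's ``ref: download-key-file`` does not describe a compare step (suggest ``compare-sha256``); ``$Env:HomePath`` holds only the path portion without the drive letter (for example ``\Users\name``), so every ``$Env:HomePath\Downloads\...`` path resolves against the current drive, and ``$Env:USERPROFILE`` would be unambiguous; and in the step 5 script ``-eq`` on strings is already case-insensitive in PowerShell, so ``.ToUpper()`` is harmless but unnecessary.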
32 changes: 19 additions & 13 deletions source/tutorial/verify-mongodb-packages.txt
@@ -10,34 +10,40 @@ Verify Integrity of MongoDB Packages
:depth: 1
:class: singlecol

Overview
--------

The MongoDB release team digitally signs all software packages to
certify that a particular MongoDB package is a valid and unaltered
MongoDB release. Before installing MongoDB, you should validate the package
using either the provided PGP signature or SHA-256 checksum.
MongoDB release. Before installing MongoDB, you should validate the
package using either the provided PGP signature or SHA-256 checksum.

PGP signatures provide the strongest guarantees by checking both the
authenticity and integrity of a file to prevent tampering.

Cryptographic checksums only validate file integrity to prevent network
transmission errors.

Procedures
----------
Verify Linux/macOS Packages
---------------------------

Use PGP/GPG
+++++++++++
~~~~~~~~~~~

MongoDB signs each release branch with a different PGP key. The public key files
for each release branch since MongoDB 2.2 are available for download
from the `key server <https://www.mongodb.org/static/pgp/>`_ in both textual
``.asc`` and binary ``.pub`` formats.
MongoDB signs each release branch with a different PGP key. The public
key files for each release branch since MongoDB 2.2 are available for
download from the `key server <https://www.mongodb.org/static/pgp/>`_
in both textual ``.asc`` and binary ``.pub`` formats.

.. include:: /includes/steps/install-verify-files-pgp.rst

Use SHA-256
+++++++++++
~~~~~~~~~~~

.. include:: /includes/steps/install-verify-files-sha.rst

Verify Windows Packages
-----------------------

This verifies the MongoDB binary against its SHA256 key. This tutorial
uses the latest release of MongoDB Community Edition 3.4, but the
procedure works on all versions and editions.

.. include:: /includes/steps/install-verify-files-windows.rst
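Review bot: The new "Verify Windows Packages" paragraph says the procedure verifies the binary "against its SHA256 key"; the ``.sha256`` file is a checksum, not a key, and the included steps also check the installer's Authenticode signature with Sigcheck, which by the Overview's own distinction is the part that provides authenticity rather than just integrity. Suggest: "This procedure checks the installer's Authenticode signature with Sigcheck and compares its SHA-256 checksum with the one published by MongoDB." The claim that the procedure "works on all versions and editions" is also broader than the steps support, since they hard-code the ``v3.4-latest`` signed MSI URLs; either qualify it or state that readers must substitute the download URLs for their release.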