From a4189c7348ae077908b4d34ae1e31a7e77c7e2e3 Mon Sep 17 00:00:00 2001 From: Andrew Aldridge Date: Wed, 27 May 2015 10:50:12 -0400 Subject: [PATCH] DOCS-5411: use HTTPS download links --- source/includes/release-base.yaml | 4 +- ...s-install-mongodb-enterprise-on-linux.yaml | 2 +- ...ps-install-mongodb-enterprise-on-suse.yaml | 4 +- .../steps-install-mongodb-on-debian.yaml | 2 +- .../steps-install-mongodb-on-red-hat.yaml | 2 +- .../steps-install-mongodb-on-suse.yaml | 2 +- .../steps-install-mongodb-on-ubuntu.yaml | 2 +- .../steps-install-verify-files-md5.yaml | 64 ----------------- .../steps-install-verify-files-pgp.yaml | 29 ++++---- .../steps-install-verify-files-sha.yaml | 68 ++++++------------- source/tutorial/verify-mongodb-packages.txt | 47 ++++--------- 11 files changed, 56 insertions(+), 170 deletions(-) delete mode 100644 source/includes/steps-install-verify-files-md5.yaml diff --git a/source/includes/release-base.yaml b/source/includes/release-base.yaml index d15ff88ed1e..d64172af387 100644 --- a/source/includes/release-base.yaml +++ b/source/includes/release-base.yaml @@ -1,7 +1,7 @@ ref: _curl-release language: 'sh' code: | - curl -O http://downloads.mongodb.org/{{platform}}/mongodb-{{platform}}-{{builder}}-{{version}}.tgz + curl -O https://fastdl.mongodb.org/{{platform}}/mongodb-{{platform}}-{{builder}}-{{version}}.tgz --- ref: _copy-release language: 'sh' @@ -17,7 +17,7 @@ code: | ref: _curl-release-ent language: 'sh' code: | - curl -O http://downloads.10gen.com/{{platform}}/mongodb-{{platform}}-{{builder}}-enterprise-{{distro}}-{{version}}.tgz + curl -O https://downloads.mongodb.com/{{platform}}/mongodb-{{platform}}-{{builder}}-enterprise-{{distro}}-{{version}}.tgz tar -zxvf mongodb-{{platform}}-{{builder}}-enterprise-{{distro}}-{{version}}.tgz cp -R -n mongodb-{{platform}}-{{builder}}-enterprise-{{distro}}-{{version}}/ mongodb ... diff --git a/source/includes/steps-install-mongodb-enterprise-on-linux.yaml b/source/includes/steps-install-mongodb-enterprise-on-linux.yaml index a85c36afad6..1e0c4af809c 100644 --- a/source/includes/steps-install-mongodb-enterprise-on-linux.yaml +++ b/source/includes/steps-install-mongodb-enterprise-on-linux.yaml @@ -8,7 +8,7 @@ ref: sequence pre: | After you have installed the required prerequisite packages, download and install the MongoDB Enterprise packages from - ``_. The MongoDB + ``_. The MongoDB binaries are located in the ``bin/`` directory of the archive. To download and install, use the following sequence of commands. --- diff --git a/source/includes/steps-install-mongodb-enterprise-on-suse.yaml b/source/includes/steps-install-mongodb-enterprise-on-suse.yaml index 77b3c852412..83991d9eb34 100644 --- a/source/includes/steps-install-mongodb-enterprise-on-suse.yaml +++ b/source/includes/steps-install-mongodb-enterprise-on-suse.yaml @@ -8,7 +8,7 @@ action: Use the following command to specify the latest stable release of MongoDB. language: sh code: | - sudo zypper addrepo --no-gpgcheck http://repo.mongodb.com/zypper/suse/11/mongodb-enterprise/stable/x86_64/ mongodb + sudo zypper addrepo --no-gpgcheck https://repo.mongodb.com/zypper/suse/11/mongodb-enterprise/stable/x86_64/ mongodb - pre: | If you'd like to install MongoDB packages from a previous :ref:`release series `, such as 2.6, you can @@ -17,7 +17,7 @@ action: use the following command: language: sh code: | - sudo zypper addrepo --no-gpgcheck http://repo.mongodb.com/zypper/suse/11/mongodb-enterprise/2.6/x86_64/ mongodb + sudo zypper addrepo --no-gpgcheck https://repo.mongodb.com/zypper/suse/11/mongodb-enterprise/2.6/x86_64/ mongodb --- title: Install the MongoDB packages and associated tools. stepnum: 2 diff --git a/source/includes/steps-install-mongodb-on-debian.yaml b/source/includes/steps-install-mongodb-on-debian.yaml index 0ba217acc62..a00e6138411 100644 --- a/source/includes/steps-install-mongodb-on-debian.yaml +++ b/source/includes/steps-install-mongodb-on-debian.yaml @@ -4,7 +4,7 @@ ref: import-key action: pre: | Issue the following command to add the `MongoDB public GPG Key - `_ to the system key ring. + `_ to the system key ring. language: sh code: | sudo apt-key adv --keyserver keyserver.ubuntu.com --recv 7F0CEB10 diff --git a/source/includes/steps-install-mongodb-on-red-hat.yaml b/source/includes/steps-install-mongodb-on-red-hat.yaml index 1cd89c50ffd..a1f761d4e93 100644 --- a/source/includes/steps-install-mongodb-on-red-hat.yaml +++ b/source/includes/steps-install-mongodb-on-red-hat.yaml @@ -12,7 +12,7 @@ action: code: | [mongodb-org-3.0] name=MongoDB Repository - baseurl=http://repo.mongodb.org/yum/{{distro_name}}/{{distro_release}}/mongodb-org/3.0/x86_64/ + baseurl=https://repo.mongodb.org/yum/{{distro_name}}/{{distro_release}}/mongodb-org/3.0/x86_64/ gpgcheck=0 enabled=1 - pre: | diff --git a/source/includes/steps-install-mongodb-on-suse.yaml b/source/includes/steps-install-mongodb-on-suse.yaml index ffac1da0573..0c3a4e6e143 100644 --- a/source/includes/steps-install-mongodb-on-suse.yaml +++ b/source/includes/steps-install-mongodb-on-suse.yaml @@ -8,7 +8,7 @@ action: Use the following command to specify the *latest* stable release of MongoDB. language: sh code: | - zypper addrepo --no-gpgcheck http://repo.mongodb.org/zypper/suse/11/mongodb-org/3.0/x86_64/ mongodb + zypper addrepo --no-gpgcheck https://repo.mongodb.org/zypper/suse/11/mongodb-org/3.0/x86_64/ mongodb - pre: | This repository only offers the ``3.0`` MongoDB release. If you'd like to install MongoDB packages from a previous :ref:`release diff --git a/source/includes/steps-install-mongodb-on-ubuntu.yaml b/source/includes/steps-install-mongodb-on-ubuntu.yaml index 34c86bdbd72..74873df29a9 100644 --- a/source/includes/steps-install-mongodb-on-ubuntu.yaml +++ b/source/includes/steps-install-mongodb-on-ubuntu.yaml @@ -6,7 +6,7 @@ action: The Ubuntu package management tools (i.e. ``dpkg`` and ``apt``) ensure package consistency and authenticity by requiring that distributors sign packages with GPG keys. Issue the following command to import the - `MongoDB public GPG Key `_: + `MongoDB public GPG Key `_: language: sh code: | sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 7F0CEB10 diff --git a/source/includes/steps-install-verify-files-md5.yaml b/source/includes/steps-install-verify-files-md5.yaml deleted file mode 100644 index 8efe120a13a..00000000000 --- a/source/includes/steps-install-verify-files-md5.yaml +++ /dev/null @@ -1,64 +0,0 @@ -title: Download the MongoDB installation file. -stepnum: 1 -ref: download-install-file -pre: | - Download the binaries from ``https://www.mongodb.org/downloads`` - based on your environment. - - For example, to download the ``2.6.0`` release for OS X through the - shell, type this command: -action: - language: sh - code: | - curl -LO http://downloads.mongodb.org/osx/mongodb-osx-x86_64-2.6.0.tgz ---- -title: Download the MD5 file. -stepnum: 2 -ref: download-md5-file -action: - language: sh - code: | - curl -LO http://downloads.mongodb.org/osx/mongodb-osx-x86_64-2.6.0.tgz.md5 ---- -title: Verify the checksum values for the MongoDB package file (Linux). -stepnum: 3 -ref: verify-install-file-linux -action: - - pre: | - Compute the checksum of the package file: - language: sh - code: | - md5 mongodb-linux-x86_64-2.6.0.tgz - - pre: | - which will generate this result: - language: sh - code: | - MD5 (mongodb-linux-x86_64-2.6.0.tgz) = a937d49881f90e1a024b58d642011dc4 - - pre: | - Enter this command: - language: sh - code: | - cat mongodb-linux-x86_64-2.6.0.tgz.md5 - - pre: | - which will generate this result: - language: sh - code: | - a937d49881f90e1a024b58d642011dc4 - - post: | - The output of the ``md5`` and ``cat`` commands should be identical. ---- -title: Verify the MongoDB installation file (OS X). -stepnum: 4 -ref: verify-install-file-osx -action: - - pre: | - Compute the checksum of the package file: - language: sh - code: | - md5sum -c mongodb-osx-x86_64-2.6.0.tgz.md5 mongodb-osx-x86_64-2.6.0.tgz - - pre: | - which will generate this result: - language: sh - code: | - mongodb-osx-x86_64-2.6.0-rc1.tgz ok -... diff --git a/source/includes/steps-install-verify-files-pgp.yaml b/source/includes/steps-install-verify-files-pgp.yaml index 7ed80b53462..41c14a17fbb 100644 --- a/source/includes/steps-install-verify-files-pgp.yaml +++ b/source/includes/steps-install-verify-files-pgp.yaml @@ -6,11 +6,11 @@ action: Download the binaries from ``https://www.mongodb.org/downloads`` based on your environment. - For example, to download the ``2.6.0`` release for OS X through the + For example, to download the ``3.0.3`` release for OS X through the shell, type this command: language: sh code: | - curl -LO http://downloads.mongodb.org/osx/mongodb-osx-x86_64-2.6.0.tgz + curl -LO https://fastdl.mongodb.org/osx/mongodb-osx-x86_64-3.0.3.tgz --- title: Download the public signature file. stepnum: 2 @@ -18,23 +18,24 @@ ref: download-sig-file action: language: sh code: | - curl -LO http://downloads.mongodb.org/osx/mongodb-osx-x86_64-2.6.0.tgz.sig + curl -LO https://fastdl.mongodb.org/osx/mongodb-osx-x86_64-3.0.3.tgz.sig --- title: Download then import the key file. stepnum: 3 ref: download-key-file action: - pre: | - If you have not downloaded and imported the key file, enter these commands: + If you have not downloaded and imported the MongoDB 2.8/3.0 public key, + enter these commands: language: sh code: | - curl -LO https://www.mongodb.org/static/pgp/server-2.6.asc - gpg --import server-2.6.asc + curl -LO https://www.mongodb.org/static/pgp/server-2.8.asc + gpg --import server-2.8.asc - pre: | You should receive this message: language: sh code: | - gpg: key AAB2461C: public key "MongoDB 2.6 Release Signing Key " imported + gpg: key 857FD301: public key "MongoDB 2.8 Release Signing Key " imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) --- @@ -46,19 +47,19 @@ action: Type this command: language: sh code: | - gpg --verify mongodb-osx-x86_64-2.6.0.tgz.sig mongodb-osx-x86_64-2.6.0.tgz + gpg --verify mongodb-osx-x86_64-3.0.3.tgz.sig mongodb-osx-x86_64-3.0.3.tgz - pre: | You should receive this message: language: sh code: | - gpg: Signature made Thu Mar 6 15:11:28 2014 EST using RSA key ID AAB2461C - gpg: Good signature from "MongoDB 2.6 Release Signing Key " + gpg: Signature made Tue 12 May 2015 11:29:21 AM EDT using RSA key ID 857FD301 + gpg: Good signature from "MongoDB 2.8 Release Signing Key " [unknown] - pre: | - Download and import the key file, as described above, if you receive a - message like this one: + If you receive a message such as the following, confirm that you imported + the correct public key: language: sh code: | - gpg: Signature made Thu Mar 6 15:11:28 2014 EST using RSA key ID AAB2461C + gpg: Signature made Tue 12 May 2015 11:29:21 AM EDT using RSA key ID 857FD301 gpg: Can't check signature: public key not found - pre: | ``gpg`` will return the following message if the package is @@ -68,5 +69,5 @@ action: code: | gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. - Primary key fingerprint: DFFA 3DCF 326E 302C 4787 673A 01C4 E7FA AAB2 461C + Primary key fingerprint: BDC0 DB28 022D 7DEA 1490 DC3E 7085 801C 857F D301 ... diff --git a/source/includes/steps-install-verify-files-sha.yaml b/source/includes/steps-install-verify-files-sha.yaml index ea7af2ffddf..e7a0b26f410 100644 --- a/source/includes/steps-install-verify-files-sha.yaml +++ b/source/includes/steps-install-verify-files-sha.yaml @@ -1,16 +1,24 @@ -inherit: - file: steps-install-verify-files-md5.yaml - ref: download-install-file +title: Download the MongoDB installation file. stepnum: 1 +ref: download-install-file +pre: | + Download the binaries from ``https://www.mongodb.org/downloads`` + based on your environment. + + For example, to download the ``3.0.3`` release for OS X through the + shell, type this command: +action: + language: sh + code: | + curl -LO https://fastdl.mongodb.org/osx/mongodb-osx-x86_64-3.0.3.tgz --- -title: Download the SHA1 and SHA256 file. +title: Download the SHA256 file. stepnum: 2 ref: download-sha-file action: language: sh code: | - curl -LO http://downloads.mongodb.org/osx/mongodb-osx-x86_64-2.6.3.tgz.sha1 - curl -LO http://downloads.mongodb.org/osx/mongodb-osx-x86_64-2.6.3.tgz.sha256 + curl -LO https://fastdl.mongodb.org/osx/mongodb-osx-x86_64-3.0.3.tgz.sha256 --- title: Use the SHA-256 checksum to verify the MongoDB package file. stepnum: 3 @@ -20,49 +28,11 @@ action: Compute the checksum of the package file: language: sh code: | - shasum mongodb-linux-x86_64-2.6.3.tgz - - pre: | - which will generate this result: - language: sh - code: | - fe511ee40428edda3a507f70d2b91d16b0483674 mongodb-osx-x86_64-2.6.3.tgz - - pre: | - Enter this command: - language: sh - code: | - cat mongodb-linux-x86_64-2.6.3.tgz.sha1 - - pre: | - which will generate this result: - language: sh - code: | - fe511ee40428edda3a507f70d2b91d16b0483674 mongodb-osx-x86_64-2.6.3.tgz - - post: | - The output of the ``shasum`` and ``cat`` commands should be identical. ---- -title: Use the SHA-1 checksum to verify the MongoDB package file. -stepnum: 3 -ref: verify-install-file-sha1 -action: - - pre: | - Compute the checksum of the package file: - language: sh - code: | - shasum -a 256 mongodb-linux-x86_64-2.6.3.tgz - - pre: | - which will generate this result: - language: sh - code: | - be3a5e9f4e9c8e954e9af7053776732387d2841a019185eaf2e52086d4d207a3 mongodb-osx-x86_64-2.6.3.tgz - - pre: | - Enter this command: - language: sh - code: | - cat mongodb-linux-x86_64-2.6.3.tgz.sha256 + shasum -c mongodb-osx-x86_64-3.0.3.tgz.sha256 - pre: | - which will generate this result: + which should return the following if the checksum matched the downloaded + package: language: sh code: | - be3a5e9f4e9c8e954e9af7053776732387d2841a019185eaf2e52086d4d207a3 mongodb-osx-x86_64-2.6.3.tgz - - post: | - The output of the ``shasum`` and ``cat`` commands should be identical. -... \ No newline at end of file + mongodb-osx-x86_64-3.0.3.tgz: OK +... diff --git a/source/tutorial/verify-mongodb-packages.txt b/source/tutorial/verify-mongodb-packages.txt index 749b5480031..f7b8eecffe0 100644 --- a/source/tutorial/verify-mongodb-packages.txt +++ b/source/tutorial/verify-mongodb-packages.txt @@ -9,32 +9,14 @@ Overview The MongoDB release team digitally signs all software packages to certify that a particular MongoDB package is a valid and unaltered -MongoDB release. +MongoDB release. Before installing MongoDB, you should validate the package +using either the provided PGP signature or SHA-256 checksum. -Before installing MongoDB, you can validate packages using either a PGP -signature or with MD5 and SHA checksums of the MongoDB packages. The PGP -signatures store an encrypted hash of the software package, that you -can validate to ensure that the package you have is consistent with -the official package release. MongoDB also publishes MD5 and SHA hashes of -the official packages that you can use to confirm that you have a -valid package. +PGP signatures provide the strongest guarantees by checking both the +authenticity and integrity of a file to prevent tampering. -Considerations --------------- - -MongoDB signs each release branch with a different PGP key. - -The public ``.asc`` and ``.pub`` key files for each branch are -available for download. For example, the 2.2 keys are available at the -following URLs: - -.. code-block:: ini - - https://www.mongodb.org/static/pgp/server-2.2.asc - https://www.mongodb.org/static/pgp/server-2.2.pub - -Replace ``2.2`` with the appropriate release number to download public -key. Keys are available for all MongoDB releases beginning with 2.2. +Cryptographic checksums only validate file integrity to prevent network +transmission errors. Procedures ---------- @@ -42,17 +24,14 @@ Procedures Use PGP/GPG +++++++++++ -.. include:: /includes/steps/install-verify-files-pgp.rst +MongoDB signs each release branch with a different PGP key. The public key files +for each release branch since MongoDB 2.2 are available for download +from the `key server `_ in both textual +``.asc`` and binary ``.pub`` formats. -Use SHA -+++++++ +.. include:: /includes/steps/install-verify-files-pgp.rst -MongoDB provides checksums using both the SHA-1 and SHA-256 -hash functions. You can use either, as you like. +Use SHA-256 ++++++++++++ .. include:: /includes/steps/install-verify-files-sha.rst - -Use MD5 -+++++++ - -.. include:: /includes/steps/install-verify-files-md5.rst