(DOCSP-38230): Verify Compass signatures (#636)

* (DOCSP-38230): Verify Compass signatures

* fix substitution

* fix toc path

* update release version

* update toc depth

* edits

* WIP

* fix

* WIP GPG instructions

* edit

* finalize gpg page

* add rpm instructions

* add Windows instructions

* add missing refs

* cleanup

* review feedback

* edit

* update snooty.toml

Author: jeff-allen-mongo

snooty.toml

@@ -9,7 +9,8 @@ intersphinx = [
 ]
 
 toc_landing_pages = [
-    "/install", 
+    "/install",
+    "/install/verify-signatures",  
     "/connect",
     "/settings",
     "/settings/config-file",
@@ -30,7 +31,7 @@ toc_landing_pages = [
 
 [constants]
 download-page = "`downloads page <https://www.mongodb.com/try/download/compass>`__"
-current-version = "1.43.0"
+current-version = "1.43.3"
 atlas = "MongoDB Atlas"
 qe = "Queryable Encryption"
 qe-preview = "{+qe+} Public Preview"

source/includes/verification-gpg-results.rst

@@ -0,0 +1,17 @@
+If the key imports successfully, the command returns:
+
+.. code-block:: sh
+    :copyable: false
+
+    gpg: key CEED0419D361CB16: public key "MongoDB Compass Signing Key <[email protected]>" imported
+    gpg: Total number processed: 1
+    gpg:               imported: 1
+
+If you have previously imported the key, the command returns:
+
+.. code-block:: sh
+    :copyable: false
+
+    gpg: key A8130EC3F9F5F923: "MongoDB Compass Signing Key <[email protected]>" not changed
+    gpg: Total number processed: 1
+    gpg:              unchanged: 1

source/includes/verify-signatures-before-you-begin.rst

@@ -0,0 +1,3 @@
+If you don't have |compass| installed, download the |compass| binary
+from the `Download Center
+<https://www.mongodb.com/try/download/compass?jmp=docs>`__.

source/includes/verify-signatures-intro.rst

@@ -0,0 +1,4 @@
+The MongoDB release team digitally signs |compass| packages to certify
+that packages are a valid and unaltered MongoDB release. Before you
+install |compass|, you can use the digital signature to validate the
+package.

source/install.txt

@@ -267,4 +267,5 @@ To download and install |compass|, select your operating system:
    :titlesonly:
 
    /upgrade
+   /install/verify-signatures
    /editions

source/install/verify-signatures.txt

@@ -0,0 +1,36 @@
+.. _verify-signatures-compass:
+
+====================================
+Verify Integrity of Compass Packages
+====================================
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 1
+   :class: singlecol
+
+.. facet::
+   :name: genre
+   :values: tutorial
+
+.. include:: /includes/verify-signatures-intro.rst
+
+To learn how to verify |compass| packages, see the corresponding page
+for your verification method:
+
+- :ref:`compass-verify-signatures-disk-image`
+
+- :ref:`compass-verify-signatures-gpg`
+
+- :ref:`compass-verify-signatures-rpm`
+
+- :ref:`compass-verify-signatures-windows`
+
+.. toctree::
+   :titlesonly:
+
+   /install/verify-signatures/disk-images
+   /install/verify-signatures/gpg
+   /install/verify-signatures/rpm
+   /install/verify-signatures/windows

source/install/verify-signatures/disk-images.txt

@@ -0,0 +1,43 @@
+.. _compass-verify-signatures-disk-image:
+
+============================================
+Verify Packages with Disk Image Verification
+============================================
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 1
+   :class: singlecol
+
+.. facet::
+   :name: genre
+   :values: tutorial
+
+.. include:: /includes/verify-signatures-intro.rst
+
+This page describes how to verify ``.dmg`` packages on macOS.
+
+Before you Begin
+----------------
+
+.. include:: /includes/verify-signatures-before-you-begin.rst
+
+Steps
+-----
+
+To verify the |compass| package, run:
+
+.. code-block:: sh
+
+   codesign -dv --verbose=4 <path_to_compass_executable>
+
+If the package is signed by MongoDB, the output includes the following
+information:
+
+.. code-block:: sh
+   :copyable: false
+
+   Authority=Developer ID Application: MongoDB, Inc. (4XWMY46275)
+   Authority=Developer ID Certification Authority
+   Authority=Apple Root CA

source/install/verify-signatures/gpg.txt

@@ -0,0 +1,90 @@
+.. _compass-verify-signatures-gpg:
+
+========================
+Verify Packages with GPG
+========================
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 1
+   :class: singlecol
+
+.. facet::
+   :name: genre
+   :values: tutorial
+
+.. include:: /includes/verify-signatures-intro.rst
+
+This page describes how to use GPG to verify packages.
+
+Before you Begin
+----------------
+
+.. include:: /includes/verify-signatures-before-you-begin.rst
+
+Steps
+-----
+
+.. procedure::
+   :style: normal
+
+   .. step:: Import the |compass| public key
+
+      .. code-block:: sh
+
+         curl https://pgp.mongodb.com/compass.asc | gpg --import
+
+      .. include:: /includes/verification-gpg-results.rst
+
+   .. step:: Download the |compass| public signature
+
+      To download the |compass| public signature, go to the `Compass
+      Releases <https://github.com/mongodb-js/compass/releases>`__ page
+      on GitHub and download the corresponding ``.sig`` file for your
+      version and variant.
+
+      For example, if you downloaded the
+      ``mongodb-compass-{+current-version+}-darwin-x64.zip`` archive,
+      download the
+      ``mongodb-compass-{+current-version+}-darwin-x64.zip.sig``
+      signature.
+
+      .. note:: 
+         
+         Make sure that you select the correct version in the GitHub
+         releases page when you download the signature.
+
+   .. step:: Verify the package
+
+      .. code-block:: sh
+
+         gpg --verify <path_to_signature_file> <path_to_compass_archive>
+
+      If the package is signed by MongoDB, the command returns:
+      
+      .. code-block:: sh
+         :copyable: false
+
+         gpg: Signature made Mon Jan 22 10:22:53 2024 CET
+         gpg:                using RSA key AB1B92FFBE0D3740425DAD16A8130EC3F9F5F923
+         gpg: Good signature from "MongoDB Compass Signing Key <[email protected]>" [unknown]
+         
+      If the package is signed but the signing key is not added to your
+      local ``trustdb``, the command returns:
+
+      .. code-block:: sh
+         :copyable: false
+
+         gpg: WARNING: This key is not certified with a trusted signature!
+         gpg:          There is no indication that the signature belongs to the owner.
+         
+      If the package is not signed properly, the command returns an
+      error message:
+
+      .. code-block:: sh
+         :copyable: false
+
+         gpg: Signature made Mon Jan 22 10:22:53 2024 CET
+         gpg:                using RSA key AB1B92FFBE0D3740425DAD16A8130EC3F9F5F923
+         gpg: BAD signature from "MongoDB Compass Signing Key <[email protected]>" [unknown]

source/install/verify-signatures/rpm.txt

@@ -0,0 +1,54 @@
+.. _compass-verify-signatures-rpm:
+
+==========================
+Verify RPM Packages (RHEL)
+==========================
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 1
+   :class: singlecol
+
+.. facet::
+   :name: genre
+   :values: tutorial
+
+.. include:: /includes/verify-signatures-intro.rst
+
+This page describes how to verify ``.rpm`` packages on RHEL operating
+systems.
+
+Before you Begin
+----------------
+
+.. include:: /includes/verify-signatures-before-you-begin.rst
+
+Steps
+-----
+
+.. procedure::
+   :style: normal
+
+   .. step:: Import the |compass| public key in gpg and rpm
+
+      .. code-block:: sh
+
+         curl https://pgp.mongodb.com/compass.asc | gpg --import
+         
+         rpm --import https://pgp.mongodb.com/compass.asc
+
+      .. include:: /includes/verification-gpg-results.rst
+
+   .. step:: Verify the rpm file
+
+      .. code-block:: sh
+
+         rpm --checksig <path_to_compass_rpm_file>
+
+      If the file is signed, the command returns:
+
+      .. code-block:: sh
+         :copyable: false
+
+         <path_to_compass_rpm_file> digests signatures OK

source/install/verify-signatures/windows.txt

@@ -0,0 +1,83 @@
+.. _compass-verify-signatures-windows:
+
+=======================
+Verify Windows Packages
+=======================
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 2
+   :class: singlecol
+
+.. facet::
+   :name: genre
+   :values: tutorial
+
+.. include:: /includes/verify-signatures-intro.rst
+
+This page describes how to verify Windows ``.exe`` and ``.msi``
+packages.
+
+Before you Begin
+----------------
+
+.. include:: /includes/verify-signatures-before-you-begin.rst
+
+Steps
+-----
+
+To verify the |compass| package on Windows, you can use one of these
+methods:
+
+- :ref:`compass-verify-signatures-windows-command-line`
+
+- :ref:`compass-verify-signatures-windows-check-properties`
+
+.. _compass-verify-signatures-windows-command-line:
+
+Verify Packages with PowerShell
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+To verify Windows packages with PowerShell, run:
+
+.. code-block:: sh
+
+   powershell Get-AuthenticodeSignature -FilePath <path_to_compass_exe_or_msi>
+   
+If the file is signed, the command returns:
+
+.. code-block:: sh
+   :copyable: false
+
+   SignerCertificate     Status     Path                               
+   -----------------     ------     ----
+   F2D7C28591847B...     Valid      <path_to_compass_exe_or_msi>
+
+.. _compass-verify-signatures-windows-check-properties:
+
+Verify Packages by Checking Properties
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. procedure::
+   :style: normal
+
+   .. step:: Open the properties for your |compass| package
+
+   .. step:: Check the package's digital signatures
+
+      In the properties window, open the :guilabel:`Digital Signatures`
+      tab.
+
+      If the package is properly signed, the Digital Signatures show
+      these properties:
+
+      .. list-table::
+         :header-rows: 1
+      
+         * - Name of signer
+           - Digest algorithm
+           - Timestamp
+         * - MONGODB, INC.
+           - sha256
+           - <Timestamp>