DOCSP-38229 Verify signatures for mongosh (#334)

* WIP

* update toc

* update snooty.coml

* WIP

* edits

* edit

* first draft

* tweak

* edit

* update toc depth

* review edits

* restructure

* remove old files

* update release version

* typo

* add rpm instructions

* update toc depth

* formatting fix

* fix

* standardize

* review feedback

* fix alignment

* fix alignment

* add windows instructions

* move rpm file

* fixes

* add missing ref

* cleanup

* edit

* update toc depth

* wording

* add oses in title and intro

* wording

* fix

* add mongosh to ref names

* fix alignment

* wording

* wording

* fix filenames

* review feedback

Author: jeff-allen-mongo

snooty.toml

@@ -3,7 +3,9 @@ title = "MongoDB Shell"
 
 intersphinx = [ "https://www.mongodb.com/docs/manual/objects.inv" ]
 
-toc_landing_pages = ["/run-commands",
+toc_landing_pages = ["/install",
+                     "/install/verify-signatures",
+                     "/run-commands",
                      "/crud",
                      "/field-level-encryption",
                      "/write-scripts",
@@ -15,7 +17,7 @@ toc_landing_pages = ["/run-commands",
 
 [constants]
 
-version = "2.1.4"
+version = "2.2.10"
 mdb-version = "7.0"
 pgp-version = "{+mdb-version+}"
 atlas = "MongoDB Atlas"

source/includes/verification-gpg-results.rst

@@ -0,0 +1,17 @@
+If the key imports successfully, the command returns:
+
+.. code-block:: sh
+    :copyable: false
+
+    gpg: key CEED0419D361CB16: public key "Mongosh Release Signing Key <[email protected]>" imported
+    gpg: Total number processed: 1
+    gpg:               imported: 1
+
+If you have previously imported the key, the command returns:
+
+.. code-block:: sh
+    :copyable: false
+
+    gpg: key A8130EC3F9F5F923: "Mongosh Release Signing Key <[email protected]>" not changed
+    gpg: Total number processed: 1
+    gpg:              unchanged: 1

source/includes/verify-signatures-before-you-begin.rst

@@ -0,0 +1,3 @@
+If you don't have MongoDB Shell installed, download the MongoDB Shell
+binary from the `Download Center
+<https://www.mongodb.com/try/download/shell?jmp=docs>`__.

source/includes/verify-signatures-intro.rst

@@ -0,0 +1,4 @@
+The MongoDB release team digitally signs MongoDB Shell packages to
+certify that packages are a valid and unaltered MongoDB release. Before
+you install MongoDB Shell, you can use the digital signature to validate
+the package.

source/install.txt

@@ -206,3 +206,8 @@ Once you successfully install :binary:`mongosh`, learn how to
 MongoDB provides a programmatically accessible list of ``mongosh``
 `downloads <https://downloads.mongodb.com/compass/mongosh.json>`__ that
 can be accessed through your application.
+
+.. toctree::
+   :titlesonly:
+
+   /install/verify-signatures

source/install/verify-signatures.txt

@@ -0,0 +1,36 @@
+.. _verify-signatures-mongosh:
+
+==========================================
+Verify Integrity of MongoDB Shell Packages
+==========================================
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 1
+   :class: singlecol
+
+.. facet::
+   :name: genre
+   :values: tutorial
+
+.. include:: /includes/verify-signatures-intro.rst
+
+To learn how to verify MongoDB Shell packages, see the corresponding
+page for your verification method:
+
+- :ref:`mongosh-verify-signatures-disk-image`
+
+- :ref:`mongosh-verify-signatures-gpg`
+
+- :ref:`mongosh-verify-signatures-rpm`
+
+- :ref:`mongosh-verify-signatures-windows`
+
+.. toctree::
+   :titlesonly:
+
+   /install/verify-signatures/disk-images
+   /install/verify-signatures/gpg
+   /install/verify-signatures/rpm
+   /install/verify-signatures/windows

source/install/verify-signatures/disk-images.txt

@@ -0,0 +1,43 @@
+.. _mongosh-verify-signatures-disk-image:
+
+====================================================
+Verify Packages with Disk Image Verification (macOS)
+====================================================
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 1
+   :class: singlecol
+
+.. facet::
+   :name: genre
+   :values: tutorial
+
+.. include:: /includes/verify-signatures-intro.rst
+
+This page describes how to verify ``.dmg`` packages on macOS.
+
+Before you Begin
+----------------
+
+.. include:: /includes/verify-signatures-before-you-begin.rst
+
+Steps
+-----
+
+To verify the MongoDB Shell package, run:
+
+.. code-block:: sh
+
+   codesign -dv --verbose=4 <path_to_mongosh_executable>
+
+If the package is signed by MongoDB, the output includes the following
+information:
+
+.. code-block:: sh
+   :copyable: false
+
+   Authority=Developer ID Application: MongoDB, Inc. (4XWMY46275)
+   Authority=Developer ID Certification Authority
+   Authority=Apple Root CA

source/install/verify-signatures/gpg.txt

@@ -0,0 +1,88 @@
+.. _mongosh-verify-signatures-gpg:
+
+==========================================
+Verify Packages with GPG (Linux and macOS)
+==========================================
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 1
+   :class: singlecol
+
+.. facet::
+   :name: genre
+   :values: tutorial
+
+.. include:: /includes/verify-signatures-intro.rst
+
+This page describes how to use GPG to verify Linux and macOS packages.
+
+Before you Begin
+----------------
+
+.. include:: /includes/verify-signatures-before-you-begin.rst
+
+Steps
+-----
+
+.. procedure::
+   :style: normal
+
+   .. step:: Import the MongoDB Shell public key
+
+      .. code-block:: sh
+
+         curl https://pgp.mongodb.com/mongosh.asc | gpg --import
+
+      .. include:: /includes/verification-gpg-results.rst
+
+   .. step:: Download the MongoDB Shell public signature
+
+      To download the MongoDB Shell public signature, go to the `mongosh
+      Releases <https://github.com/mongodb-js/mongosh/releases>`__ page
+      on GitHub and download the corresponding ``.sig`` file for your
+      version and variant.
+
+      For example, if you are running
+      ``mongodb-mongosh_{+version+}_amd64.deb``, download
+      ``mongodb-mongosh_{+version+}_amd64.deb.sig``
+
+      .. note:: 
+         
+         Make sure that you select the correct version in the GitHub
+         releases page when you download the signature.
+
+   .. step:: Verify the package
+
+      .. code-block:: sh
+
+         gpg --verify <path_to_signature_file> <path_to_mongosh_executable>
+
+      If the package is signed by MongoDB, the command returns:
+      
+      .. code-block:: sh
+         :copyable: false
+
+         gpg: Signature made Mon Jan 22 10:22:53 2024 CET
+         gpg:                using RSA key AB1B92FFBE0D3740425DAD16A8130EC3F9F5F923
+         gpg: Good signature from "Mongosh Release Signing Key <[email protected]>" [unknown]
+         
+      If the package is signed but the signing key is not added to your
+      local ``trustdb``, the command returns:
+
+      .. code-block:: sh
+         :copyable: false
+
+         gpg: WARNING: This key is not certified with a trusted signature!
+         gpg:          There is no indication that the signature belongs to the owner.
+         
+      If the package is not properly signed, the command returns an
+      error message:
+
+      .. code-block:: sh
+         :copyable: false
+
+         gpg: Signature made Mon Jan 22 10:22:53 2024 CET
+         gpg:                using RSA key AB1B92FFBE0D3740425DAD16A8130EC3F9F5F923
+         gpg: BAD signature from "Mongosh Release Signing Key <[email protected]>" [unknown]

source/install/verify-signatures/rpm.txt

@@ -0,0 +1,54 @@
+.. _mongosh-verify-signatures-rpm:
+
+==========================
+Verify RPM Packages (RHEL)
+==========================
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 1
+   :class: singlecol
+
+.. facet::
+   :name: genre
+   :values: tutorial
+
+.. include:: /includes/verify-signatures-intro.rst
+
+This page describes how to verify ``.rpm`` packages on RHEL operating
+systems.
+
+Before you Begin
+----------------
+
+.. include:: /includes/verify-signatures-before-you-begin.rst
+
+Steps
+-----
+
+.. procedure::
+   :style: normal
+
+   .. step:: Import the MongoDB Shell public key in gpg and rpm
+
+      .. code-block:: sh
+
+         curl https://pgp.mongodb.com/mongosh.asc | gpg --import
+         
+         rpm --import https://pgp.mongodb.com/mongosh.asc
+
+      .. include:: /includes/verification-gpg-results.rst
+
+   .. step:: Verify the rpm file
+
+      .. code-block:: sh
+
+         rpm --checksig <path_to_mongosh_rpm_file>
+
+      If the file is signed, the command returns:
+
+      .. code-block:: sh
+         :copyable: false
+
+         <path_to_mongosh_rpm_file> digests signatures OK

source/install/verify-signatures/windows.txt

@@ -0,0 +1,83 @@
+.. _mongosh-verify-signatures-windows:
+
+=======================
+Verify Windows Packages
+=======================
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 2
+   :class: singlecol
+
+.. facet::
+   :name: genre
+   :values: tutorial
+
+.. include:: /includes/verify-signatures-intro.rst
+
+This page describes how to verify Windows ``.exe`` and ``.msi``
+packages.
+
+Before you Begin
+----------------
+
+.. include:: /includes/verify-signatures-before-you-begin.rst
+
+Steps
+-----
+
+To verify the MongoDB Shell package on Windows, you can use one of these
+methods:
+
+- :ref:`mongosh-verify-signatures-windows-command-line`
+
+- :ref:`mongosh-verify-signatures-windows-check-properties`
+
+.. _mongosh-verify-signatures-windows-command-line:
+
+Verify Packages with PowerShell
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+To verify Windows packages with PowerShell, run:
+
+.. code-block:: sh
+
+   powershell Get-AuthenticodeSignature -FilePath <path_to_mongosh_exe_or_msi>
+   
+If the package is signed, the command returns:
+
+.. code-block:: sh
+   :copyable: false
+
+   SignerCertificate     Status     Path                               
+   -----------------     ------     ----
+   F2D7C28591847B...     Valid      <path_to_mongosh_exe_or_msi>
+
+.. _mongosh-verify-signatures-windows-check-properties:
+
+Verify Packages by Checking Properties
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. procedure::
+   :style: normal
+
+   .. step:: Open the properties for your MongoDB Shell package
+
+   .. step:: Check the package's digital signatures
+
+      In the properties window, open the :guilabel:`Digital Signatures`
+      tab.
+
+      If the package is properly signed, the Digital Signatures show
+      these properties:
+
+      .. list-table::
+         :header-rows: 1
+      
+         * - Name of signer
+           - Digest algorithm
+           - Timestamp
+         * - MONGODB, INC.
+           - sha256
+           - <Timestamp>