(DOCSP-37760) Confirm signatures on MCLI packages (#893) (#894)

Author: sarahsimpers

source/install.txt

@@ -18,6 +18,8 @@ You can use the {+mcli-long+} to deploy and manage MongoDB clusters in
 |service|, |cloud-short|, and |onprem|. For operating system and MongoDB
 service version requirements, see :ref:`mcli-compatibility`. 
 
+To verify packages before installation, see :ref:`verify-packages`.
+
 Install the {+mcli+}
 ----------------------------
 
@@ -134,3 +136,8 @@ Next Steps
 - :ref:`Configure the {+mcli+} <mcli-configure>` for your environment.
 - :ref:`Enable autocomplete <mcli-autocomplete>` to see available
   commands and their syntax directly in your shell.
+
+.. toctree::
+   :titlesonly:
+
+   Verify Packages </verify-packages>

source/release-notes.txt

@@ -69,6 +69,9 @@ Release Notes for {+mcli-long+}
 
 - Updates the ``mongocli-atlas-clusters-create`` command when 
   you don't use the ``--watch`` flag.
+- :ref:`Signs the Linux binaries <verify-packages-linux>` with PGP.
+- :ref:`Signs the Windows binaries <verify-packages-windows>` with
+  garasign.
 
 .. _mcli_1.31.1:
 

source/verify-packages.txt

@@ -0,0 +1,195 @@
+.. _verify-packages:
+
+=========================================
+Verify the Integrity of {+mcli+} Packages
+=========================================
+
+.. default-domain:: mongodb
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 1
+   :class: singlecol
+
+.. facet::
+   :name: genre
+   :values: tutorial
+
+The {+mcli+} release team digitally signs all software packages and
+container images to certify that a particular package is valid and
+unaltered. Before you install the {+mcli+} packages for Linux or
+Windows you should validate the 
+package using the provided PGP signature or SHA-256 checksum
+information.
+
+.. _verify-packages-linux:
+
+Verify Linux Packages
+---------------------
+
+MongoDB signs each release branch with a different PGP key. The public 
+key files for the lastest {+mcli+} release is available for
+download from the `key server <https://pgp.mongodb.com/>`_. 
+
+The following procedure verifies the {+mcli+} package against its 
+PGP key.
+
+.. procedure::
+   :style: normal
+
+   .. step:: Download the {+mcli+} installation file.
+
+      Download the {+mcli+} binaries from the 
+      `MongoDB Download Center
+      <https://www.mongodb.com/try/download/mongocli>`__
+      based on your Linux environment. Click :guilabel:`Copy link` and
+      use the URL in the following instructions.
+
+      For example, to download the ``{+mcli-version+}`` release
+      for Linux through the shell, run the following command:
+
+      .. code-block::
+
+         curl -LO https://fastdl.mongodb.org/mongocli/mongocli_{+mcli-version+}_linux_x86_64.tar.gz
+
+   .. step:: Download the public signature file.
+
+      Run the following command to download the file:
+
+      .. code-block::
+
+         curl -LO https://fastdl.mongodb.org/mongocli/mongocli_{+mcli-version+}_linux_x86_64.tar.gz.sig
+
+   .. step:: Download and import the key file.
+
+      Run the following command to download and import the key file:
+
+      .. io-code-block::
+         :copyable: true
+
+         .. input::
+
+            curl -LO https://pgp.mongodb.com/mongodb-cli.asc
+            gpg --import mongodb-cli.asc
+            
+         .. output::
+
+            gpg: key <key-value-short>: public key "MongoDB CLI Release Signing Key <[email protected]>" imported
+            gpg: Total number processed: 1
+            gpg:               imported: 1
+
+   .. step:: Verify the {+mcli+} installation file.
+
+      Run the following command to verify the installation file:
+
+      .. io-code-block::
+         :copyable: true
+
+         .. input::
+
+            gpg --verify mongocli_{+mcli-version+}_linux_x86_64.tar.gz.sig mongocli_{+mcli-version+}_linux_x86_64.tar.gz
+            
+         .. output::
+
+            gpg: Signature made Thu Mar 14 08:25:00 2024 EDT
+            gpg:                using RSA key <key-value-long>
+            gpg: Good signature from "MongoDB CLI Release Signing Key <[email protected]>" [unknown]
+
+      If the package is properly signed, but you don't currently trust
+      the signing key, ``gpg`` also returns the following message :
+
+      .. code-block::
+
+         gpg: WARNING: This key is not certified with a trusted signature!
+         gpg:          There is no indication that the signature belongs to the owner.
+
+.. _verify-packages-windows:
+
+Verify Windows Packages
+-----------------------
+
+The following procedure verifies the {+mcli+} package against its 
+SHA-256 key.
+
+.. procedure::
+   :style: normal
+
+   .. step:: Download the {+mcli+} installation file.
+
+      Download the {+mcli+} ``.msi`` or ``.zip`` file from the 
+      `MongoDB Download Center
+      <https://www.mongodb.com/try/download/mongocli>`__ or 
+      `Github <https://github.com/mongodb/mongodb-atlas-cli/releases>`__.
+
+   .. step:: Save the public signature.
+
+      a. Download the ``checksums.txt`` file for the
+         release from `Github 
+         <https://github.com/mongodb/mongodb-atlas-cli/releases>`__,
+         which contains the SHA-256 key for each file. For example, for
+         version {+mcli-version+},
+         download the `{+mcli-version+} checksums.txt file
+         <https://github.com/mongodb/mongodb-atlas-cli/releases/download/mongocli%2Fv{+mcli-version+}/checksums.txt>`__.
+      #. Open the ``checksums.txt`` file and copy the text listed to
+         the left of the package you downloaded.
+         For example, if you downloaded ``mongocli_{+mcli-version+}_windows_x86_64.zip``, 
+         copy the text to the left of
+         ``mongocli_{+mcli-version+}_windows_x86_64.zip``.
+         This value is the SHA-256 key value.
+      #. Save the SHA-256 key value in a ``.txt`` file named ``mongocli-key``
+         in your Downloads folder.
+
+   .. step:: Compare the signature file to the {+mcli+} installer hash.
+
+      Run the Powershell command to verify the package based on the
+      file you downloaded. 
+      
+      If you downloaded 
+      ``mongocli_{+mcli-version+}_windows_x86_64.zip``,
+      run the following command:
+
+      .. io-code-block::
+         :copyable: true
+
+         .. input::
+
+            $sigHash = (Get-Content $Env:HomePath\Downloads\mongocli-key.txt | Out-String).SubString(0,64).ToUpper(); `
+            $fileHash = (Get-FileHash $Env:HomePath\Downloads\mongocli_{+mcli-version+}_windows_x86_64.zip).Hash.Trim(); `
+            echo $sigHash; echo $fileHash; `
+            $sigHash -eq $fileHash
+
+         .. output::
+
+            <key-value-from-signature-file>
+            <key-value-from-downloaded-package>
+            True
+
+      If you downloaded 
+      ``mongocli_{+mcli-version+}_windows_x86_64.msi``,
+      run the following command:
+
+      .. io-code-block::
+         :copyable: true
+
+         .. input::
+
+            $sigHash = (Get-Content $Env:HomePath\Downloads\mongocli-key.txt | Out-String).SubString(0,64).ToUpper(); `
+            $fileHash = (Get-FileHash $Env:HomePath\Downloads\mongocli_{+mcli-version+}_windows_x86_64.msi).Hash.Trim(); `
+            echo $sigHash; echo $fileHash; `
+            $sigHash -eq $fileHash
+
+         .. output::
+
+            <key-value-from-signature-file>
+            <key-value-from-downloaded-package>
+            True
+            
+      The command returns the key value from the signature file, the
+      key value from the downloaded package, and ``True`` if the two
+      values match.
+
+      If the two values match, the {+mcli+} binary is verified.
+
+
+