-
Type: Task
-
Resolution: Unresolved
-
Priority: Unknown
-
None
-
Component/s: Security
-
None
-
Needed - No Spec Changes
-
Release artifacts published to officially supported channels MUST be signed with a MongoDB-owned or managed key.
Drivers that only create git tags for releases (e.g. Python, PHPLIB) MUST sign release tags with a MongoDB-owned or managed key.
Projects already signing releases (e.g. PGP keys via Evergreen secrets) satisfy this goal, but projects that have yet to implement signing SHOULD integrate Garasign.
Drivers SHOULD integrate release signing with automated releases.
Drivers MUST provide documentation for users to verify release artifacts if they wish (e.g. using tools to check binaries using published signature files).
- split to
-
MOTOR-1304 Sign release artifacts or tags with MongoDB-managed keys
- Backlog
-
CDRIVER-5537 Sign release artifacts or tags with MongoDB-managed keys
- Closed
-
CSHARP-5050 Sign release artifacts or tags with MongoDB-managed keys
- Closed
-
CXX-3010 Sign release artifacts or tags with MongoDB-managed keys
- Closed
-
GODRIVER-3189 Sign release artifacts or tags with MongoDB-managed keys
- Closed
-
JAVA-5432 Sign release artifacts or tags with MongoDB-managed keys
- Closed
-
MONGOCRYPT-681 Sign release artifacts or tags with MongoDB-managed keys
- Closed
-
NODE-6115 Sign release artifacts or tags with MongoDB-managed keys
- Closed
-
PHPLIB-1436 Sign release artifacts or tags with MongoDB-managed keys
- Closed
-
PYTHON-4385 Sign release artifacts or tags with MongoDB-managed keys
- Closed
-
RUBY-3451 Sign release artifacts or tags with MongoDB-managed keys
- Closed
-
RUST-1921 Sign release artifacts or tags with MongoDB-managed keys
- Closed