Loading...

XML

Word

Printable

JSON

Type: Spec Change
Resolution: Unresolved
Priority: Unknown
Fix Version/s: None
Component/s: Client Side Encryption
Labels:
None

Driver Changes:
Needed
Downstream Changes Summary:
Hide

libmongocrypt 1.18.0 adds signed tarballs to the GitHub release. Previously tarballs were only available on S3 URLs. These tarballs are smaller (only library and headers), include signatures, and have self-descriptive names.

Which drivers package libmongocrypt? notes C#, Java, Node, and Python have scripts referring to libmongocrypt binaries. Other drivers may not need any changes.

Summary of necessary driver changes

Update release scripts to use libmongocrypt tarballs attached to GitHub releases.

Verify signature of downloaded libmongocrypt tarballs.

Example:

set -o errexit # Download libmongocrypt tarball: curl -LO https://github.com/mongodb/libmongocrypt/releases/download/1.18.0/libmongocrypt-windows-x86_64-1.18.0.tar.gz curl -LO https://github.com/mongodb/libmongocrypt/releases/download/1.18.0/libmongocrypt-windows-x86_64-1.18.0.asc # Download the public key, import it, and verify the signature curl -LO https://pgp.mongodb.com/libmongocrypt.pub gpg --import libmongocrypt.pub gpg --verify libmongocrypt-windows-x86_64-1.18.0.asc libmongocrypt-windows-x86_64-1.18.0.tar.gz

Remove documented references to direct libmongocrypt S3 links.

Refer users to the mongodb.com install steps to download packages. If needed, refer users to the GitHub release page (https://github.com/mongodb/libmongocrypt/releases) to download pre-built binaries.

Notes
The following maps from the previous previous build variant names to the new tarball names:

macos => macos-universal

alpine-arm64-earthly => linux-arm64-musl_1_2-nocrypto

windows-test => windows-x86_64

ubuntu1604-arm64 => linux-arm64-glibc_2_17-nocrypto

ubuntu1804-arm64 => linux-arm64-glibc_2_17-nocrypto

ubuntu1804-64 => linux-x86_64-glibc_2_7-nocrypto

rhel-62-64-bit => linux-x86_64-glibc_2_7-nocrypto

rhel72-zseries-test => linux-s390x-glibc_2_7-nocrypto

rhel-71-ppc64el => linux-ppc64le-glibc_2_17-nocrypto

rhel-70-64-bit => linux-x86_64-glibc_2_7-nocrypto

rhel82-arm64-small => linux-arm64-glibc_2_17-nocrypto

Changelog

2026-05-18: Recommend upgrading to 1.18.1 or higher to include the fix for DRIVERS-3470.

2026-05-11: musl (Alpine) arm64 builds added in 1.18.2.
Show
libmongocrypt 1.18.0 adds signed tarballs to the GitHub release. Previously tarballs were only available on S3 URLs. These tarballs are smaller (only library and headers), include signatures, and have self-descriptive names. Which drivers package libmongocrypt? notes C#, Java, Node, and Python have scripts referring to libmongocrypt binaries. Other drivers may not need any changes. Summary of necessary driver changes Update release scripts to use libmongocrypt tarballs attached to GitHub releases. Verify signature of downloaded libmongocrypt tarballs. Example: set -o errexit # Download libmongocrypt tarball: curl -LO https://github.com/mongodb/libmongocrypt/releases/download/1.18.0/libmongocrypt-windows-x86_64-1.18.0.tar.gz curl -LO https://github.com/mongodb/libmongocrypt/releases/download/1.18.0/libmongocrypt-windows-x86_64-1.18.0.asc # Download the public key, import it, and verify the signature curl -LO https://pgp.mongodb.com/libmongocrypt.pub gpg --import libmongocrypt.pub gpg --verify libmongocrypt-windows-x86_64-1.18.0.asc libmongocrypt-windows-x86_64-1.18.0.tar.gz Remove documented references to direct libmongocrypt S3 links. Refer users to the mongodb.com install steps to download packages. If needed, refer users to the GitHub release page ( https://github.com/mongodb/libmongocrypt/releases ) to download pre-built binaries. Notes The following maps from the previous previous build variant names to the new tarball names: macos => macos-universal alpine-arm64-earthly => linux-arm64-musl_1_2-nocrypto windows-test => windows-x86_64 ubuntu1604-arm64 => linux-arm64-glibc_2_17-nocrypto ubuntu1804-arm64 => linux-arm64-glibc_2_17-nocrypto ubuntu1804-64 => linux-x86_64-glibc_2_7-nocrypto rhel-62-64-bit => linux-x86_64-glibc_2_7-nocrypto rhel72-zseries-test => linux-s390x-glibc_2_7-nocrypto rhel-71-ppc64el => linux-ppc64le-glibc_2_17-nocrypto rhel-70-64-bit => linux-x86_64-glibc_2_7-nocrypto rhel82-arm64-small => linux-arm64-glibc_2_17-nocrypto Changelog 2026-05-18: Recommend upgrading to 1.18.1 or higher to include the fix for DRIVERS-3470 . 2026-05-11: musl (Alpine) arm64 builds added in 1.18.2.

Driver Compliance:

$i18n.getText("admin.common.words.hide")

Key	Status/Resolution	FixVersion
CDRIVER-6311	Works as Designed
CXX-3484	Works as Designed
CSHARP-6023	Ready for Work	3.9.0
GODRIVER-3884	Backlog
JAVA-6187	In Progress
NODE-7569	Backlog
PYTHON-5816	In Code Review	pymongocrypt-1.18.0
PHPLIB-1842	Works as Designed
RUBY-3829	Backlog
RUST-2417	Works as Designed

$i18n.getText("admin.common.words.show")

#scriptField, #scriptField *{ border: 1px solid black; } #scriptField{ border-collapse: collapse; } #scriptField td { text-align: center; /* Center-align text in table cells */ } #scriptField td.key { text-align: left; /* Left-align text in the Key column */ } #scriptField a { text-decoration: none; /* Remove underlines from links */ border: none; /* Remove border from links */ } /* Add green background color to cells with FixVersion */ #scriptField td.hasFixVersion { background-color: #00FF00; /* Green color code */ } #scriptField td.willNotDo { background-color: #FF0000; /* Red color code */ } /* Center-align the first row headers */ #scriptField th { text-align: center; } Key Status/Resolution FixVersion CDRIVER-6311 Works as Designed CXX-3484 Works as Designed CSHARP-6023 Ready for Work 3.9.0 GODRIVER-3884 Backlog JAVA-6187 In Progress NODE-7569 Backlog PYTHON-5816 In Code Review pymongocrypt-1.18.0 PHPLIB-1842 Works as Designed RUBY-3829 Backlog RUST-2417 Works as Designed

Summary

Update packaging scripts and documentation to refer to new libmongocrypt binary locations.

Motivation

~~MONGOCRYPT-841~~ changes download URLs for libmongocrypt 1.18.0+ to more restrictive S3 buckets. At a minimum, driver packaging libmongocrypt would need to update release scripts to refer to the new URLs.

~~MONGOCRYPT-841~~ also adds signed tarballs to the GitHub release page of libmongocrypt. These tarballs are smaller (only include the library file and headers), include per-tarball signatures, and have a self-descriptive naming scheme.

The survey Which drivers package libmongocrypt? notes C#, Java, Node, and Python have scripts referring to libmongocrypt binaries.

pymongocrypt documentation links to the unsigned libmongocrypt-all.tar.gz. This can now instead refer to the GitHub releases page: https://github.com/mongodb/libmongocrypt/releases.

Who is the affected end user?

DBX devs.

How does this affect the end user?

Unable to update packaged libmongocrypt to 1.18.0+.

How likely is it that this problem or use case will occur?

Certain.

If the problem does occur, what are the consequences and how severe are they?

Will prevent obtaining features of libmongocrypt 1.18.0 (currently QE keyAltName support).

Is this issue urgent?

Somewhat. Will be needed to upgrade to libmongocrypt 1.18.0+. So this will be a prerequisite for later work (e.g. QE Text: DRIVERS-3408).

Is this ticket required by a downstream team?

No.

Is this ticket only for tests?

No.

Acceptance Criteria

Update release scripts to use libmongocrypt tarballs attached to GitHub releases.

Verify signature of downloaded libmongocrypt tarballs.

Example:

set -o errexit

# Download libmongocrypt tarball:
curl -LO https://github.com/mongodb/libmongocrypt/releases/download/1.18.0/libmongocrypt-windows-x86_64-1.18.0.tar.gz
curl -LO https://github.com/mongodb/libmongocrypt/releases/download/1.18.0/libmongocrypt-windows-x86_64-1.18.0.asc

# Download the public key, import it, and verify the signature
curl -LO https://pgp.mongodb.com/libmongocrypt.pub
gpg --import libmongocrypt.pub
gpg --verify libmongocrypt-windows-x86_64-1.18.0.asc libmongocrypt-windows-x86_64-1.18.0.tar.gz

Remove documented references to direct libmongocrypt S3 links.
- Refer users to the mongodb.com install steps to download packages. If needed, refer users to the GitHub release page (https://github.com/mongodb/libmongocrypt/releases/latest) to download pre-built binaries.

depends on

MONGOCRYPT-858 Release 1.18.0

Closed

is depended on by

MONGOCRYPT-894 Remove redundant upload tasks

Blocked

is related to

MONGOCRYPT-841 Release signed binaries

Closed

related to

MONGOCRYPT-688 Drop RHEL 6.2

Backlog

split to

GODRIVER-3884 Update libmongocrypt URLs for 1.18.0+

Backlog

NODE-7569 Update libmongocrypt URLs for 1.18.0+

Backlog

RUBY-3829 Update libmongocrypt URLs for 1.18.0+

Backlog

PYTHON-5816 Update libmongocrypt URLs for 1.18.0+

In Code Review

CSHARP-6023 Update libmongocrypt URLs for 1.18.0+

Ready for Work

JAVA-6187 Update libmongocrypt URLs for 1.18.0+

In Progress

CDRIVER-6311 Update libmongocrypt URLs for 1.18.0+

Closed

CXX-3484 Update libmongocrypt URLs for 1.18.0+

Closed

PHPLIB-1842 Update libmongocrypt URLs for 1.18.0+

Closed

RUST-2417 Update libmongocrypt URLs for 1.18.0+

Closed

(9 split to)

Assignee:: Unassigned
Reporter:: Kevin Albertson
Engineering Lead:: Kevin Albertson
Votes:: 0 Vote for this issue
Watchers:: 1 Start watching this issue

Created:: Apr 10 2026 11:55:56 AM UTC
Updated:: May 22 2026 08:30:26 PM UTC
Start date:: 01/May/26

Details

Description

Summary

Motivation

Who is the affected end user?

How does this affect the end user?

How likely is it that this problem or use case will occur?

If the problem does occur, what are the consequences and how severe are they?

Is this issue urgent?

Is this ticket required by a downstream team?

Is this ticket only for tests?

Acceptance Criteria

Attachments

Issue Links

Activity

People

Dates