Loading...

XML

Word

Printable

JSON

Type: Task
Resolution: Fixed
Priority: Major - P3
Fix Version/s: 8.3.0-rc0
Affects Version/s: None
Component/s: None
Labels:
None

Assigned Teams:

Query Integration
Backwards Compatibility:
Fully Compatible
Linked BF Score:
200
CAR Domain/s:
None

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name(s):
None
Goal Link:
None

GPG requires that a key must first be inserted into the "key ring" before it is used (before signing or verification).

In this ticket we are inserting the production key (mongot-extension.pub found at pgp.mongodb.com) into the key ring before loading all extensions, and then removing it out of key ring after extensions are done being loaded.

Define a constant somewhere sensical in the server for the value of the mongot-extension public key. Use the gpgmepp library for the key ring operations.

As part of this ticket, we introduce the SignatureValidator class, and embed the mongot-extension public key into the mongod/s binaries. Note, this ticket does not perform actual signature verification yet.

depends on

SERVER-118842 Import rnpgp/rnp into the server

Open

SERVER-115287 Import gpgmepp lib into the server

In Code Review

SERVER-115281 Add extensions signature secure bazel flag and pre-processor maco

Closed

is depended on by

SERVER-115610 Add extensions test gpg key to ring in insecure mode

Open

SERVER-115289 Perform extensions signature verification

In Progress

Assignee:: Santiago Roche
Reporter:: Joe Shalabi
Participants:: Githook User, Joe Shalabi, Santiago Roche
Votes:: 0 Vote for this issue
Watchers:: 2 Start watching this issue

Created:: Dec 11 2025 05:01:02 AM UTC
Updated:: Feb 23 2026 09:37:00 AM UTC
Resolved:: Feb 18 2026 04:12:52 PM UTC

Details

Description

Attachments

Issue Links

Activity

People

Dates