[SERVER-22144] It seems somebody is tampering with the MongoDB 3.2 Debian repository Created: 12/Jan/16  Updated: 12/Jan/16  Resolved: 12/Jan/16

Status: Closed
Project: Core Server
Component/s: Packaging
Affects Version/s: 3.2.0
Fix Version/s: None

Type: Bug Priority: Critical - P2
Reporter: Ronald Feicht Assignee: Unassigned
Resolution: Duplicate Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
is duplicated by SERVER-22143 GPG error - BADSIG D68FA50FEA312927 Closed
Operating System: ALL
Steps To Reproduce:

apt-key adv --keyserver hkp://keyserver.ubuntu.com --recv EA312927
echo 'deb http://repo.mongodb.org/apt/debian wheezy/mongodb-org/3.2 main' > /etc/apt/sources.list.d/mongodb-org.list
apt-get update

Participants:

 Description   

The 3.2 binaries in the Debian repository do not match the key specified in the installation guide.
Might be a malicious attack.



 Comments   
Comment by Stennie Steneker (Inactive) [ 12/Jan/16 ]

Hi Ronald,

Thanks for reporting this issue. This problem has already been reported as SERVER-22143, so please watch that issue for updates.

Regards,
Stephen

Comment by Ronald Feicht [ 12/Jan/16 ]

Forgot to mention the error message:
W: GPG error: http://repo.mongodb.org wheezy/mongodb-org/3.2 Release: The following signatures were invalid: BADSIG
D68FA50FEA312927 MongoDB 3.2 Release Signing Key <packaging@mongodb.com>

Generated at Thu Feb 08 03:59:31 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.