验证 MongoDB for VSCode 插件
MongoDB 发布团队通过数字签名VS Code 扩展发布,以证明插件是有效的且未被篡改的 MongoDB 发布。您可以使用数字签名来验证插件,并确保它是可信的安装。
开始之前
如果没有安装VS Code 扩展,请从VS Code 扩展下载GitHub 发布页面 或 Visual Studio Code 扩展市场下载。
步骤
1
下载VS Code 扩展签名文件
访问MongoDB VS Code 发布页面并下载适合您版本的.sig 文件VS Code 扩展.
2
导入VS Code 扩展公钥
curl https://pgp.mongodb.com/mongodb-vscode.asc | gpg --import
如果公钥导入成功,命令会返回
gpg: key A8130EC3F9F5F923: public key "MongoDB VS Code Signing Key <vscode@mongodb.com>" imported gpg: Total number processed: 1 gpg: imported: 1
如果您之前已经导入过该公钥,命令会返回
gpg: key A8130EC3F9F5F923: public key "MongoDB VS Code Signing Key <vscode@mongodb.com>" not changed gpg: Total number processed: 1 gpg: unchanged: 1
3
验证插件
gpg --verify <path_to_signature_file> <path_to_plugin_vsix_file>
如果插件由 MongoDB 签名,命令会返回
gpg: Signature made Mon Jan 8 19:30:04 2024 CET gpg: using RSA key A505CECC78EC9A688A4811505D55DCA8B92B7040 gpg: Good signature from "MongoDB VS Code Signing Key <vscode@mongodb.com>" [unknown]
如果软件包已签名,但签名密钥未添加到您的本地 trustdb,命令会返回
gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner.
如果软件包未正确签名,命令会返回错误信息
gpg: Signature made Mon Jan 22 10:22:53 2024 CET gpg: using RSA key AB1B92FFBE0D3740425DAD16A8130EC3F9F5F923 gpg: BAD signature from "MongoDB VS Code Signing Key <vscode@mongodb.com>" [unknown]