(DOCSP-34659): Add signature verification instructions for Docker (#5471)

jeff-allen-mongo · web-flow · commit 5741a0e2c549 · 2023-12-01T19:52:02.000-05:00
* (DOCSP-34659): Add signature verification instructions for Docker * wording * address review feedback and add instructions for enterprise * fix replacements * formatting * remove replacement * wording
diff --git a/source/includes/installation/docker/verify-signature-intro.rst b/source/includes/installation/docker/verify-signature-intro.rst
@@ -0,0 +1,7 @@
+You can use `Cosign <https://github.com/sigstore/cosign>`__ to verify
+MongoDB's signature for container images. 
+
+This procedure is optional. You do not need to verify MongoDB's
+signature to run MongoDB on Docker or any other containerized platform.
+
+To verify MongoDB's container signature, perform the following steps:
diff --git a/source/tutorial/install-mongodb-community-with-docker.txt b/source/tutorial/install-mongodb-community-with-docker.txt
@@ -153,4 +153,30 @@ Procedure
             readOnly: false,
             ok: 1
          }
-         
+         
+Next Steps (Optional)
+---------------------
+
+.. include:: /includes/installation/docker/verify-signature-intro.rst
+
+.. procedure::
+   :style: normal
+
+   .. step:: Download and install Cosign
+
+      For installation instructions, see the `Cosign GitHub repository
+      <https://github.com/sigstore/cosign>`__.
+
+   .. step:: Download the MongoDB Server container image's public key
+
+      .. code-block:: sh
+
+         curl https://cosign.mongodb.com/server.pem > server.pem
+
+   .. step:: Verify the signature
+
+      Run the following command to verify the signature by tag: 
+      
+      .. code-block:: sh
+
+         COSIGN_REPOSITORY=docker.io/mongodb/signatures cosign verify --insecure-ignore-tlog --key=./server.pem docker.io/mongodb/mongodb-community-server:latest
diff --git a/source/tutorial/install-mongodb-enterprise-with-docker.txt b/source/tutorial/install-mongodb-enterprise-with-docker.txt
@@ -168,6 +168,33 @@ Steps
             readOnly: false,
             ok: 1
          }
+
+Next Steps (Optional)
+---------------------
+
+.. include:: /includes/installation/docker/verify-signature-intro.rst
+
+.. procedure::
+   :style: normal
+
+   .. step:: Download and install Cosign
+
+      For installation instructions, see the `Cosign GitHub repository
+      <https://github.com/sigstore/cosign>`__.
+
+   .. step:: Download the MongoDB Server container image's public key
+
+      .. code-block:: sh
+
+         curl https://cosign.mongodb.com/server.pem > server.pem
+
+   .. step:: Verify the signature
+
+      Run the following command to verify the signature by tag: 
+      
+      .. code-block:: sh
+
+         COSIGN_REPOSITORY=docker.io/mongodb/signatures cosign verify --insecure-ignore-tlog --key=./server.pem docker.io/mongodb/mongodb-enterprise-server:latest
        
 Learn More
 ----------
