(DOCSP-38231): Verify vsce plugin (#87)

Author: jeff-allen-mongo

snooty.toml

@@ -6,6 +6,7 @@ intersphinx = ["https://www.mongodb.com/docs/manual/objects.inv",
               ]
 
 toc_landing_pages = [
+    "/install",
     "/playgrounds",
     "/crud-ops",
     "/playground-databases",

source/install.txt

@@ -28,3 +28,8 @@ Once you install |vsce|, you can :ref:`view data in your deployment
 with your data <vsce-playgrounds>`.
 
 To configure |vsce| settings, see :ref:`vsce-settings`. 
+
+.. toctree::
+   :titlesonly:
+
+   /install/verify-plugin

source/install/verify-plugin.txt

@@ -0,0 +1,97 @@
+.. _vsce-verify-plugin:
+
+================================
+Verify MongoDB for VSCode Plugin
+================================
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 1
+   :class: singlecol
+
+.. facet::
+   :name: genre
+   :values: tutorial
+
+The MongoDB release team digitally signs |vsce| releases to certify that
+the plugin is a valid and unaltered MongoDB release. You can use the
+digital signature to validate the plugin and ensure that it is a trusted
+installation.
+
+Before you Begin
+----------------
+
+If you don't have |vsce| installed, download the |vsce| plugin from the
+`GitHub Releases page <https://github.com/mongodb-js/vscode/releases>`__
+or the Visual Studio Code extension marketplace.
+
+Steps
+-----
+
+.. procedure::
+   :style: normal
+
+   .. step:: Download the |vsce| signature file
+
+      Go to the `MongoDB VS Code Releases page
+      <https://github.com/mongodb-js/vscode/releases>`__ and download
+      the ``.sig`` file for your version of |vsce|.
+
+   .. step:: Import the |vsce| public key
+
+      .. code-block:: sh
+
+         curl https://pgp.mongodb.com/mongodb-vscode.asc | gpg --import
+
+      If the key imports successfully, the command returns:
+
+      .. code-block:: sh
+         :copyable: false
+
+         gpg: key A8130EC3F9F5F923: public key "MongoDB VS Code Signing Key <[email protected]>" imported
+         gpg: Total number processed: 1
+         gpg:               imported: 1
+
+      If you have previously imported the key, the command returns:
+
+      .. code-block:: sh
+         :copyable: false
+
+         gpg: key A8130EC3F9F5F923: public key "MongoDB VS Code Signing Key <[email protected]>" not changed
+         gpg: Total number processed: 1
+         gpg:              unchanged: 1
+   
+   .. step:: Verify the plugin
+
+      .. code-block:: sh
+
+         gpg --verify <path_to_signature_file> <path_to_plugin_vsix_file>
+         
+      If the plugin is signed by MongoDB, the command returns:
+      
+      .. code-block:: sh
+         :copyable: false
+
+         gpg: Signature made Mon Jan  8 19:30:04 2024 CET
+         gpg:                using RSA key A505CECC78EC9A688A4811505D55DCA8B92B7040
+         gpg: Good signature from "MongoDB VS Code Signing Key <[email protected]>" [unknown]
+         
+      If the package is signed but the signing key is not added to your
+      local ``trustdb``, the command returns:
+
+      .. code-block:: sh
+         :copyable: false
+
+         gpg: WARNING: This key is not certified with a trusted signature!
+         gpg:          There is no indication that the signature belongs to the owner.
+         
+      If the package is not signed properly, the command returns an
+      error message:
+
+      .. code-block:: sh
+         :copyable: false
+
+         gpg: Signature made Mon Jan 22 10:22:53 2024 CET
+         gpg:                using RSA key AB1B92FFBE0D3740425DAD16A8130EC3F9F5F923
+         gpg: BAD signature from "MongoDB VS Code Signing Key <[email protected]>" [unknown]