CSHARP-6023: Update libmongocrypt URLs for 1.18.0+ #2011
Pull request overview
This PR updates the driver’s bundled libmongocrypt native binaries to version 1.18.2, changes the download source from S3 to GitHub Releases, and adds GPG signature verification during the build-time download/extract step.
Changes:
- Bump libmongocrypt from 1.15.2 → 1.18.2 and switch download URLs to GitHub release assets.
- Update native-binary download/extract MSBuild targets to use per-platform tarball names and add GPG verification on Linux/macOS.
- Update purls.txt to reflect the new libmongocrypt version.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/MongoDB.Driver.Encryption/MongoDB.Driver.Encryption.csproj | Updates libmongocrypt version + download source; adds signature verification steps in the MSBuild download pipeline. |
| purls.txt | Updates SBOM purl version for libmongocrypt to 1.18.2. |
| <DownloadFile SourceUrl="https://pgp.mongodb.com/libmongocrypt.pub" DestinationFolder="$(LibMongoCryptTmpPath)"/> | ||
| <Exec Command="gpg --batch --import $(LibMongoCryptTmpPath)/libmongocrypt.pub" Condition="!$([MSBuild]::IsOSPlatform('Windows'))" /> | ||
| <Exec Command="gpg --batch --verify $(LibMongoCryptTmpPath)/$(LibMongoCryptAscFile) $(LibMongoCryptTmpPath)/$(LibMongoCryptTarball)" Condition="!$([MSBuild]::IsOSPlatform('Windows'))" /> |
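Review bot: the `gpg --batch --verify` step on the last line trusts whatever key the preceding `--import` read from `$(LibMongoCryptTmpPath)/libmongocrypt.pub`, so a substituted key file served in place of the real one would still make the verify exit 0 (gpg only warns when the signing key is not trusted). Add a fingerprint check between the import and the verify, for example run `gpg --batch --with-colons --fingerprint` and fail the build unless the output contains a fingerprint pinned in the project, so that verification proves the tarball was signed by MongoDB's key rather than by the key that happened to be downloaded. Also consider giving the `<DownloadFile ... libmongocrypt.pub ...>` on the first line the same `Condition="!$([MSBuild]::IsOSPlatform('Windows'))"` that the two `<Exec>` steps carry, since nothing consumes the key on Windows.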
I investigated this but hit a hard limit: GPG derives its agent socket path from the homedir, and Unix sockets have a ~108-character path limit. Our libmongocryptTmpPath is long enough that the full socket path exceeds the limit, causing GPG to exit with code 2. The key being imported is the official public MongoDB signing key — importing it into the default keyring is idempotent and benign so I think we can afford to not do this.
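As an added example, not the PR's own csproj code, the verification step below is rewritten to use a short dedicated GnuPG home directory, which keeps the agent socket path well under the limit described above, and to refuse any imported key whose fingerprint does not match a value pinned in the project. It assumes the `LibMongoCryptTmpPath`, `LibMongoCryptTarball` and `LibMongoCryptAscFile` properties defined in the PR; `LibMongoCryptKeyFingerprint`, `GnupgHome` and the target name are hypothetical, and the fingerprint value is a placeholder to be replaced with the fingerprint of the official MongoDB signing key.

```xml
<!-- Added example (not the PR's code). Assumes LibMongoCryptTmpPath, LibMongoCryptTarball
     and LibMongoCryptAscFile exist as in the PR; everything else here is hypothetical. -->
<PropertyGroup>
  <!-- Placeholder: replace with the pinned fingerprint of the MongoDB signing key. -->
  <LibMongoCryptKeyFingerprint>REPLACE_WITH_PINNED_FINGERPRINT</LibMongoCryptKeyFingerprint>
  <!-- A short, build-owned homedir keeps the gpg-agent socket path under the Unix limit. -->
  <GnupgHome>$([System.IO.Path]::Combine($([System.IO.Path]::GetTempPath()), 'lmc-gpg'))</GnupgHome>
</PropertyGroup>

<Target Name="VerifyLibMongoCryptSignature" Condition="!$([MSBuild]::IsOSPlatform('Windows'))">
  <MakeDir Directories="$(GnupgHome)" />
  <!-- gpg refuses to use a world-readable homedir without warnings; make it private. -->
  <Exec Command="chmod 700 &quot;$(GnupgHome)&quot;" />

  <!-- Import the downloaded public key into the isolated keyring only. -->
  <Exec Command="gpg --batch --homedir &quot;$(GnupgHome)&quot; --import &quot;$(LibMongoCryptTmpPath)/libmongocrypt.pub&quot;" />

  <!-- Fail the build unless the imported key has the pinned fingerprint (field 10 of 'fpr' rows). -->
  <Exec Command="gpg --batch --homedir &quot;$(GnupgHome)&quot; --with-colons --fingerprint | grep -q '^fpr:.*:$(LibMongoCryptKeyFingerprint):$'" />

  <!-- Only now is a successful verify meaningful: the signer is the pinned key. -->
  <Exec Command="gpg --batch --homedir &quot;$(GnupgHome)&quot; --verify &quot;$(LibMongoCryptTmpPath)/$(LibMongoCryptAscFile)&quot; &quot;$(LibMongoCryptTmpPath)/$(LibMongoCryptTarball)&quot;" />
</Target>
```

Each `Exec` fails the build on a non-zero exit code, so a missing key, a fingerprint mismatch or a bad signature all stop the download/extract pipeline before the tarball is unpacked.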
Download libmongocrypt binaries from GitHub releases instead of S3, and verify tarball signatures with GPG on non-Windows platforms.
sanych-sun
left a comment
Please investigate test-csfle-with-azure-kms variant failure as well as failures on the latest/rapid variants, because I cannot see the same failure on the main branch (before the libmongocrypt bump).
BorisDog
left a comment
Changes LGTM.
Did you verify that the build fails when verification fails?
With libmongocrypt 1.17.0+, mixing CSFLE and QE in a $lookup no longer errors client-side. The server now rejects it with a different message.
Summary
- Switch the libmongocrypt download source from S3 (mciuploads.s3.amazonaws.com) to GitHub releases (github.com/mongodb/libmongocrypt/releases)
- Verify tarball signatures with GPG on non-Windows platforms (on Windows, gpg is not guaranteed to be available)
- Update purls.txt and sbom.json to reflect the new version