From f00658ac6a7699b45cb6e4a8cccb7576aac2bd74 Mon Sep 17 00:00:00 2001 From: Preston Vasquez Date: Fri, 29 May 2026 09:48:11 -0600 Subject: [PATCH 1/4] GODRIVER-3884 Update libmongocrypt install to 1.18.2 with signed Windows tarball - Bump LIBMONGOCRYPT_TAG to 1.18.2 - Add GPG signature verification on the Windows download path - Keep compile.sh-based install for Linux/macOS (the published Linux/macOS release variants are nocrypto and the Go driver does not provide crypto hooks) --- Taskfile.yml | 3 +- etc/install-libmongocrypt.sh | 59 ++++++++++++++++++++++-------------- 2 files changed, 39 insertions(+), 23 deletions(-) diff --git a/Taskfile.yml b/Taskfile.yml index 07aa8a0a57..a9d1cbc4ad 100644 --- a/Taskfile.yml +++ b/Taskfile.yml @@ -38,7 +38,8 @@ tasks: - gofumpt -w . api-report: bash etc/api_report.sh install-libmongocrypt: - cmds: [bash etc/install-libmongocrypt.sh] + cmds: + - bash etc/install-libmongocrypt.sh status: - test -d install || test -d /cygdrive/c/libmongocrypt/bin run-docker: bash etc/run_docker.sh diff --git a/etc/install-libmongocrypt.sh b/etc/install-libmongocrypt.sh index 9905cd62f1..b81e5dad1e 100755 --- a/etc/install-libmongocrypt.sh +++ b/etc/install-libmongocrypt.sh 
@@ -3,31 +3,46 @@ # This script installs libmongocrypt into an "install" directory. set -eux -LIBMONGOCRYPT_TAG="1.15.1" +LIBMONGOCRYPT_TAG="1.18.2" # Install libmongocrypt based on OS. if [ "Windows_NT" = "${OS:-}" ]; then - mkdir -p c:/libmongocrypt/include - mkdir -p c:/libmongocrypt/bin - echo "fetching build for Windows ... begin" - mkdir libmongocrypt-all - cd libmongocrypt-all - # The following URL is published from the upload-all task in the libmongocrypt Evergreen project. - curl -L https://github.com/mongodb/libmongocrypt/releases/download/$LIBMONGOCRYPT_TAG/libmongocrypt-windows-x86_64-$LIBMONGOCRYPT_TAG.tar.gz -o libmongocrypt-all.tar.gz - tar -xf libmongocrypt-all.tar.gz - cd .. - cp libmongocrypt-all/bin/mongocrypt.dll c:/libmongocrypt/bin - cp libmongocrypt-all/include/mongocrypt/*.h c:/libmongocrypt/include + mkdir -p c:/libmongocrypt/include + mkdir -p c:/libmongocrypt/bin + echo "fetching build for Windows ... begin" + mkdir libmongocrypt-all + cd libmongocrypt-all - rm -rf libmongocrypt-all - echo "fetching build for Windows ... end" + # Download the prebuilt Windows tarball and its detached PGP signature. + base=https://github.com/mongodb/libmongocrypt/releases/download/$LIBMONGOCRYPT_TAG + curl -LO $base/libmongocrypt-windows-x86_64-$LIBMONGOCRYPT_TAG.tar.gz + curl -LO $base/libmongocrypt-windows-x86_64-$LIBMONGOCRYPT_TAG.asc + + # Download the MongoDB libmongocrypt public key, import it into an + # isolated GNUPGHOME, and verify the tarball signature. + curl -LO https://pgp.mongodb.com/libmongocrypt.pub + GNUPGHOME=$(mktemp -d) + export GNUPGHOME + trap 'rm -rf "$GNUPGHOME"' EXIT + gpg --batch --import libmongocrypt.pub + gpg --batch --verify \ + libmongocrypt-windows-x86_64-$LIBMONGOCRYPT_TAG.asc \ + libmongocrypt-windows-x86_64-$LIBMONGOCRYPT_TAG.tar.gz + + tar -xf libmongocrypt-windows-x86_64-$LIBMONGOCRYPT_TAG.tar.gz + cd .. 
+ cp libmongocrypt-all/bin/mongocrypt.dll c:/libmongocrypt/bin + cp libmongocrypt-all/include/mongocrypt/*.h c:/libmongocrypt/include + + rm -rf libmongocrypt-all + echo "fetching build for Windows ... end" else - rm -rf libmongocrypt - git clone https://github.com/mongodb/libmongocrypt --depth=1 --branch $LIBMONGOCRYPT_TAG 2> /dev/null - if ! ( ./libmongocrypt/.evergreen/compile.sh >| output.txt 2>&1 ); then - cat output.txt 1>&2 - exit 1 - fi - mv output.txt install - rm -rf libmongocrypt + rm -rf libmongocrypt + git clone https://github.com/mongodb/libmongocrypt --depth=1 --branch $LIBMONGOCRYPT_TAG 2>/dev/null + if ! (./libmongocrypt/.evergreen/compile.sh >|output.txt 2>&1); then + cat output.txt 1>&2 + exit 1 + fi + mv output.txt install + rm -rf libmongocrypt fi From ad0542cd84d9006f6e02aea536235450faa65b8f Mon Sep 17 00:00:00 2001 From: Preston Vasquez Date: Fri, 29 May 2026 15:03:51 -0600 Subject: [PATCH 2/4] test signing From 87e1f58c011c8819a6367e87540d425f3bea0213 Mon Sep 17 00:00:00 2001 From: Preston Vasquez Date: Fri, 29 May 2026 15:04:05 -0600 Subject: [PATCH 3/4] test signing From 8e2ce2274b0498f066e77ec687139aff26badd56 Mon Sep 17 00:00:00 2001 From: Preston Vasquez Date: Tue, 2 Jun 2026 10:29:52 -0600 Subject: [PATCH 4/4] Revert libmongocrypt version bump --- etc/install-libmongocrypt.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/install-libmongocrypt.sh b/etc/install-libmongocrypt.sh index b81e5dad1e..b362219d94 100755 --- a/etc/install-libmongocrypt.sh +++ b/etc/install-libmongocrypt.sh @@ -3,7 +3,7 @@ # This script installs libmongocrypt into an "install" directory. set -eux -LIBMONGOCRYPT_TAG="1.18.2" +LIBMONGOCRYPT_TAG="1.15.1" # Install libmongocrypt based on OS. if [ "Windows_NT" = "${OS:-}" ]; then
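Review bot: In the `etc/install-libmongocrypt.sh` hunk of patch 1/4, the Windows branch fetches `libmongocrypt.pub` at install time and imports it into an empty keyring, so `gpg --batch --verify` accepts a signature from whichever key that URL served. Nothing ties the key to a known identity, which means the check is only as strong as the TLS fetch from the key host. Pinning the expected primary-key fingerprint in the script and comparing it after `gpg --import`, before `--verify`, removes that dependency; the value in the fence below is a placeholder to be filled from an out-of-band source. The three `curl -LO` calls also lack `--fail`, so an HTTP error page would be saved under the artifact name and only surface later as a gpg failure. The `else` branch still clones a tag and runs `compile.sh` with no integrity check, where comparing the cloned HEAD with a pinned commit id would be the equivalent control.

```shell
# Placeholder, not a real value: fill in the signing key's primary
# fingerprint from an out-of-band source.
EXPECTED_FPR="<LIBMONGOCRYPT_KEY_FINGERPRINT_PLACEHOLDER>"

# … unchanged: tarball, signature and public-key downloads, GNUPGHOME setup and trap …
gpg --batch --import libmongocrypt.pub
# Refuse to continue unless the keyring holds exactly the pinned primary key.
imported_fpr=$(gpg --batch --with-colons --fingerprint |
  awk -F: '$1 == "pub" { primary = 1 } $1 == "fpr" && primary { print $10; primary = 0 }')
if [ "$imported_fpr" != "$EXPECTED_FPR" ]; then
  echo "unexpected libmongocrypt signing key fingerprint: $imported_fpr" >&2
  exit 1
fi
# … unchanged: gpg --batch --verify, tar extraction, copy and cleanup …
```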