
JAVA-6187 Upgrade libcrypt version to 1.18.1#1983

Open

strogiyotec wants to merge 6 commits into mongodb:main from strogiyotec:JAVA-6187

Conversation

Contributor

@strogiyotec strogiyotec commented May 21, 2026

JAVA-6187
Upgrading libcrypt version to 1.18.1.
Also, the artifact location changed from S3 to GitHub.

Risks

This PR assumes gpg is installed, which might not be the case on Windows.

Resolution of risks

There is a new flag -PskipCryptVerify=true that will skip gpg verification

Warnings (not applicable, I passed --quiet as suggested by Ross)

If you run ./gradlew :mongodb-crypt:downloadJnaLib locally, it will give a few warnings:

> Task :mongodb-crypt:downloadJava UP-TO-DATE
Download https://github.com/mongodb/libmongocrypt/releases/download/1.18.1/libmongocrypt-linux-x86_64-glibc_2_7-nocrypto-1.18.1.asc
Download https://github.com/mongodb/libmongocrypt/releases/download/1.18.1/libmongocrypt-linux-s390x-glibc_2_7-nocrypto-1.18.1.asc
Download https://github.com/mongodb/libmongocrypt/releases/download/1.18.1/libmongocrypt-linux-x86_64-glibc_2_7-nocrypto-1.18.1.tar.gz
Download https://github.com/mongodb/libmongocrypt/releases/download/1.18.1/libmongocrypt-linux-s390x-glibc_2_7-nocrypto-1.18.1.tar.gz
Download https://github.com/mongodb/libmongocrypt/releases/download/1.18.1/libmongocrypt-linux-ppc64le-glibc_2_17-nocrypto-1.18.1.tar.gz
Download https://github.com/mongodb/libmongocrypt/releases/download/1.18.1/libmongocrypt-linux-ppc64le-glibc_2_17-nocrypto-1.18.1.asc
Download https://github.com/mongodb/libmongocrypt/releases/download/1.18.1/libmongocrypt-linux-arm64-glibc_2_17-nocrypto-1.18.1.tar.gz
Download https://github.com/mongodb/libmongocrypt/releases/download/1.18.1/libmongocrypt-linux-arm64-glibc_2_17-nocrypto-1.18.1.asc
Download https://github.com/mongodb/libmongocrypt/releases/download/1.18.1/libmongocrypt-windows-x86_64-1.18.1.tar.gz
Download https://github.com/mongodb/libmongocrypt/releases/download/1.18.1/libmongocrypt-windows-x86_64-1.18.1.asc
Download https://github.com/mongodb/libmongocrypt/releases/download/1.18.1/libmongocrypt-macos-universal-1.18.1.tar.gz
Download https://github.com/mongodb/libmongocrypt/releases/download/1.18.1/libmongocrypt-macos-universal-1.18.1.asc
Download https://pgp.mongodb.com/libmongocrypt.pub

> Task :mongodb-crypt:verifyJava
gpg: keybox '/home/almas/repos/mongo-java-driver/mongodb-crypt/build/jnaLibs/gnupg/pubring.kbx' created
gpg: /home/almas/repos/mongo-java-driver/mongodb-crypt/build/jnaLibs/gnupg/trustdb.gpg: trustdb created
gpg: key 81F1404DEBACA586: public key "Libmongocrypt Release Signing Key <packaging@mongodb.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: Signature made Fri May  8 05:08:55 2026 PDT
gpg:                using RSA key F2F5BF4ABF517E039AFCADAA81F1404DEBACA586
gpg: Good signature from "Libmongocrypt Release Signing Key <packaging@mongodb.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

The reason is that gpg doesn't know whether the key is trusted, as we arbitrarily downloaded it.

Running the same command from a shell gives the same output.

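As an added illustration (not code from this PR or from the mongo-java-driver build), the two checks a reviewer would want around a step like this: pinning the fingerprint of the imported release key, so that a substituted key does not silently verify its own tarballs, and pairing each tarball with its `.asc` by file name rather than by list position. The fingerprint and key ID are the ones gpg printed above; the colon-format key listing is a constructed sample of what `gpg --with-colons --fingerprint` emits for a one-key homedir, and the file names follow the release assets in the download output. The `subprocess` helper only shows the command whose output the parser expects and is not run by the sample.

```python
"""Pin the release signing key and pair tarballs with their detached signatures.

Constructed example for a native-library download/verify step; it is not the
mongo-java-driver build code. It assumes signatures are named <tarball
basename without .tar.gz>.asc, as in the libmongocrypt 1.18.1 release assets.
"""
import subprocess
from pathlib import PurePosixPath

# Fingerprint of the libmongocrypt release signing key as printed by gpg
# in the PR description (key ID 81F1404DEBACA586).
PINNED_FINGERPRINT = "F2F5BF4ABF517E039AFCADAA81F1404DEBACA586"

# Constructed sample of `gpg --homedir <dir> --with-colons --fingerprint`
# output after importing libmongocrypt.pub. Timestamps are placeholders.
SAMPLE_COLONS_OUTPUT = """\
tru::1:1700000000:0:3:1:5
pub:-:4096:1:81F1404DEBACA586:1600000000:::-:::scESC::::::23::0:
fpr:::::::::F2F5BF4ABF517E039AFCADAA81F1404DEBACA586:
uid:-::::1600000000::0123456789ABCDEF0123456789ABCDEF01234567::Libmongocrypt Release Signing Key <packaging@mongodb.com>::::::::::0:
"""


def imported_fingerprints(colons_output: str) -> set:
    """Return the primary-key fingerprints found in gpg --with-colons output.

    In the colon format the fingerprint is field 10 of an 'fpr' record
    (index 9 after splitting on ':'). The 'fpr' record that directly follows
    a 'pub' record belongs to the primary key; those following 'sub' records
    are subkey fingerprints and are skipped.
    """
    fingerprints = set()
    last_kind = ""
    for line in colons_output.splitlines():
        fields = line.split(":")
        kind = fields[0]
        if kind == "fpr" and last_kind == "pub" and len(fields) > 9:
            fingerprints.add(fields[9].upper())
        last_kind = kind
    return fingerprints


def check_pinned_key(colons_output: str, pinned: str = PINNED_FINGERPRINT) -> bool:
    """True only when the keyring holds exactly the pinned key and nothing else.

    Requiring exactly one key matters because `gpg --verify` accepts a signature
    from any key present in the homedir, not just the one you meant to import.
    """
    return imported_fingerprints(colons_output) == {pinned.upper()}


def pair_signatures(tarballs, signatures) -> dict:
    """Map each tarball path to the signature path whose name matches it.

    Fails if any tarball lacks a signature or any signature is left over,
    instead of trusting that two file lists happen to iterate in the same order.
    """
    by_name = {PurePosixPath(s).name: s for s in signatures}
    pairs = {}
    for tarball in tarballs:
        name = PurePosixPath(tarball).name
        if not name.endswith(".tar.gz"):
            raise ValueError(f"unexpected tarball name: {name}")
        sig_name = name[: -len(".tar.gz")] + ".asc"
        if sig_name not in by_name:
            raise FileNotFoundError(f"no signature for {name}")
        pairs[tarball] = by_name.pop(sig_name)
    if by_name:
        raise ValueError(f"unmatched signatures: {sorted(by_name)}")
    return pairs


def list_keyring(homedir: str) -> str:
    """Run gpg against a homedir and return the colon-format key listing.

    This is the command whose output the parser above expects; it is not
    invoked by the sample run below, which works offline.
    """
    return subprocess.run(
        ["gpg", "--homedir", homedir, "--batch", "--with-colons", "--fingerprint"],
        check=True, capture_output=True, text=True,
    ).stdout


if __name__ == "__main__":
    # Constructed download-directory listing, deliberately out of order.
    tarballs = [
        "build/jnaLibs/libmongocrypt-linux-x86_64-glibc_2_7-nocrypto-1.18.1.tar.gz",
        "build/jnaLibs/libmongocrypt-macos-universal-1.18.1.tar.gz",
    ]
    signatures = [
        "build/jnaLibs/libmongocrypt-macos-universal-1.18.1.asc",
        "build/jnaLibs/libmongocrypt-linux-x86_64-glibc_2_7-nocrypto-1.18.1.asc",
    ]
    if not check_pinned_key(SAMPLE_COLONS_OUTPUT):
        raise SystemExit("imported key does not match the pinned fingerprint")
    for tarball, sig in pair_signatures(tarballs, signatures).items():
        print(f"verify {sig} against {tarball}")
```

In a Gradle task this would sit between the `--import` and the `--verify` calls: list the fresh homedir, fail the build unless the only key present is the pinned one, then verify each tarball against the signature chosen by name. With the key pinned, the untrusted-key WARNING in the description carries no information you do not already have, which is why silencing it with `--quiet` or `--trust-model always` is harmless only once this check is in place.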
@strogiyotec strogiyotec requested a review from a team as a code owner May 21, 2026 15:51
@strogiyotec strogiyotec requested review from Copilot, rozza and vbabanin and removed request for rozza May 21, 2026 15:51
Contributor

Copilot AI left a comment


Pull request overview

Updates the mongodb-crypt module’s bundled libmongocrypt native library download process to use libmongocrypt’s 1.18.1 GitHub release assets (instead of S3) and adds GPG signature verification of the downloaded tarballs.

Changes:

  • Bump libmongocrypt download revision to 1.18.1 and switch download base URL to GitHub releases.
  • Download per-platform tarballs (+ .asc signatures) and extract only the needed native library into the JNA resources directory.
  • Add a Gradle task that verifies tarball signatures via gpg, with an opt-out via -PskipCryptVerify=true.


Comment thread mongodb-crypt/build.gradle.kts Outdated
Comment on lines +173 to +178
val tarballList = tarballs.files.toList()
val signatureList = signatures.files.toList()
check(tarballList.size == signatureList.size) {
"Expected each tarball to have a matching signature: ${tarballList.size} tarballs vs ${signatureList.size} signatures."
}
tarballList.zip(signatureList).forEach { (tarball, signature) ->
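Review bot: pairing by position in `tarballList.zip(signatureList)` (lines +173 to +178) relies on both file collections iterating in the same order; the size `check` only guarantees equal counts, not that each tarball is verified against its own signature. Pair by name instead, following the release asset naming shown in the download output (`<name>-1.18.1.tar.gz` is signed by `<name>-1.18.1.asc`), e.g. `val signature = signatures.files.single { it.name == tarball.name.removeSuffix(".tar.gz") + ".asc" }`, so a missing or mismatched signature fails loudly.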
Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.

Comment thread mongodb-crypt/build.gradle.kts Outdated
setExecutable(true, true)
}

execOps.exec { commandLine("gpg", "--homedir", home.path, "--batch", "--import", publicKey.get().asFile.path) }
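Review bot: the `--import` on this line trusts whatever `publicKey` currently holds, and since the key (https://pgp.mongodb.com/libmongocrypt.pub) and the tarballs are both fetched over the network, a substituted key would verify its own tarballs just as well. Pin the expected key: after the import, list the fresh homedir with `gpg --homedir ... --with-colons --fingerprint` and `check()` that the only `fpr` record equals the release key fingerprint shown in the description (F2F5BF4ABF517E039AFCADAA81F1404DEBACA586), failing the build otherwise.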
Contributor Author


let's skip it for now, as we know that we are downloading from a trusted source

Comment on lines +126 to +133
abstract class VerifyLibmongocryptTask : DefaultTask() {
@get:Inject abstract val execOps: ExecOperations

@get:InputFiles abstract val tarballs: ConfigurableFileCollection
@get:InputFiles abstract val signatures: ConfigurableFileCollection
@get:InputFile abstract val publicKey: RegularFileProperty
@get:Input abstract val skipVerify: Property<Boolean>

Comment thread mongodb-crypt/build.gradle.kts Outdated
Comment on lines +191 to +192
execOps.exec {
commandLine("gpg", "--homedir", home.path, "--batch", "--verify", signature.path, tarball.path)
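Review bot: `execOps.exec` fails the build on a non-zero exit by default, so a bad or missing signature aborts the build here as intended; note, though, that `--verify` succeeds for a signature from any key in `home`, and the `--trust-model always` proposed in the suggestion below silences the untrusted-key WARNING from the description rather than resolving it. That is acceptable only because `home` is a fresh keyring holding the single key imported above, which makes the import step the place where the key identity has to be pinned; if the verify step itself should enforce it, add `--status-fd 1` and check that the `VALIDSIG` status line carries the expected fingerprint.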
Member


Suggested change
execOps.exec {
commandLine("gpg", "--homedir", home.path, "--batch", "--verify", signature.path, tarball.path)
execOps.exec {
commandLine("gpg", "--homedir", home.path, "--batch", "--trust-model", "always", "--quiet", "--verify", signature.path, tarball.path)
}

Will reduce the noise from gpg

Contributor Author


thanks, addressed it here

Comment thread mongodb-crypt/build.gradle.kts Outdated
setExecutable(true, true)
}

execOps.exec { commandLine("gpg", "--homedir", home.path, "--batch", "--import", publicKey.get().asFile.path) }
Member


Suggested change
execOps.exec { commandLine("gpg", "--homedir", home.path, "--batch", "--import", publicKey.get().asFile.path) }
execOps.exec { commandLine("gpg", "--homedir", home.path, "--batch", "--quiet", "--import", publicKey.get().asFile.path) }

Added the quiet flag to reduce noise

Contributor Author

@strogiyotec strogiyotec May 21, 2026


thanks, addressed it here

Member

@rozza rozza left a comment


Like this. Couple of optional suggestions.

You may want to change the task names; downloadJava no longer makes sense, as it used to be the Java tarball. For example: downloadCryptLibs, verifyCryptLibs and extractCryptLibs make more sense now than downloadJava, verifyJava and unzipJava.

One gripe from the existing implementation: you might want to make downloading optional, e.g.:

 overwrite(false)
  onlyIf { !file("$jnaDownloadsDir/${platform.tarballName}.tar.gz").exists() }

That way it would work without having to check if modified and offline. Also, we can bypass all of this if jnaLibsPath is set.

@vbabanin vbabanin self-assigned this May 22, 2026