Hi, I am new to Nginx and to PGP/GPG. I am learning how to compile Nginx Open Source from source on Ubuntu server, and want to verify the source tarball file with the PGP signature provided.
The first step is to download the latest version of Nginx Open Source and its PGP signature.
I went to the Nginx downloads page https://nginx.org/en/download.html to find the URLs of the source tarball and PGP signature for the latest stable version. I downloaded them using the wget command as follows:
$ wget https://nginx.org/download/nginx-1.12.2.tar.gz
$ wget https://nginx.org/download/nginx-1.12.2.tar.gz.asc
I started following this tutorial on how to verify tarball PGP signatures: https://www.cyberciti.biz/faq/pgp-tarball-file-signature-keys-verification/
Next, I attempted to verify the signature of the tarball by using the gpg command:
$ gpg nginx-1.12.2.tar.gz.asc
The command gives this output:
gpg: Signature made Tue 21 Apr 2015 02:14:01 PM UTC using RSA key ID A1C052F8
gpg: Can't check signature: public key not found
The check fails because I do not have the public key of the signer.
I did a web search for 'nginx pgp keys' and found this page: https://nginx.org/en/pgp_keys.html where I found "nginx public key (used for signing packages and repositories)".
I downloaded this public key using wget, and then imported it:
$ gpg --import nginx_signing.key
However, when I attempted to verify the tarball signature again, I got the same error as before.
Finally, I found a tutorial (https://www.linode.com/docs/web-servers/nginx/installing-nginx-on-ubuntu-12-04-lts-precise-pangolin/) which happened to show the same RSA key ID A1C052F8. The tutorial also showed the successful output:
gpg: Good signature from "Maxim Dounin <mdounin@mdounin.ru>"
...
which is how I was able to determine that I needed Maxim Dounin’s PGP public key from the Nginx PGP keys page.
I downloaded and imported this signature, and now the verification check shows the "Good signature..." message, followed by a warning that there is no indication the signature belongs to the owner. To proceed from here, I would have to enter the web of trust as explained in the "How Do I Build Trust?" section at the end of the nixCraft tutorial linked above.
The problem I have with all this is that I was extremely lucky to find the Linode tutorial showing the PGP public key I needed, and otherwise I would not have known which of the Nginx PGP public keys to import.
Am I missing something? Is there a better way to do this? How would I have known which public key to import?
Thank you,
noob13
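Added example, not part of the original post: the .asc file itself names the signing key. A v4 OpenPGP signature packet carries an Issuer subpacket (RFC 4880 type 16) holding the signer's 64-bit key ID, and gpg's "RSA key ID A1C052F8" line is the low 32 bits of that value, so the very first failing gpg run already said which key from https://nginx.org/en/pgp_keys.html was needed. The script below reads that ID straight out of a detached signature in pure Python 3 with no gpg and no keyring; it handles the old-format packet headers and the 1- and 2-octet subpacket lengths GnuPG writes, and the embedded sample signature with its key ID 0123456789ABCDEF is a constructed placeholder, not a real nginx signature.

```python
import base64


def dearmor(text: str) -> bytes:
    """Decode the base64 body of a PGP armor block (armor headers and the "=XXXX" CRC24 line skipped)."""
    lines = text.splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN"))
    end = next(i for i, l in enumerate(lines) if l.startswith("-----END"))
    blank = next((i for i in range(start + 1, end) if not lines[i].strip()), start)  # headers end here
    body = [l.strip() for l in lines[blank + 1:end] if not l.startswith("=")]
    return base64.b64decode("".join(body))


def subpackets(area: bytes):
    """Yield (type, body) for each signature subpacket (RFC 4880 5.2.3.1, 1- and 2-octet lengths)."""
    i = 0
    while i < len(area):
        if area[i] < 192:
            length, i = area[i], i + 1
        else:
            length, i = ((area[i] - 192) << 8) + area[i + 1] + 192, i + 2
        yield area[i], area[i + 1:i + length]   # first body octet is the subpacket type
        i += length


def issuer_key_ids(armored: str) -> list:
    """Return the 64-bit issuer key IDs (hex) named by every v4 signature packet in the armor."""
    data, ids, i = dearmor(armored), [], 0
    while i < len(data):
        if data[i] & 0xC0 != 0x80 or data[i] & 3 == 3:   # expect old-format, definite-length header
            raise ValueError("unsupported packet header at offset %d" % i)
        tag, n = (data[i] >> 2) & 0x0F, 1 << (data[i] & 3)   # n = number of length octets (1, 2 or 4)
        length = int.from_bytes(data[i + 1:i + 1 + n], "big")
        body, i = data[i + 1 + n:i + 1 + n + length], i + 1 + n + length
        if tag == 2 and body[0] == 4:                        # tag 2 = signature packet, version 4 layout
            hl = int.from_bytes(body[4:6], "big")            # hashed subpacket area length
            ul = int.from_bytes(body[6 + hl:8 + hl], "big")  # unhashed subpacket area length
            area = body[6:6 + hl] + body[8 + hl:8 + hl + ul]
            ids += [sb.hex().upper() for st, sb in subpackets(area) if st == 16]   # 16 = Issuer
    return ids


def sample_signature() -> str:
    """Constructed minimal v4 RSA/SHA-256 signature with a placeholder issuer; not a real nginx signature."""
    hashed = b"\x05\x02" + bytes(4)                                  # creation-time subpacket, time zeroed
    unhashed = b"\x09\x10" + bytes.fromhex("0123456789ABCDEF")       # Issuer subpacket, placeholder key ID
    body = b"\x04\x00\x01\x08" + b"\x00\x06" + hashed + b"\x00\x0a" + unhashed
    body += b"\x00\x00" + b"\x00\x08\xff"                            # hash prefix, one dummy MPI
    packet = bytes([0x88, len(body)]) + body                         # old-format header: tag 2, 1-octet length
    return f"-----BEGIN PGP SIGNATURE-----\n\n{base64.b64encode(packet).decode()}\n-----END PGP SIGNATURE-----\n"
```

Running `issuer_key_ids(open("nginx-1.12.2.tar.gz.asc").read())` prints the real signer's full 64-bit key ID; match that whole value (or the key's fingerprint) against the keys on the nginx PGP keys page rather than only the 8-digit short ID, since short IDs are cheap to collide.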