Re: How to Verify Nginx Source Tarball with GPG on Ubuntu Server

Hi noob13,

Sorry nobody has answered your question. I realise this is a necropost and I'm going to get some heat for it, but I thought it worthwhile addressing, even if only on the off chance you get this reply.

You're right, you need to implicitly trust that the keys from https://nginx.org/en/pgp_keys.html are indeed authentic and belonging to those they claim to belong to. There is no way around this unless you received the exact same key from the person you know to actually be that person.

With that said... the point is less to verify that the key belongs to any of the nginx maintainers (we simply don't know that beyond any reasonable doubt), but to verify that whatever source or binary you're working with, wherever you got it from, hasn't been modified in some way.

You are essentially saying "I trust that the nginx maintainers provide source/software that I can safely use on my intended system" and are using the signatures and their keys to verify that whatever you're about to compile or run is actually something they've provided. Whether or not it is actually them in the background is generally irrelevant - the moment of trust was when you said that you trust their software.

And generally speaking, the most reliable source for any group's software is their website.

Let me give you a concrete example - say a colleague provided you the tarball, or you've downloaded it from a mirror or corporate caching server. By going to the nginx website and grabbing the keys and relevant signatures, you can check that your friend or whoever runs the mirror/cache you got the tarball from hasn't modified the package. It doesn't have a keylogger embedded in it, for example.

Now, if the group itself was compromised, that's a whole new world of hurt, and it is beyond the scope of the PGP signature/key paradigm (at least with self-signed keys; to try and mitigate that you would need to bring in third-party signing authorities who investigate: "Yep, we checked their ID, these people are legit and we've therefore signed these keys to say they're from them."). Think of it along the lines of website SSL certificates: there are degrees of trust.

In terms of which key you needed - well, just grab them all. If none of them matched, you would know that something was off - either someone new was involved and their keyfile hadn't been provided yet (in which case you would wait), or something else has gone wrong.
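The "grab them all and see which one matches" procedure described in this reply, as an added shell example that is not part of the original post and not a script from the nginx project. It assumes three local files whose names are placeholders: the tarball (`nginx-X.Y.Z.tar.gz`), its detached signature (`nginx-X.Y.Z.tar.gz.asc`, published next to the tarball on nginx.org), and a file `nginx_signing_keys.asc` into which you have pasted every key block from https://nginx.org/en/pgp_keys.html. The keys are imported into a throwaway keyring so nothing is added to your user's keyring, and the three outcomes the reply distinguishes (good signature, signature from a key you don't have yet, bad or missing signature) are reported as separate exit codes.

```shell
#!/bin/sh
# Added example: verify a downloaded nginx tarball against its detached
# signature using every key from nginx.org's PGP page at once.
# Assumed inputs (placeholders): TARBALL, TARBALL.asc, and a keyfile holding
# all maintainer keys copied from https://nginx.org/en/pgp_keys.html.
set -eu

# verify_tarball TARBALL SIGNATURE KEYFILE
#   exit 0: good signature by one of the keys in KEYFILE (key id printed)
#   exit 1: bad signature, or the signature file is unusable -> do not use
#   exit 2: signature is well-formed but made by a key not in KEYFILE
#           (a new maintainer whose key is not published yet, or wrong keyfile)
#   exit 3: KEYFILE could not be imported at all
verify_tarball() {
    tarball=$1; sig=$2; keyfile=$3
    # Isolated keyring: the mirror/cache you got the tarball from never
    # touches your real keyring, and leftover keys cannot confuse later checks.
    tmphome=$(mktemp -d)
    chmod 700 "$tmphome"
    if ! gpg --homedir "$tmphome" --batch --quiet --import "$keyfile" >/dev/null 2>&1; then
        rm -rf "$tmphome"
        echo "could not import any keys from $keyfile"
        return 3
    fi
    # --status-fd 1 emits machine-readable lines ("[GNUPG:] GOODSIG ...");
    # gpg exits non-zero on any failure, so capture the status instead of aborting.
    status=$(gpg --homedir "$tmphome" --batch --status-fd 1 \
                 --verify "$sig" "$tarball" 2>/dev/null || true)
    rm -rf "$tmphome"
    case "$status" in
        *"[GNUPG:] GOODSIG"*)
            # Field 3 of the GOODSIG line is the long key id that produced the signature.
            printf '%s\n' "$status" | awk '/\[GNUPG:\] GOODSIG/ {print "good signature from key " $3; exit}'
            return 0 ;;
        *"[GNUPG:] NO_PUBKEY"*)
            echo "signature made by a key that is not in $keyfile; wait for its key to be published"
            return 2 ;;
        *)
            echo "BAD or missing signature: do not compile or run this tarball"
            return 1 ;;
    esac
}

# Stand-alone use: ./verify_nginx.sh nginx-X.Y.Z.tar.gz nginx-X.Y.Z.tar.gz.asc nginx_signing_keys.asc
if [ "$#" -eq 3 ]; then
    verify_tarball "$1" "$2" "$3"
fi
```

A GOODSIG line only proves the tarball is unmodified since one of the imported keys signed it; it says nothing about who controls that key, which is exactly the trust decision the reply says you make when you fetch the keys from nginx.org in the first place.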
