If you use NGINX Plus, NGINX Amplify, or the prebuilt NGINX Open Source binaries from nginx.org, you might need to update the GPG key for your NGINX software now.
The keys for some NGINX software – specifics are explained below – will expire on Wednesday, August 17th, and you won’t be able to verify your software signatures until you’ve updated your key. This announcement does not affect you if you obtain NGINX Open Source from providers other than NGINX, Inc. – for example, in operating system distributions.
A GPG key is part of Gnu Privacy Guard, or GnuPG. GnuPG is a free implementation of the OpenPGP standard – widely known as PGP. GPG keys are used to verify that the packages in a repo were authored by the owner of the key.
NGINX, Inc. uses GPG keys on its RPM packages and Debian/Ubuntu repositories so that you can verify the integrity and origin of the downloaded package. Many users of GPG keys set their keys to expire periodically, and the GPG key for NGINX, Inc. expires this coming August 17th. So you need to update your GPG key if you:
You do not need to update your GPG key if you use NGINX Open Source that is:
gpg --verify command. To switch to the updated key, simply refetch and reimport the key. The process differs by operating system.
If you have misconfigured keys, you will see one of the following errors when you run apt-get update:
nginx/x86_64/signature | 2.9 kB 00:00:10 !!!
http://nginx.org/packages/mainline/centos/7/x86_64/repodata/repomd.xml: [Errno -1] repomd.xml signature could not be verified for nginx
nginx/x86_64/signature | 2.9 kB 00:00:00 !!!
http://nginx.org/packages/mainline/centos/7/x86_64/repodata/repomd.xml: [Errno -1] Gpg Keys not imported, cannot verify repomd.xml for repo nginx
To update your key, download the new GPG key and overwrite the old one:
# curl -O https://nginx.org/keys/nginx_signing.key && apt-key add ./nginx_signing.key
To verify the expiration date on the new key, run apt-key list:
# apt-key list
...
pub 2048R/7BD9BF62 2011-08-19 [expires: 2024-06-14]
uid nginx signing key <signing-key@nginx.com>
...
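As an added example (not code from the original post), the following Python parses the classic apt-key list / gpg --list-keys layout shown above and reports keys that have already expired or will expire within a warning window. The sample listing is constructed; the 0BADC0DE and ABCDEF01 key ids in it are placeholders, not real NGINX keys.

```python
"""Flag keys in classic `apt-key list` / `gpg --list-keys` output that expire soon."""
import re
from datetime import date, timedelta

# "pub" line as printed by gpg 1.x / apt-key (the layout shown on the page), e.g.
#   pub   2048R/7BD9BF62 2011-08-19 [expires: 2024-06-14]
# The bracketed part is optional; gpg prints "expired:" once the date has passed.
PUB_LINE = re.compile(
    r"^pub\s+\S+/(?P<keyid>[0-9A-Fa-f]{8,16})\s+\d{4}-\d{2}-\d{2}"
    r"(?:\s+\[(?:expires|expired):\s+(?P<when>\d{4}-\d{2}-\d{2})\])?"
)

def parse_keys(listing):
    """Return [(keyid, expiry)] with expiry as 'YYYY-MM-DD' or None."""
    keys = []
    for line in listing.splitlines():
        m = PUB_LINE.match(line.strip())
        if m:
            keys.append((m.group("keyid").upper(), m.group("when")))
    return keys

def keys_needing_attention(listing, today, warn_days=30):
    """Return [(keyid, expiry, already_expired)] for keys that have expired
    or will expire within warn_days of `today` (an ISO date string)."""
    today_d = date.fromisoformat(today)
    deadline = today_d + timedelta(days=warn_days)
    flagged = []
    for keyid, expiry in parse_keys(listing):
        if expiry is None:
            continue  # no expiry date: nothing to renew
        expiry_d = date.fromisoformat(expiry)
        if expiry_d <= deadline:
            flagged.append((keyid, expiry, expiry_d < today_d))
    return flagged

# Constructed sample listing (not captured from a real host): the page's renewed
# NGINX key, a stale copy that has lapsed, and an unrelated key with no expiry.
SAMPLE_LISTING = """\
pub   2048R/7BD9BF62 2011-08-19 [expires: 2024-06-14]
uid                  nginx signing key <signing-key@nginx.com>
pub   2048R/0BADC0DE 2011-08-19 [expired: 2016-06-01]
uid                  stale copy (constructed) <signing-key@nginx.com>
pub   4096R/ABCDEF01 2015-01-01
uid                  key without expiry (constructed) <noreply@example.invalid>
"""

if __name__ == "__main__":
    for keyid, expiry, expired in keys_needing_attention(SAMPLE_LISTING, "2016-08-10"):
        print(f"{keyid}: {'expired on' if expired else 'expires'} {expiry}")
```

GnuPG 2.1 and later print the pub line in a different layout (algorithm name instead of size/keyid, fingerprint on the following line), so the regular expression must be adapted for those versions.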
Check if your repository is configured to check and validate GPG keys. By default, the check is disabled for NGINX and NGINX Plus repositories, but enabled for NGINX Amplify repositories. The check is disabled if your yum repository files in /etc/yum.repos.d include the following line:
gpgcheck=0
Here’s a sample repository file, /etc/yum.repos.d/nginx.repo, with the check disabled:
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/mainline/centos/7/$basearch/
gpgcheck=0
enabled=1
In this case, no action is needed. (Note that with the check disabled, you see a warning when you install new packages, but the installation still succeeds.)
If you have explicitly configured the GPG check, you need to replace the key.
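To audit a repository file for this setting, here is an added Python example (not part of the original post) that reports every repo whose gpgcheck is not explicitly set to 1. The [nginx] section is the page's own sample; the [nginx-checked] section is a constructed hardened variant, not an official NGINX repo definition.

```python
"""Audit a yum .repo file for repositories whose GPG check is not turned on."""
import configparser

def repos_without_gpgcheck(repo_text):
    """Return the names of repos whose gpgcheck is 0 or not set at all.
    A repo with no gpgcheck line inherits the [main] value from yum.conf, so
    it is reported here as 'not explicitly enabled' rather than assumed safe."""
    cp = configparser.ConfigParser(interpolation=None)  # keep $basearch literal
    cp.read_string(repo_text)
    return [s for s in cp.sections()
            if cp.get(s, "gpgcheck", fallback="").strip() != "1"]

# The page's sample /etc/yum.repos.d/nginx.repo (check disabled) followed by a
# constructed variant of the same repo with the check enabled and the key URL set.
SAMPLE_REPO = """\
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/mainline/centos/7/$basearch/
gpgcheck=0
enabled=1

[nginx-checked]
name=nginx repo (constructed example with signature checking on)
baseurl=http://nginx.org/packages/mainline/centos/7/$basearch/
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1
"""

if __name__ == "__main__":
    for name in repos_without_gpgcheck(SAMPLE_REPO):
        print(f"[{name}]: gpgcheck is not enabled for this repo")
```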
You can check the authenticity of locally downloaded packages by running the rpm -K command:
If the key is missing, you see this error:
# rpm -K nginx-1.11.3-1.el7.ngx.x86_64.rpm
nginx-1.11.3-1.el7.ngx.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#7bd9bf62)
If the key is correctly configured, you see this message:
# rpm -K nginx-1.11.3-1.el7.ngx.x86_64.rpm
nginx-1.11.3-1.el7.ngx.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
Perform the following steps to update the GPG key:
Check if you currently have the NGINX GPG key installed:
# rpm -qi gpg-pubkey-7bd9bf62-*
If the key is installed, the output includes the release number and build date:
...
Release : 5762b5f8
...
Build Date : Fri 19 Aug 2011 05:52:34 AM EDT
...
If it is not installed, this message appears:
package gpg-pubkey-7bd9bf62-* is not installed
Remove the current NGINX GPG key:
# rpm -e --allmatches gpg-pubkey-7bd9bf62-*
Download and install the new key:
# curl -O https://nginx.org/keys/nginx_signing.key
# rpm --import ./nginx_signing.key
(There is no confirming output on these platforms.)
Check the release and build date information for the new GPG key:
# rpm -qi gpg-pubkey-7bd9bf62-*
...
Release : 4e4e3262
...
Build Date : Thu 16 Jun 2016 10:21:44 AM EDT
The FreeBSD package management system does not use a GPG key, so no action is necessary.
You can additionally verify the authenticity of the downloaded GPG key. GPG uses the “Web of trust” concept: a key can be signed with someone else’s key, which in turn is signed by another key, and so on.
This approach often makes it possible to build a chain between an arbitrary key and the key of someone you know and trust personally, thus verifying the authenticity of the first key in the chain. This concept is described in detail in the GPG Mini Howto. Keys from NGINX, Inc. have enough signatures that their authenticity is relatively easy to check.
To get support while updating your GPG key: