If you use NGINX Plus, NGINX Amplify, or the prebuilt NGINX Open Source binaries from nginx.org, you might need to update the GPG key for your NGINX software now.
The keys for some NGINX software – specifics are explained below – will expire on Wednesday, August 17th, and you won’t be able to verify your software signatures until you’ve updated your key. This announcement does not affect you if you obtain NGINX Open Source from providers other than NGINX, Inc. – for example, in operating system distributions.
A GPG key is part of GNU Privacy Guard, or GnuPG. GnuPG is a free implementation of the OpenPGP standard – widely known as PGP. GPG keys are used to verify that the packages in a repo were authored by the owner of the key.
Who Needs to Update the Key?
NGINX, Inc. uses GPG keys on its RPM packages and Debian/Ubuntu repositories so that you can verify the integrity and origin of the downloaded package. Many users of GPG keys set their keys to expire periodically, and the GPG key for NGINX, Inc. expires this coming August 17th. So you need to update your GPG key if you:
- Use NGINX Plus
- Use NGINX Amplify
- Use NGINX Open Source binaries provided by NGINX, Inc.
You do not need to update your GPG key if you use NGINX Open Source that is:
- From an operating system package. Most operating systems include NGINX in their repositories.
- Compiled by you from source. You can verify the source package signature directly using the gpg --verify command.
Updating the GPG Key
To switch to the updated key, simply refetch and reimport the key. The process differs by operating system.
Updating the Key on Debian/Ubuntu
If you have misconfigured keys, you will see one of the following errors when you run apt-get update:
To update your key, download the new GPG key and overwrite the old one:
To verify the expiration date on the new key, run apt-key list:
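To check expiry across a whole keyring without reading the listing by eye, the following added example (not from the original post) classifies each public key from GnuPG's --with-colons output. The helper name key_expiry_report and the sample keys are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify public keys by expiry from GnuPG's machine-readable
# --with-colons listing on stdin. "pub" record fields used: 2 = validity,
# 5 = key ID, 7 = expiration (epoch seconds in GnuPG 2.x; empty = never expires).

# key_expiry_report NOW_EPOCH WARN_DAYS   (hypothetical helper name)
key_expiry_report() {
    awk -F: -v now="$1" -v warn="$2" '
        $1 == "pub" {
            id = $5; expiry = $7
            if (expiry == "")         { print id, "no-expiry"; next }
            if (expiry !~ /^[0-9]+$/) { print id, "unparsed";  next }  # e.g. ISO dates from GnuPG 1.x
            left = int((expiry - now) / 86400)
            if ($2 == "e" || expiry + 0 <= now + 0) print id, "EXPIRED"
            else if (left <= warn + 0)              print id, "expires-in-" left "d"
            else                                    print id, "ok"
        }'
}

# Constructed sample listing: key IDs, names and dates are made up.
sample_listing() {
    cat <<'EOF'
pub:-:2048:1:AAAAAAAAAAAAAAAA:1300000000:1471392000::-:::scESC::::::23::0:
uid:-::::1300000000::0000::Constructed Signing Key <signing@example.test>::::::::::0:
pub:-:4096:1:BBBBBBBBBBBBBBBB:1400000000:::-:::scESC::::::23::0:
pub:e:2048:1:CCCCCCCCCCCCCCCC:1200000000:1300000000::-:::sc::::::23::0:
EOF
}

# Against a real keyring:
#   gpg --list-keys --with-colons | key_expiry_report "$(date +%s)" 30
sample_listing | key_expiry_report 1470000000 30
```

Run it from a scheduled job with the current time and a warning window so that an approaching expiry is noticed before package verification starts failing.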
Updating the Key on Amazon Linux, CentOS, Oracle Linux, RHEL, and SLES
Check if your repository is configured to check and validate GPG keys. By default, the check is disabled for NGINX and NGINX Plus repositories, but enabled for NGINX Amplify repositories. The check is disabled if your yum repository files in /etc/yum.repos.d include the following line:
Here’s a sample repository file, /etc/yum.repos.d/nginx.repo, with the check disabled:
In this case, no action is needed. (Note that with the check disabled, you see a warning when you install new packages, but the installation still succeeds.)
If you have explicitly configured the GPG check, you need to replace the key.
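To see which repositories actually enforce signature checking, the following added example (not from the original post) reports the gpgcheck setting of every section in a directory of yum-style .repo files. The helper names and the sample repository file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list the gpgcheck state of each section in yum-style .repo
# files. "unset" means the section inherits the [main] default from the yum
# configuration file.

# repo_gpgcheck_report DIR   (hypothetical helper name)
repo_gpgcheck_report() {
    for f in "$1"/*.repo; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" '
            function emit() { if (sec != "") print file, "[" sec "]", state }
            /^[ \t]*[#;]/ { next }                      # comment line
            /^[ \t]*\[.*\]/ {                           # [section] header
                emit()
                sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
                state = "unset"; next
            }
            /^[ \t]*gpgcheck[ \t]*=/ {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t\r]+$/, "", val)
                val = tolower(val)
                state = (val ~ /^(1|yes|true|on)$/) ? "enabled" : "disabled"
            }
            END { emit() }' "$f"
    done
}

# Constructed sample file; section names and URLs are made up.
make_sample_repo() {
    cat > "$1/nginx.repo" <<'EOF'
[nginx]
name=constructed nginx repo
baseurl=https://repo.example.test/nginx/
gpgcheck=0
enabled=1

[nginx-amplify]
name=constructed amplify repo
baseurl=https://repo.example.test/amplify/
gpgcheck=1

[other]
name=section without an explicit setting
EOF
}

# Usage: repo_gpgcheck_report /etc/yum.repos.d
```

Sections reported as enabled are the ones that stop installing packages once the imported key no longer validates, so those hosts need the key replaced first.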
You can check the authenticity of locally downloaded packages by running the rpm -K command:
- If the key is missing, you see this error:
- If the key is correctly configured, you see this message:
Perform the following steps to update the GPG key:
- Check if you currently have the NGINX GPG key installed: If the key is installed, the output includes the release number and build date: If it is not installed, this message appears:
- Remove the current NGINX GPG key:
- Download and install the new key: (There is no confirming output on these platforms.)
- Check the release and build date information for the new GPG key:
Updating the Key on FreeBSD
The FreeBSD package management system does not use a GPG key, so no action is necessary.
Verifying the Authenticity of a GPG Key
You can additionally verify the authenticity of the downloaded GPG key. GPG uses the “Web of trust” concept: a key can be signed with someone else’s key, which in turn is signed by another key, and so on.
This approach often makes it possible to build a chain between an arbitrary key and the key of someone you know and trust personally, thus verifying the authenticity of the first key in the chain. This concept is described in detail in the GPG Mini Howto. Keys from NGINX, Inc. have enough signatures that their authenticity is relatively easy to check.
Getting Support
To get support while updating your GPG key:
- NGINX Plus customers – Please contact our support team
- NGINX Open Source users – Get support from other NGINX community members
- NGINX Amplify – Sign in to NGINX Amplify and click the ? icon in the lower right corner of the screen