Updating the GPG Key for NGINX Products

If you use NGINX Plus, NGINX Amplify, or the prebuilt open source NGINX binaries from nginx.org, you might need to update the GPG key for your NGINX software now.

The keys for some NGINX software – specifics are explained below – will expire on Wednesday, August 17th, and you won’t be able to verify your software signatures until you’ve updated your key. This announcement does not affect you if you obtain open source NGINX from providers other than NGINX, Inc. – for example, in operating system distributions.

A GPG key is part of Gnu Privacy Guard, or GnuPG. GnuPG is a free implementation of the OpenPGP standard – widely known as PGP. GPG keys are used to verify that the packages in a repo were authored by the owner of the key.

Who Needs to Update the Key?

NGINX, Inc. uses GPG keys on its RPM packages and Debian/Ubuntu repositories so that you can verify the integrity and origin of the downloaded package. Many users of GPG keys set their keys to expire periodically, and the GPG key for NGINX, Inc. expires this coming August 17th. So you need to update your GPG key if you:

  • Use NGINX Plus
  • Use NGINX Amplify
  • Use open source NGINX binaries provided by NGINX, Inc.

You do not need to update your GPG key if you use open source NGINX that is:

  • From an operating system package. Most operating systems include NGINX in their repositories.
  • Compiled by you from source. You can verify the source package signature directly using the gpg --verify command.

Updating the GPG Key

To switch to the updated key, simply refetch and reimport the key. The process differs by operating system.

Updating the Key on Debian/Ubuntu

If you have misconfigured keys, you will see one of the following errors when you run apt-get update:

nginx/x86_64/signature                                                   | 2.9 kB  00:00:10 !!!
http://nginx.org/packages/mainline/centos/7/x86_64/repodata/repomd.xml: [Errno -1] repomd.xml signature could not be verified for nginx
nginx/x86_64/signature                                                   | 2.9 kB  00:00:00 !!!
http://nginx.org/packages/mainline/centos/7/x86_64/repodata/repomd.xml: [Errno -1] Gpg Keys not imported, cannot verify repomd.xml for repo nginx

To update your key, download the new GPG key and overwrite the old one:

# curl -O https://nginx.org/keys/nginx_signing.key && apt-key add ./nginx_signing.key

To verify the expiration date on the new key, run apt-key list:

# apt-key list
...
pub 2048R/7BD9BF62 2011-08-19 [expires: 2024-06-14]
uid nginx signing key <signing-key@nginx.com>
...

Updating the Key on Amazon Linux, CentOS, Oracle Linux, RHEL, and SLES

Check if your repository is configured to check and validate GPG keys. By default, the check is disabled for NGINX and NGINX Plus repositories, but enabled for NGINX Amplify repositories. The check is disabled if your yum repository files in /etc/yum.repos.d include the following line:

gpgcheck=0

Here’s a sample repository file, /etc/yum.repos.d/nginx.repo, with the check disabled:

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/mainline/centos/7/$basearch/
gpgcheck=0
enabled=1

In this case, no action is needed. (Note that with the check disabled, you see a warning when you install new packages, but the installation still succeeds.)

If you have explicitly configured the GPG check, you need to replace the key.

You can check the authenticity of locally downloaded packages by running the rpm -K command:

  • If the key is missing, you see this error:

    # rpm -K nginx-1.11.3-1.el7.ngx.x86_64.rpm
    nginx-1.11.3-1.el7.ngx.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#7bd9bf62)
  • If the key is correctly configured, you see this message:

  • # rpm -K nginx-1.11.3-1.el7.ngx.x86_64.rpm
    nginx-1.11.3-1.el7.ngx.x86_64.rpm: rsa sha1 (md5) pgp md5 OK

Perform the following steps to update the GPG key:

  1. Check if you currently have the NGINX GPG key installed:

    # rpm -qi gpg-pubkey-7bd9bf62-*

    If the key is installed, the output includes the release number and build date:

    ...
    Release : 5762b5f8
    ...
    Build Date : Fri 19 Aug 2011 05:52:34 AM EDT
    ...

    If it is not installed, this message appears:

    package gpg-pubkey-7bd9bf62-* is not installed
  2. Remove the current NGINX GPG key:

    # rpm -e --allmatches gpg-pubkey-7bd9bf62-*
  3. Download and install the new key:

    # curl -O https://nginx.org/keys/nginx_signing.key
    # rpm --import ./nginx_signing.key

    (There is no confirming output on these platforms.)

  4. Check the release and build date information for new GPG key:

    # rpm -qi gpg-pubkey-7bd9bf62-*
    ...
    Release : 4e4e3262
    ...
    Build Date : Thu 16 Jun 2016 10:21:44 AM EDT

Updating the Key on FreeBSD

The FreeBSD package management system does not use a GPG key, so no action is necessary.

Verifying the Authenticity of a GPG Key

You can additionally verify the authenticity of the downloaded GPG key. GPG uses the “Web of trust” concept: a key can be signed with someone else’s key, which in turn is signed by another key, and so on.

This approach often makes it possible to build a chain between an arbitrary key and the key of someone you know and trust personally, thus verifying the authenticity of the first key in the chain. This concept is described in detail in the GPG Mini Howto. Keys from NGINX, Inc. have enough signatures that their authenticity is relatively easy to check.

Getting Support

To get support while updating your GPG key:

Cover image
Are your applications secure?
Learn how to protect your apps with NGINX and NGINX Plus