How to Verifiy Nginx Source Tarball with GPG on Ubuntu Server
Posted by noob13
|
How to Verifiy Nginx Source Tarball with GPG on Ubuntu Server March 19, 2018 08:48AM |
Registered: 6 years ago Posts: 1 |
Hi, I am new to Nginx and to PGP/GPG. I am learning how to compile Nginx Open Source from source on Ubuntu server, and want to verify the source tarball file with the PGP signature provided.
The first step is to download the latest version of Nginx Open Source and its PGP signature.
I went to the Nginx downloads page https://nginx.org/en/download.html to find the URLs of the source tarball and PGP signature for the latest stable version. I downloaded them using the wget command as follows:
$ wget https://nginx.org/download/nginx-1.12.2.tar.gz
$ wget https://nginx.org/download/nginx-1.12.2.tar.gz.asc
I started following this tutorial on how to verify tarball PGP signatures: https://www.cyberciti.biz/faq/pgp-tarball-file-signature-keys-verification/
Next, I attempted to verify the signature of the tarball by using the gpg command:
$ gpg nginx-1.12.2.tar.gz.asc
The command gives this output:
gpg: Signature made Tue 21 Apr 2015 02:14:01 PM UTC using RSA key ID A1C052F8
gpg: Can't check signature: public key not found
The check fails because I do not have the public key of the signer.
I did a web search for 'nginx pgp keys' and found this page: https://nginx.org/en/pgp_keys.html where I found "nginx public key (used for signing packages and repositories)".
I downloaded this public key using wget, and then imported it:
$ gpg --import nginx_signing.key
However, when I attempted to verify the tarball signature again, I got the same error as before.
Finally, I found a tutorial (https://www.linode.com/docs/web-servers/nginx/installing-nginx-on-ubuntu-12-04-lts-precise-pangolin/) which happened to show the same RSA key ID A1C052F8. The tutorial also showed the successful output:
gpg: Good signature from "Maxim Dounin <mdounin@mdounin.ru>"
...
which is how I was able to determine that I needed Maxim Dounin’s PGP public key from the Nginx PGP keys page.
I downloaded and imported this signature, and now the verification check shows the "Good signature..." message, followed by a warning that there is no indication the signature belongs to the owner. To proceed from here, I would have to enter the web of trust as explained in the "How Do I Build Trust?" section at the end of the nixCraft tutorial linked above.
The problem I have with all this is that I was extremely lucky to find the linode tutorial showing the PGP public key I needed, and otherwise I would not have known which of the Nginx PGP public keys to import.
Am I missing something? Is there a better way to do this? How would I have known which public key to import?
Thank you,
noob13
Edited 2 time(s). Last edit at 03/19/2018 08:49AM by noob13.
The first step is to download the latest version of Nginx Open Source and its PGP signature.
I went to the Nginx downloads page https://nginx.org/en/download.html to find the URLs of the source tarball and PGP signature for the latest stable version. I downloaded them using the wget command as follows:
$ wget https://nginx.org/download/nginx-1.12.2.tar.gz
$ wget https://nginx.org/download/nginx-1.12.2.tar.gz.asc
I started following this tutorial on how to verify tarball PGP signatures: https://www.cyberciti.biz/faq/pgp-tarball-file-signature-keys-verification/
Next, I attempted to verify the signature of the tarball by using the gpg command:
$ gpg nginx-1.12.2.tar.gz.asc
The command gives this output:
gpg: Signature made Tue 21 Apr 2015 02:14:01 PM UTC using RSA key ID A1C052F8
gpg: Can't check signature: public key not found
The check fails because I do not have the public key of the signer.
I did a web search for 'nginx pgp keys' and found this page: https://nginx.org/en/pgp_keys.html where I found "nginx public key (used for signing packages and repositories)".
I downloaded this public key using wget, and then imported it:
$ gpg --import nginx_signing.key
However, when I attempted to verify the tarball signature again, I got the same error as before.
Finally, I found a tutorial (https://www.linode.com/docs/web-servers/nginx/installing-nginx-on-ubuntu-12-04-lts-precise-pangolin/) which happened to show the same RSA key ID A1C052F8. The tutorial also showed the successful output:
gpg: Good signature from "Maxim Dounin <mdounin@mdounin.ru>"
...
which is how I was able to determine that I needed Maxim Dounin’s PGP public key from the Nginx PGP keys page.
I downloaded and imported this signature, and now the verification check shows the "Good signature..." message, followed by a warning that there is no indication the signature belongs to the owner. To proceed from here, I would have to enter the web of trust as explained in the "How Do I Build Trust?" section at the end of the nixCraft tutorial linked above.
The problem I have with all this is that I was extremely lucky to find the linode tutorial showing the PGP public key I needed, and otherwise I would not have known which of the Nginx PGP public keys to import.
Am I missing something? Is there a better way to do this? How would I have known which public key to import?
Thank you,
noob13
Edited 2 time(s). Last edit at 03/19/2018 08:49AM by noob13.
|
Re: How to Verifiy Nginx Source Tarball with GPG on Ubuntu Server March 27, 2019 03:12AM |
Registered: 5 years ago Posts: 1 |
Hi noob13,
Sorry nobody has answered your question. I realise this is a necropost and I'm going to get some heat for it, but I thought it worthwhile addressing, even if only on the off chance you get this reply.
You're right, you need to implicitly trust that the keys from https://nginx.org/en/pgp_keys.html are indeed authentic and belonging to those they claim to belong to. There is no way around this unless you received the exact same key from the person you know to actually be that person.
With that said... the point is less to verify that the key belongs to any of the nginx maintainers (we simply don't know that beyond any reasonable doubt), but to verify that whatever source or binary you're working with, wherever you got it from, hasn't been modified in some way.
You are essentially saying "I trust that the nginx maintainers provide source/software that I can safely use on my intended system" and are using the signatures and their keys to verify that whatever you're about to compile or run is actually something they've provided. Whether or not it is actually them in the background is generally irrelevant - the moment of trust was when you said that you trust their software.
And generally speaking, the most reliable source for any group's software is their website.
Let me give you a concrete example - say a colleague provided you the tarball, or you've downloaded it from a mirror or corporate caching server. By going to the nginx website and grabbing the keys and relevant signatures, you can check that your friend or whoever runs the mirror/cache you got the tarball from hasn't modified the package. It doesn't have a keylogger embedded in it, for example.
Now, if the group itself was compromised, that's a whole new world of hurt. And is beyond the scope of the PGP signature/key paradigm (at least with self signed keys - to try and mitigate that you would need to bring in 3rd party signing authorities who investigate "Yep, we checked their ID, these people are legit and we've therefore signed these keys to say they're from them."). Think of it along the lines of website SSL certificates - there are degrees of trust.
In terms of which key you needed - well, just grab them all. If none of them matched, you would know that something was off - either someone new was involved and their keyfile hadn't been provided yet (in which case you would wait), or something else has gone wrong.
Sorry nobody has answered your question. I realise this is a necropost and I'm going to get some heat for it, but I thought it worthwhile addressing, even if only on the off chance you get this reply.
You're right, you need to implicitly trust that the keys from https://nginx.org/en/pgp_keys.html are indeed authentic and belonging to those they claim to belong to. There is no way around this unless you received the exact same key from the person you know to actually be that person.
With that said... the point is less to verify that the key belongs to any of the nginx maintainers (we simply don't know that beyond any reasonable doubt), but to verify that whatever source or binary you're working with, wherever you got it from, hasn't been modified in some way.
You are essentially saying "I trust that the nginx maintainers provide source/software that I can safely use on my intended system" and are using the signatures and their keys to verify that whatever you're about to compile or run is actually something they've provided. Whether or not it is actually them in the background is generally irrelevant - the moment of trust was when you said that you trust their software.
And generally speaking, the most reliable source for any group's software is their website.
Let me give you a concrete example - say a colleague provided you the tarball, or you've downloaded it from a mirror or corporate caching server. By going to the nginx website and grabbing the keys and relevant signatures, you can check that your friend or whoever runs the mirror/cache you got the tarball from hasn't modified the package. It doesn't have a keylogger embedded in it, for example.
Now, if the group itself was compromised, that's a whole new world of hurt. And is beyond the scope of the PGP signature/key paradigm (at least with self signed keys - to try and mitigate that you would need to bring in 3rd party signing authorities who investigate "Yep, we checked their ID, these people are legit and we've therefore signed these keys to say they're from them."). Think of it along the lines of website SSL certificates - there are degrees of trust.
In terms of which key you needed - well, just grab them all. If none of them matched, you would know that something was off - either someone new was involved and their keyfile hadn't been provided yet (in which case you would wait), or something else has gone wrong.
Sorry, only registered users may post in this forum.
Online Users
Guests:
215
Record Number of Users:
8
on April 13, 2023
Record Number of Guests:
421
on December 02, 2018
This forum is powered by Phorum.
 |
 |
 |
 |
|