Welcome! Log In Create A New Profile

Advanced

How to Verifiy Nginx Source Tarball with GPG on Ubuntu Server

Posted by noob13 
How to Verifiy Nginx Source Tarball with GPG on Ubuntu Server
March 19, 2018 08:48AM
Hi, I am new to Nginx and to PGP/GPG. I am learning how to compile Nginx Open Source from source on Ubuntu server, and want to verify the source tarball file with the PGP signature provided.

The first step is to download the latest version of Nginx Open Source and its PGP signature.

I went to the Nginx downloads page https://nginx.org/en/download.html to find the URLs of the source tarball and PGP signature for the latest stable version. I downloaded them using the wget command as follows:

$ wget https://nginx.org/download/nginx-1.12.2.tar.gz

$ wget https://nginx.org/download/nginx-1.12.2.tar.gz.asc

I started following this tutorial on how to verify tarball PGP signatures: https://www.cyberciti.biz/faq/pgp-tarball-file-signature-keys-verification/

Next, I attempted to verify the signature of the tarball by using the gpg command:

$ gpg nginx-1.12.2.tar.gz.asc

The command gives this output:

gpg: Signature made Tue 21 Apr 2015 02:14:01 PM UTC using RSA key ID A1C052F8
gpg: Can't check signature: public key not found

The check fails because I do not have the public key of the signer.
I did a web search for 'nginx pgp keys' and found this page: https://nginx.org/en/pgp_keys.html where I found "nginx public key (used for signing packages and repositories)".
I downloaded this public key using wget, and then imported it:

$ gpg --import nginx_signing.key

However, when I attempted to verify the tarball signature again, I got the same error as before.

Finally, I found a tutorial (https://www.linode.com/docs/web-servers/nginx/installing-nginx-on-ubuntu-12-04-lts-precise-pangolin/) which happened to show the same RSA key ID A1C052F8. The tutorial also showed the successful output:

gpg: Good signature from "Maxim Dounin <mdounin@mdounin.ru>"
...

which is how I was able to determine that I needed Maxim Dounin’s PGP public key from the Nginx PGP keys page.

I downloaded and imported this signature, and now the verification check shows the "Good signature..." message, followed by a warning that there is no indication the signature belongs to the owner. To proceed from here, I would have to enter the web of trust as explained in the "How Do I Build Trust?" section at the end of the nixCraft tutorial linked above.

The problem I have with all this is that I was extremely lucky to find the linode tutorial showing the PGP public key I needed, and otherwise I would not have known which of the Nginx PGP public keys to import.

Am I missing something? Is there a better way to do this? How would I have known which public key to import?

Thank you,

noob13



Edited 2 time(s). Last edit at 03/19/2018 08:49AM by noob13.
Re: How to Verifiy Nginx Source Tarball with GPG on Ubuntu Server
March 27, 2019 03:12AM
Hi noob13,

Sorry nobody has answered your question. I realise this is a necropost and I'm going to get some heat for it, but I thought it worthwhile addressing, even if only on the off chance you get this reply.

You're right, you need to implicitly trust that the keys from https://nginx.org/en/pgp_keys.html are indeed authentic and belonging to those they claim to belong to. There is no way around this unless you received the exact same key from the person you know to actually be that person.

With that said... the point is less to verify that the key belongs to any of the nginx maintainers (we simply don't know that beyond any reasonable doubt), but to verify that whatever source or binary you're working with, wherever you got it from, hasn't been modified in some way.

You are essentially saying "I trust that the nginx maintainers provide source/software that I can safely use on my intended system" and are using the signatures and their keys to verify that whatever you're about to compile or run is actually something they've provided. Whether or not it is actually them in the background is generally irrelevant - the moment of trust was when you said that you trust their software.

And generally speaking, the most reliable source for any group's software is their website.

Let me give you a concrete example - say a colleague provided you the tarball, or you've downloaded it from a mirror or corporate caching server. By going to the nginx website and grabbing the keys and relevant signatures, you can check that your friend or whoever runs the mirror/cache you got the tarball from hasn't modified the package. It doesn't have a keylogger embedded in it, for example.

Now, if the group itself was compromised, that's a whole new world of hurt. And is beyond the scope of the PGP signature/key paradigm (at least with self signed keys - to try and mitigate that you would need to bring in 3rd party signing authorities who investigate "Yep, we checked their ID, these people are legit and we've therefore signed these keys to say they're from them."). Think of it along the lines of website SSL certificates - there are degrees of trust.

In terms of which key you needed - well, just grab them all. If none of them matched, you would know that something was off - either someone new was involved and their keyfile hadn't been provided yet (in which case you would wait), or something else has gone wrong.
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 83
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready