#205 closed defect (wontfix)
nginx-1.2.3.tar.gz signed with wrong key
Reported by: | Chris Riddoch | Owned by: | somebody |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | nginx-package | Version: | 1.2.x |
Keywords: | gpg signature | Cc: | |
uname -a: | | | |
nginx -V: | nginx version: nginx/1.2.3<br>built by gcc 4.6.2 (SUSE Linux) | | |
Description
The website shows that the following GPG key can be expected to be used for signing packages:
pub 2048R/7BD9BF62 2011-08-19 [expires: 2016-08-17]
uid nginx signing key <signing-key@…>
The actual signature is this:
gpg: Signature made Tue 07 Aug 2012 06:37:14 AM MDT using RSA key ID A1C052F8
gpg: Good signature from "Maxim Dounin <mdounin@…>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: B0F4 2533 73F8 F6F5 10D4 2178 520A 9993 A1C0 52F8
I presume it's trustworthy anyway. ;) Still, should be simple to fix.
It's Linux packages that are signed by the key you mentioned.
The source tarballs can be signed by any of the keys listed here:
http://www.nginx.org/en/pgp_keys.html
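The check this ticket turns on, as an added example that is not part of the ticket or of nginx's own tooling: accept a source tarball only when gpg reports a good signature whose primary-key fingerprint is on an allowlist of full fingerprints, rather than expecting one fixed key. The function names and the sample status lines are constructed for illustration, and the allowlist holds only the fingerprint quoted in the ticket.

```shell
#!/bin/sh
# Full primary-key fingerprints accepted for source tarballs. Only the one
# quoted in this ticket is listed; fill the rest from the project's keys page.
TRUSTED_FPRS="B0F4253373F8F6F510D42178520A9993A1C052F8"

# Read `gpg --status-fd` output on stdin and print the signer's primary-key
# fingerprint. Fails unless there is a GOODSIG (rules out expired or revoked
# keys) and exactly one VALIDSIG line. Field 12 is the primary key, which
# differs from field 3 when a signing subkey made the signature.
signer_fpr() {
    awk '$1 != "[GNUPG:]" { next }
         $2 == "GOODSIG"  { good = 1 }
         $2 == "VALIDSIG" { n++; fpr = (NF >= 12) ? $12 : $3 }
         END { if (!good || n != 1) exit 1; print toupper(fpr) }'
}

# Succeed only if the signer read from stdin is on the allowlist.
is_trusted_signer() {
    fpr=$(signer_fpr) || return 1
    for t in $TRUSTED_FPRS; do
        if [ "$fpr" = "$t" ]; then return 0; fi
    done
    return 1
}

# Usage: verify_tarball nginx-1.2.3.tar.gz.asc nginx-1.2.3.tar.gz
verify_tarball() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | is_trusted_signer
}

# Constructed status output (not captured from gpg): a signature by the key in
# this ticket, and one by a placeholder key that is not on the allowlist.
SAMPLE_LISTED='[GNUPG:] GOODSIG 520A9993A1C052F8 Maxim Dounin
[GNUPG:] VALIDSIG B0F4253373F8F6F510D42178520A9993A1C052F8 2012-08-07 1344343034 0 4 0 1 2 00 B0F4253373F8F6F510D42178520A9993A1C052F8'
SAMPLE_UNLISTED='[GNUPG:] GOODSIG 0000000000000001 Placeholder Signer
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2012-08-07 1344343034 0 4 0 1 2 00 0000000000000000000000000000000000000001'
```

Comparing the full 40-character fingerprint avoids relying on the 8-character key IDs shown in the ticket, which are short enough to collide.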