Opened 12 years ago

Closed 12 years ago

Last modified 3 years ago

#205 closed defect (wontfix)

nginx-1.2.3.tar.gz signed with wrong key

Reported by: Chris Riddoch Owned by: somebody
Priority: major Milestone:
Component: nginx-package Version: 1.2.x
Keywords: gpg signature Cc:
uname -a:
nginx -V: nginx version: nginx/1.2.3
built by gcc 4.6.2 (SUSE Linux)

Description

The website shows that the following GPG key can be expected to be used for signing packages:

pub 2048R/7BD9BF62 2011-08-19 [expires: 2016-08-17]
uid nginx signing key <signing-key@…>

The actual signature is this:

gpg: Signature made Tue 07 Aug 2012 06:37:14 AM MDT using RSA key ID A1C052F8
gpg: Good signature from "Maxim Dounin <mdounin@…>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: B0F4 2533 73F8 F6F5 10D4 2178 520A 9993 A1C0 52F8

I presume it's trustworthy anyway. ;) Still, should be simple to fix.

Change History (1)

comment:1 by Ruslan Ermilov, 12 years ago

Resolution: wontfix
Status: newclosed

It's Linux packages that are signed by the key you mentioned.

The source tarballs can be signed by any of the keys listed here:
http://www.nginx.org/en/pgp_keys.html

Note: See TracTickets for help on using tickets.