Opened 20 months ago
Closed 20 months ago
#2378 closed defect (worksforme)
Can't validate bgp signature of source code version 1.22 and higher.
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-core | Version: | 1.22.x |
| Keywords: | Cc: | ||
| uname -a: | Linux d95eb4a664d3 5.15.0-46-generic #49-Ubuntu SMP Thu Aug 4 18:03:25 UTC 2022 x86_64 Linux | ||
| nginx -V: | I am having issues compiling Nginx | ||
Description
Up to version 1.21.6 I was able to validate the BGP signature using the commands:
GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 NGINX_VERSION=1.21.6 gpg --keyserver "keyserver.ubuntu.com" --keyserver-options timeout=10 --recv-keys "$GPG_KEYS" curl -sfSL https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz -o nginx.tar.gz curl -sfSL https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz.asc -o nginx.tar.gz.asc gpg --batch --verify nginx.tar.gz.asc nginx.tar.gz
However, if I change NGNIX_VERSION to 1.22.0, 1.23.0 or 1.23.1 I got the following error:
gpg: Signature made Tue May 24 14:30:07 2022 UTC gpg: using RSA key 13C82A63B603576156E30A4EA0EA981B66B0D967 gpg: issuer "k.pavlov@f5.com" gpg: Can't check signature: No public key
I tried to find the new gpg key but I couldn't.
Could you help me?
Note:
See TracTickets
for help on using tickets.
Hello!
The public key used to sign the tarballs has changed as you have noticed. It's published on both https://nginx.org/en/pgp_keys.html and keyserver.ubuntu.com via GPG.
The currently used signing key is: 13C82A63B603576156E30A4EA0EA981B66B0D967, and belongs to me, Konstantin Pavlov.