Opened 4 months ago

Closed 3 months ago

#2378 closed defect (worksforme)

Can't validate PGP signature of source code version 1.22 and higher.

Reported by: byjg@…
Owned by:
Priority: minor
Milestone:
Component: nginx-core
Version: 1.22.x
Keywords:
Cc:
uname -a: Linux d95eb4a664d3 5.15.0-46-generic #49-Ubuntu SMP Thu Aug 4 18:03:25 UTC 2022 x86_64 Linux
nginx -V: I am having issues compiling Nginx

Description

Up to version 1.21.6 I was able to validate the PGP signature using the commands:

GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8
NGINX_VERSION=1.21.6

gpg --keyserver "keyserver.ubuntu.com" --keyserver-options timeout=10 --recv-keys "$GPG_KEYS"

curl -sfSL https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz -o nginx.tar.gz
curl -sfSL https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz.asc  -o nginx.tar.gz.asc
gpg --batch --verify nginx.tar.gz.asc nginx.tar.gz

However, if I change NGINX_VERSION to 1.22.0, 1.23.0 or 1.23.1 I get the following error:

gpg: Signature made Tue May 24 14:30:07 2022 UTC
gpg:                using RSA key 13C82A63B603576156E30A4EA0EA981B66B0D967
gpg:                issuer "k.pavlov@f5.com"
gpg: Can't check signature: No public key

I tried to find the new gpg key but I couldn't.

Could you help me?

Change History (1)

comment:1 by thresh, 3 months ago

Resolution: worksforme
Status: new → closed

Hello!

The public key used to sign the tarballs has changed as you have noticed. It's published on both https://nginx.org/en/pgp_keys.html and keyserver.ubuntu.com via GPG.

The currently used signing key is: 13C82A63B603576156E30A4EA0EA981B66B0D967, and belongs to me, Konstantin Pavlov.
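The failure in this ticket is gpg's "no public key" case, which a build script should tell apart from a bad signature and from a good signature made by an unexpected key. The sketch below is an added example, not code from the ticket or from the nginx project: it classifies gpg's machine-readable `--status-fd` lines against the two fingerprints quoted above. The function names and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the ticket). Fingerprints are the two quoted above.
OLD_KEY=B0F4253373F8F6F510D42178520A9993A1C052F8  # verified releases up to 1.21.6
NEW_KEY=13C82A63B603576156E30A4EA0EA981B66B0D967  # signs 1.22.0 and later

# Constructed sample: status lines for a signature whose key is not in the keyring.
SAMPLE_NO_PUBKEY='[GNUPG:] ERRSIG A0EA981B66B0D967 1 8 00 1653402607 9 13C82A63B603576156E30A4EA0EA981B66B0D967
[GNUPG:] NO_PUBKEY A0EA981B66B0D967'

# classify_status PINNED_FPR...   (hypothetical helper)
# Reads `gpg --status-fd 1 --verify` output on stdin and prints one of:
#   trusted        good signature from a pinned fingerprint
#   unpinned:FPR   good signature, but the signing key is not pinned
#   missing:KEYID  signing key absent from the keyring (the error in this ticket)
#   invalid        bad signature, expired/revoked key, or no usable status
classify_status() {
    awk -v pinned=" $* " '
        $1 != "[GNUPG:]"  { next }
        $2 == "GOODSIG"   { good = 1 }   # not set for EXPKEYSIG / REVKEYSIG
        $2 == "BADSIG"    { bad = 1 }
        $2 == "NO_PUBKEY" { missing = $3 }
        # VALIDSIG: $3 is the signing key, last field the primary key fingerprint
        $2 == "VALIDSIG"  { sig = $3; primary = $NF }
        END {
            if (good && !bad && sig != "") {
                if (index(pinned, " " sig " ") || index(pinned, " " primary " "))
                    print "trusted"
                else
                    print "unpinned:" sig
            } else if (missing != "" && !bad) print "missing:" missing
            else print "invalid"
        }'
}

# verify_release VERSION: fetch and check one tarball (needs curl, gpg, network),
# e.g. `verify_release 1.22.0`. Succeeds only for a pinned, good signature.
verify_release() {
    url="https://nginx.org/download/nginx-$1.tar.gz"
    curl -sfSL "$url" -o nginx.tar.gz &&
        curl -sfSL "$url.asc" -o nginx.tar.gz.asc || return 1
    result=$(gpg --batch --status-fd 1 --verify nginx.tar.gz.asc nginx.tar.gz 2>/dev/null |
        classify_status "$OLD_KEY" "$NEW_KEY")
    echo "nginx-$1: $result"
    [ "$result" = trusted ]
}
```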
