Opened 8 years ago

Closed 8 years ago

#291 closed defect (wontfix)

CentOS package doesn't actually use included PGP key

Reported by: Henrik Tunedal
Owned by: sb
Priority: major
Milestone:
Component: other
Version: 1.2.x
Keywords:
Cc:
uname -a: Linux vserver 2.6.32-5-vserver-amd64 #1 SMP Sun May 6 06:53:58 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.2.6
built by gcc 4.4.4 20100726 (Red Hat 4.4.4-13) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx/ --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-cc-opt='-O2 -g'

Description

The CentOS and RHEL packages on the download page (http://nginx.org/en/download.html), which install a Yum repository for installing the actual package, include the signing key but are not configured to actually use it – they have "gpgcheck=0" in the repository configuration file.

Additionally, the manual instructions both there and on the wiki (http://wiki.nginx.org/Install) will set up a repository without signatures. It would be nice if they included a mention of, and link to, the PGP key.

Attachments (1)

nginx.repo.centos6.patch (289 bytes) - added by Henrik Tunedal 8 years ago.
Patch for CentOS 6


Change History (3)

comment:1 by maxim, 8 years ago

Owner: set to sb
Status: new → assigned

by Henrik Tunedal, 8 years ago

Attachment: nginx.repo.centos6.patch added

Patch for CentOS 6

comment:2 by Sergey Budnevitch, 8 years ago

Resolution: wontfix
Status: assigned → closed

Yes, the rpm package signature check is optional now, because enabling gpgcheck in yum.conf will not improve security by itself, since you download the PGP key from the same location as the rpm package, so it is as trustworthy as the package itself. If you are security aware, you should check the key's signatures too.

On the other hand, enabling gpgcheck will result in a prompt for key import on package installation, and this may confuse an inexperienced user.

So it is up to the end user.
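Added example, not code from ticket #291, the attached patch, or the nginx project: a POSIX shell script that flags a yum .repo file shipped in the state the description complains about (gpgcheck=0, or gpgcheck=1 with no gpgkey) beside the hardened form, and a helper that imports the signing key into the RPM database only after its fingerprint matches one obtained out of band, which is the independent key verification comment 2 says a security-aware user should do. Both repo files are constructed samples; the key URL http://nginx.org/keys/nginx_signing.key, the EXPECTED_FPR placeholder, and the GnuPG 2.1+ behaviour of `--import-options show-only` are assumptions not stated on the ticket page.

```shell
#!/bin/sh
# Added example, not from ticket #291 or the nginx project.
# 1. repo_check: flag a yum .repo file that ships with gpgcheck=0 (or with
#    gpgcheck=1 but no gpgkey), the condition described in the ticket.
# 2. import_key_if_matches: import the signing key only after its fingerprint
#    equals one obtained out of band, so the key is not trusted merely because
#    it came from the same server as the packages (comment 2's objection).

# Constructed sample: the weak shape described in the ticket.
WEAK_REPO='[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/6/$basearch/
gpgcheck=0
enabled=1
'

# Constructed sample: hardened form. The gpgkey URL is an assumption (it is
# not stated on the ticket page).
HARDENED_REPO='[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/6/$basearch/
gpgcheck=1
gpgkey=http://nginx.org/keys/nginx_signing.key
enabled=1
'

# repo_check [file]: reads a .repo file (stdin if no argument), prints one
# verdict line per [section], returns 1 if any section lacks signature checks.
repo_check() {
    awk '
    BEGIN { bad = 0 }
    function flush() {
        if (sec == "") return
        if (gpgcheck != "1")   { print sec ": gpgcheck is \"" gpgcheck "\", not 1"; bad = 1 }
        else if (gpgkey == "") { print sec ": gpgcheck=1 but no gpgkey"; bad = 1 }
        else                   { print sec ": OK, key from " gpgkey }
    }
    /^\[.*\]$/ { flush(); sec = $0; gpgcheck = ""; gpgkey = ""; next }
    /^[[:space:]]*(#|$)/ { next }
    index($0, "=") > 0 {
        key = substr($0, 1, index($0, "=") - 1)
        val = substr($0, index($0, "=") + 1)
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
        if (key == "gpgcheck")    gpgcheck = val
        else if (key == "gpgkey") gpgkey = val
    }
    END { flush(); exit bad }
    ' "${1:--}"
}

# normalize_fpr <fingerprint>: strip spaces and upper-case, so a fingerprint
# copied from a web page or key-server listing compares equal to gpg output.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# key_fingerprint <keyfile>: primary-key fingerprint of an armoured key file.
# Assumes GnuPG 2.1+ (--import-options show-only); "fpr" records carry the
# fingerprint in field 10 of --with-colons output. Prints nothing on failure.
key_fingerprint() {
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# import_key_if_matches <keyfile> <expected-fingerprint>: rpm --import only on
# a fingerprint match. Pre-importing also avoids the interactive "Importing GPG
# key" prompt that comment 2 mentions, because yum then finds the key in rpmdb.
import_key_if_matches() {
    actual=$(key_fingerprint "$1")
    expected=$(normalize_fpr "$2")
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "refusing to import $1: fingerprint ${actual:-unreadable} != $expected" >&2
        return 1
    fi
    rpm --import "$1"
}

# Demo on the two constructed repo files.
printf '%s' "$WEAK_REPO"     | repo_check || echo "-> weak config, would refuse"
printf '%s' "$HARDENED_REPO" | repo_check && echo "-> hardened config accepted"
# Real use (EXPECTED_FPR is a placeholder; obtain the real value out of band):
# curl -fsSLo /tmp/nginx_signing.key http://nginx.org/keys/nginx_signing.key
# import_key_if_matches /tmp/nginx_signing.key "$EXPECTED_FPR"
```

The fingerprint has to come from somewhere other than the server that serves the packages (a printed reference, a second channel, signatures on the key itself), otherwise the check adds nothing, which is exactly the point made in comment 2. Run `repo_check /etc/yum.repos.d/nginx.repo` after installing the release package to see whether the shipped file has gpgcheck enabled.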
