Opened 7 years ago

Closed 7 years ago

#291 closed defect (wontfix)

CentOS package doesn't actually use included PGP key

Reported by: tunedal@… Owned by: sb
Priority: major Milestone:
Component: other Version: 1.2.x
Keywords: Cc:
uname -a: Linux vserver 2.6.32-5-vserver-amd64 #1 SMP Sun May 6 06:53:58 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.2.6 built by gcc 4.4.4 20100726 (Red Hat 4.4.4-13) (GCC) TLS SNI support enabled configure arguments: --prefix=/etc/nginx/ --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-cc-opt='-O2 -g'

Description

The CentOS and RHEL packages on the download page (http://nginx.org/en/download.html), which install a Yum repository for installing the actual package, include the signing key but are not configured to actually use it – they have "gpgcheck=0" in the repository configuration file.

Additionally, the manual instructions both there and on the wiki (http://wiki.nginx.org/Install) will set up a repository without signatures. It would be nice if they included a mention of, and link to, the PGP key.

Attachments (1)

nginx.repo.centos6.patch (289 bytes) - added by tunedal@… 7 years ago.
Patch for CentOS 6


Change History (3)

comment:1 Changed 7 years ago by maxim

  • Owner set to sb
  • Status changed from new to assigned

Changed 7 years ago by tunedal@…

Patch for CentOS 6

comment:2 Changed 7 years ago by fabler

  • Resolution set to wontfix
  • Status changed from assigned to closed

Yes, RPM package signature check is optional now, because enabling gpgcheck in yum.conf will not improve security by itself, since you download the PGP key from the same location as the RPM package, so it is as trustworthy as the package itself. If you are security aware, you should check the key's signatures too.

On the other hand, enabling gpgcheck will result in a prompt for key import on package installation, and this may confuse inexperienced users.

So it is up to end user.
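An added check, not part of the ticket or of the nginx packaging: a constructed pair of repo definitions, the weak form described in the report (gpgcheck=0 with the key shipped but unused) beside a corrected one, plus a small POSIX sh/awk audit that flags repos which disable gpgcheck or enable it without a local gpgkey, which is the trust point raised in comment:2. The baseurl, file name and key path are assumptions for illustration.

```shell
#!/bin/sh
# Constructed samples, not copied from the nginx package: the weak repo
# definition (gpgcheck=0) and a corrected one that points gpgcheck at a key
# already present on disk. The key path is an assumption.
WEAK_REPO='[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/6/$basearch/
gpgcheck=0
enabled=1'

FIXED_REPO='[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/6/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-nginx
enabled=1'

# audit_repo: read a .repo file on stdin and print one line per section that
# disables gpgcheck, enables it without a gpgkey, or fetches the key from a
# remote URL (a key downloaded from the same host as the packages adds nothing,
# as comment:2 notes). Exit status is 1 if any section was flagged.
audit_repo() {
    awk '
        BEGIN { bad = 0 }
        function report(   msg) {
            if (sect == "") return
            if (gpgcheck != "1")          msg = "gpgcheck disabled"
            else if (gpgkey == "")        msg = "gpgcheck set but no gpgkey"
            else if (gpgkey !~ /^file:/)  msg = "gpgkey is not a local file: " gpgkey
            else return
            printf "%s: %s\n", sect, msg; bad = 1
        }
        /^\[.*\]$/   { report(); sect = substr($0, 2, length($0) - 2); gpgcheck = ""; gpgkey = ""; next }
        /^gpgcheck=/ { gpgcheck = substr($0, 10) }
        /^gpgkey=/   { gpgkey = substr($0, 8) }
        END { report(); exit bad }
    '
}

# Run the audit over both samples; on a real host use: audit_repo < /etc/yum.repos.d/nginx.repo
weak_result()  { printf '%s\n' "$WEAK_REPO"  | audit_repo; }
fixed_result() { printf '%s\n' "$FIXED_REPO" | audit_repo; }
```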
