Opened 12 years ago
Closed 12 years ago
#205 closed defect (wontfix)
nginx-1.2.3.tar.gz signed with wrong key
Reported by: | Chris Riddoch | Owned by: | somebody |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | nginx-package | Version: | 1.2.x |
Keywords: | gpg signature | Cc: | |
uname -a: | |||
nginx -V: |
nginx version: nginx/1.2.3
built by gcc 4.6.2 (SUSE Linux) |
Description
The website shows that the following GPG key can be expected to be used for signing packages:
pub 2048R/7BD9BF62 2011-08-19 [expires: 2016-08-17]
uid nginx signing key <signing-key@…>
The actual signature is this:
gpg: Signature made Tue 07 Aug 2012 06:37:14 AM MDT using RSA key ID A1C052F8
gpg: Good signature from "Maxim Dounin <mdounin@…>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: B0F4 2533 73F8 F6F5 10D4 2178 520A 9993 A1C0 52F8
I presume it's trustworthy anyway. ;) Still, should be simple to fix.
It's Linux packages that are signed by the key you mentioned.
The source tarballs can be signed by any of the keys listed here:
http://www.nginx.org/en/pgp_keys.html