If you use NGINX Plus, NGINX Amplify, or the prebuilt open source NGINX binaries from nginx.org, you might need to update the GPG key for your NGINX software now.
The keys for some NGINX software – specifics are explained below – will expire on Wednesday, August 17th, and you won’t be able to verify your software signatures until you’ve updated your key. This announcement does not affect you if you obtain open source NGINX from providers other than NGINX, Inc. – for example, in operating system distributions.
A GPG key is part of Gnu Privacy Guard, or GnuPG. GnuPG is a free implementation of the OpenPGP standard – widely known as PGP. GPG keys are used to verify that the packages in a repo were authored by the owner of the key.
Who Needs to Update the Key?
NGINX, Inc. uses GPG keys on its RPM packages and Debian/Ubuntu repositories so that you can verify the integrity and origin of the downloaded package. Many users of GPG keys set their keys to expire periodically, and the GPG key for NGINX, Inc. expires this coming August 17th. So you need to update your GPG key if you:
- Use NGINX Plus
- Use NGINX Amplify
- Use open source NGINX binaries provided by NGINX, Inc.
You do not need to update your GPG key if you use open source NGINX that is:
- From an operating system package. Most operating systems include NGINX in their repositories.
- Compiled by you from source. You can verify the source package signature directly using the
Updating the GPG Key
To switch to the updated key, simply refetch and reimport the key. The process differs by operating system.
Updating the Key on Debian/Ubuntu
If you have misconfigured keys, you will see one of the following errors when you run
nginx/x86_64/signature | 2.9 kB 00:00:10 !!! http://nginx.org/packages/mainline/centos/7/x86_64/repodata/repomd.xml: [Errno -1] repomd.xml signature could not be verified for nginx
nginx/x86_64/signature | 2.9 kB 00:00:00 !!! http://nginx.org/packages/mainline/centos/7/x86_64/repodata/repomd.xml: [Errno -1] Gpg Keys not imported, cannot verify repomd.xml for repo nginx
To update your key, download the new GPG key and overwrite the old one:
# curl -O https://nginx.org/keys/nginx_signing.key && apt-key add ./nginx_signing.key
To verify the expiration date on the new key, run
# apt-key list ... pub 2048R/7BD9BF62 2011-08-19 [expires: 2024-06-14] uid nginx signing key <email@example.com> ...
Updating the Key on Amazon Linux, CentOS, Oracle Linux, RHEL, and SLES
Check if your repository is configured to check and validate GPG keys. By default, the check is disabled for NGINX and NGINX Plus repositories, but enabled for NGINX Amplify repositories. The check is disabled if your yum repository files in /etc/yum.repos.d include the following line:
Here’s a sample repository file, /etc/yum.repos.d/nginx.repo, with the check disabled:
[nginx] name=nginx repo baseurl=http://nginx.org/packages/mainline/centos/7/$basearch/ gpgcheck=0 enabled=1
In this case, no action is needed. (Note that with the check disabled, you see a warning when you install new packages, but the installation still succeeds.)
If you have explicitly configured the GPG check, you need to replace the key.
You can check the authenticity of locally downloaded packages by running the
If the key is missing, you see this error:
# rpm -K nginx-1.11.3-1.el7.ngx.x86_64.rpm nginx-1.11.3-1.el7.ngx.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#7bd9bf62)
If the key is correctly configured, you see this message:
# rpm -K nginx-1.11.3-1.el7.ngx.x86_64.rpm nginx-1.11.3-1.el7.ngx.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
Perform the following steps to update the GPG key:
Check if you currently have the NGINX GPG key installed:
# rpm -qi gpg-pubkey-7bd9bf62-*
If the key is installed, the output includes the release number and build date:
... Release : 5762b5f8 ... Build Date : Fri 19 Aug 2011 05:52:34 AM EDT ...
If it is not installed, this message appears:
package gpg-pubkey-7bd9bf62-* is not installed
Remove the current NGINX GPG key:
# rpm -e --allmatches gpg-pubkey-7bd9bf62-*
Download and install the new key:
# curl -O https://nginx.org/keys/nginx_signing.key # rpm --import ./nginx_signing.key
(There is no confirming output on these platforms.)
Check the release and build date information for new GPG key:
# rpm -qi gpg-pubkey-7bd9bf62-* ... Release : 4e4e3262 ... Build Date : Thu 16 Jun 2016 10:21:44 AM EDT
Updating the Key on FreeBSD
The FreeBSD package management system does not use a GPG key, so no action is necessary.
Verifying the Authenticity of a GPG Key
You can additionally verify the authenticity of the downloaded GPG key. GPG uses the “Web of trust” concept: a key can be signed with someone else’s key, which in turn is signed by another key, and so on.
This approach often makes it possible to build a chain between an arbitrary key and the key of someone you know and trust personally, thus verifying the authenticity of the first key in the chain. This concept is described in detail in the GPG Mini Howto. Keys from NGINX, Inc. have enough signatures that their authenticity is relatively easy to check.
To get support while updating your GPG key: