Updating the PGP Key for NGINX Software

by

in

If you use the prebuilt NGINX Open Source binaries from nginx.org, or are an NGINX Plus user, you need to update the PGP key for your software now.

PGP keys are public encryption keys used to sign NGINX packages and the package repositories’ metadata. They assure the authenticity and integrity of the software packages.

Who Needs to Update the Key?

NGINX uses PGP keys on its RPM packages and Debian/Ubuntu repositories so that you can verify the integrity and origin of downloaded packages. Many users of PGP keys set their keys to expire periodically, and the PGP key for NGINX expires this coming June 14, 2024.

You need to update your PGP key if you:

  • Use NGINX Open Source packages provided by NGINX
  • Use NGINX Plus (with or without NGINX App Protect)

You do not need to update your PGP key if you use NGINX Open Source obtained from an operating system package.

Going forward, we will rotate the PGP signing key every two years.

Updating the PGP Key

To switch to the updated key, simply refetch and reimport the key. The process to update the PGP key however differs by operating system.

Updating the Key on Debian/Ubuntu

To update your PGP key on Debian/Ubuntu distributions, download the new key and overwrite the old one.

curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null

Run the following to verify the expiration date of the new key.

gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg

Updating the Key on Amazon Linux, CentOS, Oracle Linux, RHEL, and SLES

Verify if your NGINX or NGINX Plus repository is configured to check and validate PGP keys. The check is disabled by default.

The check is disabled if your YUM repository file includes the following line:

gpgcheck=0

If you have explicitly configured the GPG check (gpgcheck=1), you need to replace the PGP key.

You can check the authenticity of downloaded packages by running the rpm -K command.

Perform the following steps to update the key:

  1. Check if you have the NGINX PGP key installed.
sudo rpm -q gpg-pubkey-7bd9bf62-5762b5f8

2. If the NGINX PGP key is installed, remove it.

sudo rpm -e gpg-pubkey-7bd9bf62-5762b5f8

3. Download and install the new key.

curl -O https://nginx.org/keys/nginx_signing.key
sudo  rpm --import ./nginx_signing.key

Reach out to the NGINX Community

If you have questions regarding this PGP key update or other technical inquiries, you can use these resources: