Skip to content

Commit a6f7d14

Browse files
thresheekthresheek
committed
Updated GPG keys used to sign packages
Prebuilt binaries from nginx.org are to be signed with different keys moving forward. This change introduces two new 4096-bit RSA keys (aptly named "signing key 2" and "signing key 3") that will be used for that process. The keys can be fetched from nginx.org, too: $ curl -s https://nginx.org/keys/nginx_signing.key | gpg --show-keys - pub rsa4096 2024-05-29 [SC] 8540A6F18833A80E9C1653A42FD21310B49F6B46 uid nginx signing key <[email protected]> pub rsa2048 2011-08-19 [SC] [expires: 2027-05-24] 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 uid nginx signing key <[email protected]> pub rsa4096 2024-05-29 [SC] 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3 uid nginx signing key <[email protected]> As a nice side-effect, this allows us to re-fetch the older 2048-bit RSA key. It expired on Jun 14 2024, but was extended to be valid for another three years) still used to sign current packages. Unfortunately the key with the extended validity period was uploaded to the keyservers a bit too late to be picked up by current image builds, resulting in somewhat unexpected breakages for downstream images.
1 parent 1717492 commit a6f7d14

File tree

3 files changed

+12
-6
lines changed

3 files changed

+12
-6
lines changed

Dockerfile-debian.template

+4-2
Original file line numberDiff line numberDiff line change
@@ -14,10 +14,11 @@ RUN set -x \
1414
&& apt-get update \
1515
&& apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \
1616
&& \
17-
NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \
17+
NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; \
1818
NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \
1919
export GNUPGHOME="$(mktemp -d)"; \
2020
found=''; \
21+
for NGINX_GPGKEY in $NGINX_GPGKEYS; do \
2122
for server in \
2223
hkp://keyserver.ubuntu.com:80 \
2324
pgp.mit.edu \
@@ -26,7 +27,8 @@ RUN set -x \
2627
gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
2728
done; \
2829
test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
29-
gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; \
30+
done; \
31+
gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \
3032
rm -rf "$GNUPGHOME"; \
3133
apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \
3234
&& dpkgArch="$(dpkg --print-architecture)" \

mainline/debian/Dockerfile

+4-2
Original file line numberDiff line numberDiff line change
@@ -19,10 +19,11 @@ RUN set -x \
1919
&& apt-get update \
2020
&& apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \
2121
&& \
22-
NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \
22+
NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; \
2323
NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \
2424
export GNUPGHOME="$(mktemp -d)"; \
2525
found=''; \
26+
for NGINX_GPGKEY in $NGINX_GPGKEYS; do \
2627
for server in \
2728
hkp://keyserver.ubuntu.com:80 \
2829
pgp.mit.edu \
@@ -31,7 +32,8 @@ RUN set -x \
3132
gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
3233
done; \
3334
test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
34-
gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; \
35+
done; \
36+
gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \
3537
rm -rf "$GNUPGHOME"; \
3638
apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \
3739
&& dpkgArch="$(dpkg --print-architecture)" \

stable/debian/Dockerfile

+4-2
Original file line numberDiff line numberDiff line change
@@ -19,10 +19,11 @@ RUN set -x \
1919
&& apt-get update \
2020
&& apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \
2121
&& \
22-
NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \
22+
NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; \
2323
NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \
2424
export GNUPGHOME="$(mktemp -d)"; \
2525
found=''; \
26+
for NGINX_GPGKEY in $NGINX_GPGKEYS; do \
2627
for server in \
2728
hkp://keyserver.ubuntu.com:80 \
2829
pgp.mit.edu \
@@ -31,7 +32,8 @@ RUN set -x \
3132
gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
3233
done; \
3334
test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
34-
gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; \
35+
done; \
36+
gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \
3537
rm -rf "$GNUPGHOME"; \
3638
apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \
3739
&& dpkgArch="$(dpkg --print-architecture)" \

0 commit comments

Comments
 (0)