Commit a6f7d140 authored Jun 21, 2024 by Konstantin Pavlov Committed by Konstantin Pavlov Jun 21, 2024

Updated GPG keys used to sign packages

Prebuilt binaries from nginx.org are to be signed with different keys
moving forward.  This change introduces two new 4096-bit RSA keys (aptly
named "signing key 2" and "signing key 3") that will be used for that
process.

The keys can be fetched from nginx.org, too:

$ curl -s https://nginx.org/keys/nginx_signing.key | gpg --show-keys -
pub   rsa4096 2024-05-29 [SC]
      8540A6F18833A80E9C1653A42FD21310B49F6B46
uid                      nginx signing key <signing-key-2@nginx.com>

pub   rsa2048 2011-08-19 [SC] [expires: 2027-05-24]
      573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
uid                      nginx signing key <signing-key@nginx.com>

pub   rsa4096 2024-05-29 [SC]
      9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3
uid                      nginx signing key <signing-key-3@nginx.com>

As a nice side-effect, this allows us to re-fetch the older 2048-bit RSA
key.  It expired on Jun 14 2024, but was extended to be valid for
another three years) still used to sign current packages.  Unfortunately
the key with the extended validity period was uploaded to the keyservers
a bit too late to be picked up by current image builds, resulting in
somewhat unexpected breakages for downstream images.

parent 1717492f

No related branches found

No related tags found

Show whitespace changes

Inline Side-by-side

Showing with 12 additions and 6 deletions

Please to comment