nginx-site: xml/en/linux_packages.xml comparison

comparison xml/en/linux_packages.xml @ 2322:bb03e6ac2f16

Added per-distro instructions on how to enable packages signature checks.

author	Konstantin Pavlov <thresh@videolan.org>
date	Wed, 30 Jan 2019 13:04:46 +0300
parents	580c3007d242
children	eaef8f4ca921

comparison

equal deleted inserted replaced

-:580c3007d242
+:bb03e6ac2f16
 <!DOCTYPE article SYSTEM "../../dtd/article.dtd">
 <article name="nginx: Linux packages"
 link="/en/linux_packages.html"
 lang="en"
-rev="30"
+rev="31"
 toc="no">
 <section id="distributions">
 <para>
 </table>
 </para>
 <para>
-To enable automatic updates of Linux packages
+Before you install nginx for the first time on a new machine, you need to
-set up the yum repository for the RHEL/CentOS distributions,
+set up the nginx packages repository.
-the apt repository for the Debian/Ubuntu distributions,
+Afterward, you can install and update nginx from the repository.
-or the zypper repository for SLES.
+</para>
-</para>
+</section>
-</section>
+<section name="Installation instructions" id="instructions">
-<section name="Pre-Built Packages for Stable version" id="stable">
+<section name="RHEL/CentOS" id="RHEL-CentOS">
-<para>
-To set up the yum repository for RHEL/CentOS, create the file named
+<para>
+Install the prerequisites:
+<programlisting>
+sudo yum install yum-utils
+</programlisting>
+To set up the yum repository, create the file named
 <path>/etc/yum.repos.d/nginx.repo</path>
 with the following contents:
 <programlisting>
-[nginx]
+[nginx-stable]
-name=nginx repo
+name=nginx stable repo
-baseurl=http://nginx.org/packages/OS/OSRELEASE/$basearch/
+baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
-gpgcheck=0
+gpgcheck=1
 enabled=1
-</programlisting>
+gpgkey=https://nginx.org/keys/nginx_signing.key
-Replace “<literal>OS</literal>” with “<literal>rhel</literal>” or
+[nginx-mainline]
-“<literal>centos</literal>”,
+name=nginx mainline repo
-depending on the distribution used, and “<literal>OSRELEASE</literal>”
+baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
-with “<literal>6</literal>” or “<literal>7</literal>”, for 6.x or 7.x versions,
+gpgcheck=1
-respectively.
+enabled=0
-</para>
+gpgkey=https://nginx.org/keys/nginx_signing.key
+</programlisting>
-<para>
-For Debian/Ubuntu, in order to authenticate the nginx repository signature
+By default, the repository for stable nginx packages is used.
-and to eliminate warnings about missing PGP key during installation of the
+If you would like to use mainline nginx packages, run the following command:
-nginx package, it is necessary to add the key used to sign the nginx
+<programlisting>
-packages and repository to the <command>apt</command> program keyring.
+sudo yum-config-manager --enable nginx-mainline
-Please download <link url="/keys/nginx_signing.key">this
+</programlisting>
-key</link> from our web site, and add it to the <command>apt</command>
-program keyring with the following command:
+To install nginx, run the following command:
 <programlisting>
-sudo apt-key add nginx_signing.key
+sudo yum install nginx
 </programlisting>
-</para>
+When prompted to accept the GPG key, verify that the fingerprint matches
-<para>
+<command>573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62</command>,
-For Debian replace <i>codename</i> with Debian distribution
+and if so, accept it.
-<link id="distributions">codename</link>, and append the following to
+</para>
-the end of the <path>/etc/apt/sources.list</path> file:
+</section>
-<programlisting>
-deb http://nginx.org/packages/debian/ <i>codename</i> nginx
-deb-src http://nginx.org/packages/debian/ <i>codename</i> nginx
+<section name="Debian" id="Debian">
-</programlisting>
-</para>
+<para>
+Install the prerequisites:
-<para>
+<programlisting>
-For Ubuntu replace <i>codename</i> with Ubuntu distribution
+sudo apt install curl gnupg2 ca-certificates lsb-release
-<link id="distributions">codename</link>, and append the following to
+</programlisting>
-the end of the <path>/etc/apt/sources.list</path> file:
+To set up the apt repository for stable nginx packages,
-<programlisting>
+run the following command:
-deb http://nginx.org/packages/ubuntu/ <i>codename</i> nginx
+<programlisting>
-deb-src http://nginx.org/packages/ubuntu/ <i>codename</i> nginx
+echo "deb http://nginx.org/packages/debian `lsb_release -cs` nginx" \
-</programlisting>
+| sudo tee /etc/apt/sources.list.d/nginx.list
-</para>
+</programlisting>
-<para>
+If you would like to use mainline nginx packages,
-For Debian/Ubuntu then run the following commands:
+run the following command instead:
 <programlisting>
-apt-get update
+echo "deb http://nginx.org/packages/mainline/debian `lsb_release -cs` nginx" \
-apt-get install nginx
+| sudo tee /etc/apt/sources.list.d/nginx.list
 </programlisting>
-</para>
+Next, import an official nginx signing key so apt could verify the packages
-<para>
+authenticity:
-For SLES 12 run the following command:
+<programlisting>
-<programlisting>
+curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo apt-key add -
-zypper addrepo -G -t yum -c 'http://nginx.org/packages/sles/12' nginx
+</programlisting>
-</programlisting>
-</para>
+Verify that you now have the proper key:
+<programlisting>
-<para>
+sudo apt-key fingerprint ABF5BD827BD9BF62
-For SLES 15 run the following command:
+</programlisting>
-<programlisting>
-zypper addrepo -G -t yum -c 'http://nginx.org/packages/sles/15' nginx
+The output should contain the full fingerprint
-</programlisting>
+<command>573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62</command>
-</para>
+as follows:
+<programlisting>
-</section>
+pub   rsa2048 2011-08-19 [SC] [expires: 2024-06-14]
+573B FD6B 3D8F BC64 1079  A6AB ABF5 BD82 7BD9 BF62
+uid   [ unknown] nginx signing key &lt;signing-key@nginx.com&gt;
-<section name="Pre-Built Packages for Mainline version" id="mainline">
+</programlisting>
-<para>
+To install nginx, run the following commands:
-To set up the yum repository for RHEL/CentOS, create the file named
+<programlisting>
-<path>/etc/yum.repos.d/nginx.repo</path>
+sudo apt update
-with the following contents:
+sudo apt install nginx
+</programlisting>
-<programlisting>
+</para>
-[nginx]
-name=nginx repo
+</section>
-baseurl=http://nginx.org/packages/mainline/OS/OSRELEASE/$basearch/
-gpgcheck=0
-enabled=1
+<section name="Ubuntu" id="Ubuntu">
-</programlisting>
+<para>
-Replace “<literal>OS</literal>” with “<literal>rhel</literal>” or
+Install the prerequisites:
-“<literal>centos</literal>”,
+<programlisting>
-depending on the distribution used, and “<literal>OSRELEASE</literal>”
+sudo apt install curl gnupg2 ca-certificates lsb-release
-with “<literal>6</literal>” or “<literal>7</literal>”, for 6.x or 7.x versions,
+</programlisting>
-respectively.
-</para>
+To set up the apt repository for stable nginx packages,
+run the following command:
-<para>
+<programlisting>
-For Debian/Ubuntu, in order to authenticate the nginx repository signature
+echo "deb http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" \
-and to eliminate warnings about missing PGP key during installation of the
+| sudo tee /etc/apt/sources.list.d/nginx.list
-nginx package, it is necessary to add the key used to sign the nginx
+</programlisting>
-packages and repository to the <command>apt</command> program keyring.
-Please download <link url="/keys/nginx_signing.key">this
+If you would like to use mainline nginx packages,
-key</link> from our web site, and add it to the <command>apt</command>
+run the following command instead:
-program keyring with the following command:
+<programlisting>
-<programlisting>
+echo "deb http://nginx.org/packages/mainline/ubuntu `lsb_release -cs` nginx" \
-sudo apt-key add nginx_signing.key
+| sudo tee /etc/apt/sources.list.d/nginx.list
 </programlisting>
-</para>
+Next, import an official nginx signing key so apt could verify the packages
-<para>
+authenticity:
-For Debian replace <i>codename</i> with Debian distribution
+<programlisting>
-<link id="distributions">codename</link>, and append the following to
+curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo apt-key add -
-the end of the <path>/etc/apt/sources.list</path> file:
+</programlisting>
-<programlisting>
+Verify that you now have the proper key:
-deb http://nginx.org/packages/mainline/debian/ <i>codename</i> nginx
+<programlisting>
-deb-src http://nginx.org/packages/mainline/debian/ <i>codename</i> nginx
+sudo apt-key fingerprint ABF5BD827BD9BF62
 </programlisting>
-</para>
+The output should contain the full fingerprint
-<para>
+<command>573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62</command>
-For Ubuntu replace <i>codename</i> with Ubuntu distribution
+as follows:
-<link id="distributions">codename</link>, and append the following to
+<programlisting>
-the end of the <path>/etc/apt/sources.list</path> file:
+pub   rsa2048 2011-08-19 [SC] [expires: 2024-06-14]
+573B FD6B 3D8F BC64 1079  A6AB ABF5 BD82 7BD9 BF62
-<programlisting>
+uid   [ unknown] nginx signing key &lt;signing-key@nginx.com&gt;
-deb http://nginx.org/packages/mainline/ubuntu/ <i>codename</i> nginx
+</programlisting>
-deb-src http://nginx.org/packages/mainline/ubuntu/ <i>codename</i> nginx
-</programlisting>
+To install nginx, run the following commands:
-</para>
+<programlisting>
+sudo apt update
-<para>
+sudo apt install nginx
-For Debian/Ubuntu then run the following commands:
+</programlisting>
-<programlisting>
+</para>
-apt-get update
-apt-get install nginx
+</section>
-</programlisting>
-</para>
+<section name="SLES" id="SLES">
-<para>
-For SLES 12 run the following command:
+<para>
-<programlisting>
+Install the prerequisites:
-zypper addrepo -G -t yum -c 'http://nginx.org/packages/mainline/sles/12' nginx
+<programlisting>
-</programlisting>
+sudo zypper install curl ca-certificates gpg2
-</para>
+</programlisting>
-<para>
+To set up the zypper repository for stable nginx packages,
-For SLES 15 run the following command:
+run the following command:
 <programlisting>
-zypper addrepo -G -t yum -c 'http://nginx.org/packages/mainline/sles/15' nginx
+sudo zypper addrepo --gpgcheck --type yum --refresh --check \
-</programlisting>
+'http://nginx.org/packages/sles/$releasever' nginx-stable
-</para>
+</programlisting>
+If you would like to use mainline nginx packages,
+run the following command instead:
+<programlisting>
+sudo zypper addrepo --gpgcheck --type yum --refresh --check \
+'http://nginx.org/packages/mainline/sles/$releasever' nginx-mainline
+</programlisting>
+Next, import an official nginx signing key so zypper/rpm could verify
+the packages authenticity.
+Fetch the key:
+<programlisting>
+curl -o /tmp/nginx_signing.key https://nginx.org/keys/nginx_signing.key
+</programlisting>
+Verify that the downloaded file contains the proper key:
+<programlisting>
+gpg --with-fingerprint /tmp/nginx_signing.key
+</programlisting>
+The output should contain the full fingerprint
+<command>573B FD6B 3D8F BC64 1079  A6AB ABF5 BD82 7BD9 BF62</command>
+as follows:
+<programlisting>
+pub  2048R/7BD9BF62 2011-08-19 [expires: 2024-06-14]
+Key fingerprint = 573B FD6B 3D8F BC64 1079  A6AB ABF5 BD82 7BD9 BF62
+uid nginx signing key &lt;signing-key@nginx.com&gt;
+</programlisting>
+Finally, import the key to the rpm database:
+<programlisting>
+sudo rpmkeys --import /tmp/nginx_signing.key
+</programlisting>
+To install nginx, run the following command:
+<programlisting>
+sudo zypper install nginx
+</programlisting>
+</para>
+</section>
 </section>
 <section name="Source Packages" id="sourcepackages">
 </section>
 <section name="Signatures" id="signatures">
-<para>
-Both RPM packages and Debian/Ubuntu repositories use digital signatures
-to verify the integrity and origin of the downloaded package.
-In order to check a signature it is necessary to download
-<link url="/keys/nginx_signing.key">nginx signing key</link>
-and import it to the <command>rpm</command> or <command>apt</command>
-program’s keyring:
-<list type="bullet">
-<listitem>
-On Debian/Ubuntu:
-<programlisting>sudo apt-key add nginx_signing.key</programlisting>
-</listitem>
-<listitem>
-On RHEL/CentOS:
-<programlisting>sudo rpm --import nginx_signing.key</programlisting>
-</listitem>
-<listitem>
-On SLES:
-<programlisting>sudo rpm --import nginx_signing.key</programlisting>
-</listitem>
-</list>
-</para>
-<para>
-On Debian/Ubuntu/SLES signatures are checked by default, but
-on RHEL/CentOS it is necessary to set
-<programlisting>gpgcheck=1</programlisting> in the
-<path>/etc/yum.repos.d/nginx.repo</path> file.
-</para>
 <para>
 Since our <link doc="../en/pgp_keys.xml">PGP keys</link>
 and packages are located on the same server,
 they are equally trusted.

Mercurial > hg > nginx-site

comparison xml/en/linux_packages.xml @ 2322:bb03e6ac2f16