changeset 2662:e4d370d43176

Linux packages: removed apt-key usage to import gpg keys on Debian/Ubuntu. apt-key has been deprecated since 2017 and will be removed after Debian 11 and Ubuntu 22.04. All distributions since at least 2013 support storing trusted keys in /etc/apt/trusted.gpg.d/ instead, so using it should be safe. A special workaround is added for Ubuntu 16.04 shipping gnupg 2.1, which is not compatible with the CLI invocation we use.
author Konstantin Pavlov <thresh@nginx.com>
date Wed, 17 Feb 2021 16:39:40 +0300
parents 991cf4287c36
children a33d8f0f48b2
files xml/en/linux_packages.xml xml/ru/linux_packages.xml
diffstat 2 files changed, 65 insertions(+), 29 deletions(-)
--- a/xml/en/linux_packages.xml
+++ b/xml/en/linux_packages.xml
@@ -7,7 +7,7 @@
 <article name="nginx: Linux packages"
          link="/en/linux_packages.html"
          lang="en"
-         rev="56">
+         rev="57">
 
 <section name="Supported distributions and versions" id="distributions">
 
@@ -236,23 +236,29 @@ echo -e "Package: *\nPin: origin nginx.o
 </programlisting>
 
 Next, import an official nginx signing key so apt could verify the packages
-authenticity:
+authenticity.
+Fetch the key:
 <programlisting>
-curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo apt-key add -
+curl -o /tmp/nginx_signing.key https://nginx.org/keys/nginx_signing.key
 </programlisting>
 
-Verify that you now have the proper key:
+Verify that the downloaded file contains the proper key:
 <programlisting>
-sudo apt-key fingerprint ABF5BD827BD9BF62
+gpg --dry-run --quiet --import --import-options import-show /tmp/nginx_signing.key
 </programlisting>
 
 The output should contain the full fingerprint
-<command>573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62</command>
+<command>573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62</command>
 as follows:
 <programlisting>
 pub   rsa2048 2011-08-19 [SC] [expires: 2024-06-14]
-      573B FD6B 3D8F BC64 1079  A6AB ABF5 BD82 7BD9 BF62
-uid   [ unknown] nginx signing key &lt;signing-key@nginx.com&gt;
+      573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
+uid                      nginx signing key &lt;signing-key@nginx.com&gt;
+</programlisting>
+
+Finally, move the key to apt trusted key storage (note the "asc" file extension change):
+<programlisting>
+sudo mv /tmp/nginx_signing.key /etc/apt/trusted.gpg.d/nginx_signing.asc
 </programlisting>
 
 To install nginx, run the following commands:
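Review bot: The `sudo mv /tmp/nginx_signing.key /etc/apt/trusted.gpg.d/nginx_signing.asc` step keeps the file's existing owner and mode, so the key apt trusts ends up owned by the unprivileged user who ran curl, and that account can rewrite it later without sudo; with a restrictive umask the file may also be unreadable to apt. The fixed file name in world-writable /tmp is also open to tampering by another local user between the gpg check and the move. Suggest downloading into a `mktemp -d` directory and installing with `sudo install -o root -g root -m 644` instead of `mv`. Separately, anything in trusted.gpg.d is trusted for every configured repository, so a dedicated keyring referenced through `signed-by` in the sources entry would scope this key to nginx.org only.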
@@ -295,23 +301,34 @@ echo -e "Package: *\nPin: origin nginx.o
 </programlisting>
 
 Next, import an official nginx signing key so apt could verify the packages
-authenticity:
+authenticity.
+Fetch the key:
 <programlisting>
-curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo apt-key add -
+curl -o /tmp/nginx_signing.key https://nginx.org/keys/nginx_signing.key
 </programlisting>
 
-Verify that you now have the proper key:
+Verify that the downloaded file contains the proper key:
 <programlisting>
-sudo apt-key fingerprint ABF5BD827BD9BF62
+gpg --dry-run --quiet --import --import-options show-only /tmp/nginx_signing.key
+</programlisting>
+
+Note: on Ubuntu 16.04, use the following command instead:
+<programlisting>
+gpg --with-fingerprint /tmp/nginx_signing.key
 </programlisting>
 
 The output should contain the full fingerprint
-<command>573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62</command>
+<command>573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62</command>
 as follows:
 <programlisting>
 pub   rsa2048 2011-08-19 [SC] [expires: 2024-06-14]
-      573B FD6B 3D8F BC64 1079  A6AB ABF5 BD82 7BD9 BF62
-uid   [ unknown] nginx signing key &lt;signing-key@nginx.com&gt;
+      573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
+uid                      nginx signing key &lt;signing-key@nginx.com&gt;
+</programlisting>
+
+Finally, move the key to apt trusted key storage (note the "asc" file extension change):
+<programlisting>
+sudo mv /tmp/nginx_signing.key /etc/apt/trusted.gpg.d/nginx_signing.asc
 </programlisting>
 
 To install nginx, run the following commands:
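Review bot: The Ubuntu verification command uses `--import-options show-only`, while the Debian section of this same file uses `--import-options import-show` together with `--dry-run`; pick one form for both sections so they cannot drift, and state which gpg version the chosen option needs. The Ubuntu 16.04 fallback `gpg --with-fingerprint /tmp/nginx_signing.key` shares the single sample output that follows, which shows the unspaced fingerprint; please confirm that command prints the fingerprint in that form, or add a line saying the layout differs on 16.04 and only the 40 hex digits need to match.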
--- a/xml/ru/linux_packages.xml
+++ b/xml/ru/linux_packages.xml
@@ -7,7 +7,7 @@
 <article name="nginx: пакеты для Linux"
          link="/ru/linux_packages.html"
          lang="ru"
-         rev="56">
+         rev="57">
 
 <section name="Поддерживаемые дистрибутивы и версии" id="distributions">
 
@@ -235,22 +235,29 @@ echo -e "Package: *\nPin: origin nginx.o
 </programlisting>
 
 Теперь нужно импортировать официальный ключ,
-используемый apt для проверки подлинности пакетов:
+используемый apt для проверки подлинности пакетов.
+Скачайте ключ:
 <programlisting>
-curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo apt-key add -
+curl -o /tmp/nginx_signing.key https://nginx.org/keys/nginx_signing.key
 </programlisting>
 
-Проверьте, верный ли ключ был импортирован:
+Проверьте, верный ли ключ был загружен:
 <programlisting>
-sudo apt-key fingerprint ABF5BD827BD9BF62
+gpg --dry-run --quiet --import --import-options import-show /tmp/nginx_signing.key
 </programlisting>
 
 Вывод команды должен содержать полный отпечаток ключа
-<command>573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62</command>:
+<command>573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62</command>:
 <programlisting>
 pub   rsa2048 2011-08-19 [SC] [expires: 2024-06-14]
-      573B FD6B 3D8F BC64 1079  A6AB ABF5 BD82 7BD9 BF62
 uid   [ unknown] nginx signing key &lt;signing-key@nginx.com&gt;
+      573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
+uid                      nginx signing key &lt;signing-key@nginx.com&gt;
+</programlisting>
+
+Переместите ключ в каталог доверенных ключей apt (обратите внимание на изменение расширения "asc"):
+<programlisting>
+sudo mv /tmp/nginx_signing.key /etc/apt/trusted.gpg.d/nginx_signing.asc
 </programlisting>
 
 Чтобы установить nginx, выполните следующие команды:
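Review bot: The old line `uid   [ unknown] nginx signing key ...` in the sample output is kept as unchanged context here, while the new fingerprint and uid lines are added after it, so the Russian page will show two uid lines with the fingerprint between them. The English hunk removes the old uid line; do the same here so the listing matches what gpg actually prints.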
@@ -292,23 +299,35 @@ echo -e "Package: *\nPin: origin nginx.o
     | sudo tee /etc/apt/preferences.d/99nginx
 </programlisting>
 
-Теперь нужно импортировать официальный ключ, используемый apt для проверки
-подлинности пакетов:
+Теперь нужно импортировать официальный ключ,
+используемый apt для проверки подлинности пакетов.
+Скачайте ключ:
 <programlisting>
-curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo apt-key add -
+curl -o /tmp/nginx_signing.key https://nginx.org/keys/nginx_signing.key
 </programlisting>
 
-Проверьте, верный ли ключ был импортирован:
+Проверьте, верный ли ключ был загружен:
 <programlisting>
-sudo apt-key fingerprint ABF5BD827BD9BF62
+gpg --dry-run --quiet --import --import-options import-show /tmp/nginx_signing.key
+</programlisting>
+
+На Ubuntu 16.04, выполните следующую команду вместо предыдущей:
+<programlisting>
+gpg --with-fingerprint /tmp/nginx_signing.key
 </programlisting>
 
 Вывод команды должен содержать полный отпечаток ключа
-<command>573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62</command>:
+<command>573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62</command>:
 <programlisting>
 pub   rsa2048 2011-08-19 [SC] [expires: 2024-06-14]
-      573B FD6B 3D8F BC64 1079  A6AB ABF5 BD82 7BD9 BF62
 uid   [ unknown] nginx signing key &lt;signing-key@nginx.com&gt;
+      573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
+uid                      nginx signing key &lt;signing-key@nginx.com&gt;
+</programlisting>
+
+Переместите ключ в каталог доверенных ключей apt (обратите внимание на изменение расширения "asc"):
+<programlisting>
+sudo mv /tmp/nginx_signing.key /etc/apt/trusted.gpg.d/nginx_signing.asc
 </programlisting>
 
 Чтобы установить nginx, выполните следующие команды:
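Review bot: The sample output in this hunk has the same leftover `uid   [ unknown] ...` context line as the Debian hunk above; it should be a removed line. The verification command here is `--import-options import-show`, whereas the English Ubuntu section uses `show-only`; the two translations should give the same command.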