http://nginx.org/en/download.html
When I went to validate the PGP signatures, I observed this message being returned:
"Can't check signature: No public key"
https://gnupg.org/download/integrity_check.html
"If the output of the above command [contains "Can't check signature: No public key"], then either you don't have [the correct] distribution keys...or the signature was generated by someone else and the file should be treated suspiciously."
After checking this web page...
http://nginx.org/en/pgp_keys.html
I downloaded the public key
nginx public key (used for signing packages and repositories)
http://nginx.org/keys/nginx_signing.key
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2.0.22 (GNU/Linux)
mQENBE5OMmIBCAD+FPYKGriGGf7NqwKfWC83cBV01gabgVWQmZbMcFzeW+hMsgxHmQENBE5OMmIBCAD+FPYKGriGGf7NqwKfWC83cBV01gabgVWQmZbMcFzeW+hMsgxH W6iimD0RsfZ9oEbfJCPG0CRSZ7ppq5pKamYs2+EJ8Q2ysOFHHwpGrA2C8zyNAs4I fDR+Eny/M1RVR4xClECONF9UBB2ejFdI1LD45APbP2hsN/piFByU1t7yK2gpFyRt QxnZZIbETgcSwFtDun0XiqPwPZgyuXVm9PAbLZRbfBzm8wR/3SWygqZBBLdQk5TE 97WzGHn9MV5/TL7AmRPM4pcr3JacmtCnxXeCZ8nLqedoSuHFuhwyDnlAbu8I16O5 CAIJCgsEFgIDAQIeAQIXgAUCV2K1+AUJGB4fQQAKCRCr9b2Ce9m/YloaB/9XGrol XRrfzhrHRJFM1JnIiGmzZi6zBvH0ItfyX6ttABEBAAG0KW5naW54IHNpZ25pbmcg a2V5IDxzaWduaW5nLWtleUBuZ2lueC5jb20+iQE+BBMBAgAoAhsDBgsJCAcDAgYV kocm7l/tsVjaBQCteXKuwsm4XhCuAQ6YAwA1L1UheGOG/aa2xJvrXE8X32tgcTjr oe/PD08AoAA6fxXvWjSxy+dGhEaXoTHjkCbz/l6NxrK3JFyauDgU4K4MytsZ1HDi KoYoXWcdxaFjlXGTt6jV85qRguUzvMOxxSEM2Dn115etN9piPl0Zz+4rkx8+2vJG F+eMlruPXg/zd88NvyLq5gGHEsFRBMVufYmHtNfcp4okC1klWiRIRSdp4QY1wdrN 1O+/oCTl8Bzy6hcHjLIq3aoumcLxMjtBoclc/5OTioLDwSDfVx7rWyfRhcBzVbwD MgMW8hZXxszoICTTiQEcBBABAgAGBQJOTkelAAoJEKZP1bF62zmo79oH/1XDb29S SO93vc1evIje6lguE81HHmJn9noxPItvOvSMb2yPsE8mH4cJHRTFNSEhPW6ghmlf YtWp+MTJTPFEwlWRiyRuDXy3wBd/BpwBRIWfWzMs1gnCjNjk0EVBVGa2grvy9Jtx JKMd6l/PWXVucSt+U/+GO8rBkw14SdhqxaS2l14v6gyMeUrSbY3XfToGfwHC4sa/ Thn8X4jFaQ2XN5dAIzJGU1s5JA0tjEzUwCnmrKmyMlXZaoQVrmORGjCuH0I0aAFk RS0UtnB9HPpxhGVbs24xXZQnZDNbUQeulFxS4uP3OLDBAeCHl+v4t/uotIad8v6J Wa9ZwiVX5igxcvaIRgQQEQIABgUCTk5b0gAKCRDs8OkLLBcgg1G+AKCnacLb/+W6 -----END PGP PUBLIC KEY BLOCK----- cflirUIExgZdUJqoogCeNPVwXiHEIVqithAM1pdY/gcaQZmIRgQQEQIABgUCTk5f YQAKCRCpN2E5pSTFPnNWAJ9gUozyiS+9jf2rJvqmJSeWuCgVRwCcCUFhXRCpQO2Y Va3l3WuB+rgKjsQ= =EWWI
But, still got an error message indicating that there were missing keys:
So, I imported the following keys from the same link at the top:
- Andrew Alexeev’s PGP public key
- Igor Sysoev’s PGP public key
- Maxim Dounin’s PGP public key
- Maxim Konovalov’s PGP public key
- Sergey Budnevitch’s PGP public key
And still got this warning:
I also tried specifying the "--openpgp" parameter, and still got a similar warning:
Here's the results of the "gpg --list-packets" command:
Additional Resources:
Background Reading/Research Notes:
- https://gnupg.org/gph/en/manual.html
- https://gnupg.org/documentation/manuals/gnupg/OpenPGP-Key-Management.html#OpenPGP-Key-Management
- https://gnupg.org/gph/en/manual.html#AEN335
- https://www.dewinter.com/gnupg_howto/english/GPGMiniHowto.html
- https://gnupg.org/documentation/manuals/gnupg/Operational-GPG-Commands.html#Operational-GPG-Commands
- https://security.stackexchange.com/questions/150942/whys-the-public-key-block-different-although-fingerprint-is-same-for-gpg-keys
- https://serverfault.com/questions/569911/how-to-verify-an-imported-gpg-key
- "A "trusted signature" is a signature from a key that you trust, either because (a) you have personally verified that it belongs to the person to whom it claims to belong, or (b) because it has been signed by a key that you trust, possibly through a series of intermediate keys."
- Note that the warning "This key is not certified with a trusted signature" basically means, "this thing could have been signed by anybody"
- To avoid this problem, you would presumably download the ISC GPG key from the website and either trust it ultimately ("I believe this entity can certify itself") or sign it with your ultimately-trusted private key.
- "Without proper management of key trust, signature verification is mostly theater"
- https://www.cyberciti.biz/faq/pgp-tarball-file-signature-keys-verification/
- https://www.f5.com/company/news/press-releases/f5-acquires-nginx-to-bridge-netops-devops
On Monday, I will track down the F5 CISO (or someone in their security architecture group) - and advise them of this concern (email sent to: info@f5.com) -
At a minimum, the http://nginx.org/download/nginx-1.17.0.zip.asc - should be a generated by an account with a public key.
7 comments:
have they given a response on this yet?
I never received a reply from them.
I have not checked to see if this was subsequently resolved.
On 2020-09-25 @ 20:17 I tested 1.19.2.zip pgp
gpg --verify --openpgp nginx-1.19.2.zip.asc nginx-1.19.2.zip
gpg: Signature made Tue Aug 11 07:55:15 2020 PDT using RSA key ID A1C052F8
gpg: Can't check signature: public key not found
Also checked
gpg --verify nginx-1.19.2.tar.gz.asc nginx-1.19.2.tar.gz
gpg: Signature made Tue Aug 11 07:55:09 2020 PDT using RSA key ID A1C052F8
gpg: Can't check signature: public key not found
gpg --import nginx_signing.key
gpg: key 7BD9BF62: public key "nginx signing key " imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg: no ultimately trusted keys found
gpg --list-sig 7BD9BF62
pub 2048R/7BD9BF62 2011-08-19 [expires: 2024-06-14]
uid nginx signing key
sig 3 7BD9BF62 2016-06-16 nginx signing key
sig 7ADB39A8 2011-08-19 [User ID not found]
sig 2C172083 2011-08-19 [User ID not found]
sig A524C53E 2011-08-19 [User ID not found]
Read this thread:
How to Verifiy Nginx Source Tarball with GPG on Ubuntu Server
https://forum.nginx.org/read.php?11,279096
(still doesn't solve the problem...)
gpg --import maxim.key
gpg: key F54977D4: public key "Maxim Konovalov " imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg: no ultimately trusted keys found
gpg --import sb.key
gpg: key 7ADB39A8: public key "Sergey Budnevitch " imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg: no ultimately trusted keys found
gpg --import mdounin.key
gpg: key A1C052F8: public key "Maxim Dounin " imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg: no ultimately trusted keys found
gpg --verify nginx-1.19.2.zip.asc nginx-1.19.2.zip
gpg: Signature made Tue Aug 11 07:55:15 2020 PDT using RSA key ID A1C052F8
gpg: Good signature from "Maxim Dounin "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: B0F4 2533 73F8 F6F5 10D4 2178 520A 9993 A1C0 52F8
Basically, no one has confirmed that these signatures are actually made by the people they purportedly represent.
What a fucking shit show.
Post a Comment