Mercurial > hg > nginx-site
comparison xml/en/linux_packages.xml @ 2322:bb03e6ac2f16
Added per-distro instructions on how to enable packages signature checks.
author | Konstantin Pavlov <thresh@videolan.org> |
---|---|
date | Wed, 30 Jan 2019 13:04:46 +0300 |
parents | 580c3007d242 |
children | eaef8f4ca921 |
comparison
equal
deleted
inserted
replaced
2321:580c3007d242 | 2322:bb03e6ac2f16 |
---|---|
5 <!DOCTYPE article SYSTEM "../../dtd/article.dtd"> | 5 <!DOCTYPE article SYSTEM "../../dtd/article.dtd"> |
6 | 6 |
7 <article name="nginx: Linux packages" | 7 <article name="nginx: Linux packages" |
8 link="/en/linux_packages.html" | 8 link="/en/linux_packages.html" |
9 lang="en" | 9 lang="en" |
10 rev="30" | 10 rev="31" |
11 toc="no"> | 11 toc="no"> |
12 | 12 |
13 <section id="distributions"> | 13 <section id="distributions"> |
14 | 14 |
15 <para> | 15 <para> |
118 | 118 |
119 </table> | 119 </table> |
120 </para> | 120 </para> |
121 | 121 |
122 <para> | 122 <para> |
123 To enable automatic updates of Linux packages | 123 Before you install nginx for the first time on a new machine, you need to |
124 set up the yum repository for the RHEL/CentOS distributions, | 124 set up the nginx packages repository. |
125 the apt repository for the Debian/Ubuntu distributions, | 125 Afterward, you can install and update nginx from the repository. |
126 or the zypper repository for SLES. | 126 </para> |
127 </para> | 127 |
128 | 128 </section> |
129 </section> | 129 |
130 | 130 |
131 | 131 <section name="Installation instructions" id="instructions"> |
132 <section name="Pre-Built Packages for Stable version" id="stable"> | 132 |
133 | 133 <section name="RHEL/CentOS" id="RHEL-CentOS"> |
134 <para> | 134 |
135 To set up the yum repository for RHEL/CentOS, create the file named | 135 <para> |
136 Install the prerequisites: | |
137 <programlisting> | |
138 sudo yum install yum-utils | |
139 </programlisting> | |
140 | |
141 To set up the yum repository, create the file named | |
136 <path>/etc/yum.repos.d/nginx.repo</path> | 142 <path>/etc/yum.repos.d/nginx.repo</path> |
137 with the following contents: | 143 with the following contents: |
138 | 144 |
139 <programlisting> | 145 <programlisting> |
140 [nginx] | 146 [nginx-stable] |
141 name=nginx repo | 147 name=nginx stable repo |
142 baseurl=http://nginx.org/packages/OS/OSRELEASE/$basearch/ | 148 baseurl=http://nginx.org/packages/centos/$releasever/$basearch/ |
143 gpgcheck=0 | 149 gpgcheck=1 |
144 enabled=1 | 150 enabled=1 |
145 </programlisting> | 151 gpgkey=https://nginx.org/keys/nginx_signing.key |
146 | 152 |
147 Replace “<literal>OS</literal>” with “<literal>rhel</literal>” or | 153 [nginx-mainline] |
148 “<literal>centos</literal>”, | 154 name=nginx mainline repo |
149 depending on the distribution used, and “<literal>OSRELEASE</literal>” | 155 baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/ |
150 with “<literal>6</literal>” or “<literal>7</literal>”, for 6.x or 7.x versions, | 156 gpgcheck=1 |
151 respectively. | 157 enabled=0 |
152 </para> | 158 gpgkey=https://nginx.org/keys/nginx_signing.key |
153 | 159 </programlisting> |
154 <para> | 160 |
155 For Debian/Ubuntu, in order to authenticate the nginx repository signature | 161 By default, the repository for stable nginx packages is used. |
156 and to eliminate warnings about missing PGP key during installation of the | 162 If you would like to use mainline nginx packages, run the following command: |
157 nginx package, it is necessary to add the key used to sign the nginx | 163 <programlisting> |
158 packages and repository to the <command>apt</command> program keyring. | 164 sudo yum-config-manager --enable nginx-mainline |
159 Please download <link url="/keys/nginx_signing.key">this | 165 </programlisting> |
160 key</link> from our web site, and add it to the <command>apt</command> | 166 |
161 program keyring with the following command: | 167 To install nginx, run the following command: |
162 <programlisting> | 168 <programlisting> |
163 sudo apt-key add nginx_signing.key | 169 sudo yum install nginx |
164 </programlisting> | 170 </programlisting> |
165 </para> | 171 |
166 | 172 When prompted to accept the GPG key, verify that the fingerprint matches |
167 <para> | 173 <command>573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62</command>, |
168 For Debian replace <i>codename</i> with Debian distribution | 174 and if so, accept it. |
169 <link id="distributions">codename</link>, and append the following to | 175 </para> |
170 the end of the <path>/etc/apt/sources.list</path> file: | 176 |
171 | 177 </section> |
172 <programlisting> | 178 |
173 deb http://nginx.org/packages/debian/ <i>codename</i> nginx | 179 |
174 deb-src http://nginx.org/packages/debian/ <i>codename</i> nginx | 180 <section name="Debian" id="Debian"> |
175 </programlisting> | 181 |
176 </para> | 182 <para> |
177 | 183 Install the prerequisites: |
178 <para> | 184 <programlisting> |
179 For Ubuntu replace <i>codename</i> with Ubuntu distribution | 185 sudo apt install curl gnupg2 ca-certificates lsb-release |
180 <link id="distributions">codename</link>, and append the following to | 186 </programlisting> |
181 the end of the <path>/etc/apt/sources.list</path> file: | 187 |
182 | 188 To set up the apt repository for stable nginx packages, |
183 <programlisting> | 189 run the following command: |
184 deb http://nginx.org/packages/ubuntu/ <i>codename</i> nginx | 190 <programlisting> |
185 deb-src http://nginx.org/packages/ubuntu/ <i>codename</i> nginx | 191 echo "deb http://nginx.org/packages/debian `lsb_release -cs` nginx" \ |
186 </programlisting> | 192 | sudo tee /etc/apt/sources.list.d/nginx.list |
187 </para> | 193 </programlisting> |
188 | 194 |
189 <para> | 195 If you would like to use mainline nginx packages, |
190 For Debian/Ubuntu then run the following commands: | 196 run the following command instead: |
191 <programlisting> | 197 <programlisting> |
192 apt-get update | 198 echo "deb http://nginx.org/packages/mainline/debian `lsb_release -cs` nginx" \ |
193 apt-get install nginx | 199 | sudo tee /etc/apt/sources.list.d/nginx.list |
194 </programlisting> | 200 </programlisting> |
195 </para> | 201 |
196 | 202 Next, import an official nginx signing key so apt could verify the packages |
197 <para> | 203 authenticity: |
198 For SLES 12 run the following command: | 204 <programlisting> |
199 <programlisting> | 205 curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo apt-key add - |
200 zypper addrepo -G -t yum -c 'http://nginx.org/packages/sles/12' nginx | 206 </programlisting> |
201 </programlisting> | 207 |
202 </para> | 208 Verify that you now have the proper key: |
203 | 209 <programlisting> |
204 <para> | 210 sudo apt-key fingerprint ABF5BD827BD9BF62 |
205 For SLES 15 run the following command: | 211 </programlisting> |
206 <programlisting> | 212 |
207 zypper addrepo -G -t yum -c 'http://nginx.org/packages/sles/15' nginx | 213 The output should contain the full fingerprint |
208 </programlisting> | 214 <command>573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62</command> |
209 </para> | 215 as follows: |
210 | 216 <programlisting> |
211 </section> | 217 pub rsa2048 2011-08-19 [SC] [expires: 2024-06-14] |
212 | 218 573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62 |
213 | 219 uid [ unknown] nginx signing key <signing-key@nginx.com> |
214 <section name="Pre-Built Packages for Mainline version" id="mainline"> | 220 </programlisting> |
215 | 221 |
216 <para> | 222 To install nginx, run the following commands: |
217 To set up the yum repository for RHEL/CentOS, create the file named | 223 <programlisting> |
218 <path>/etc/yum.repos.d/nginx.repo</path> | 224 sudo apt update |
219 with the following contents: | 225 sudo apt install nginx |
220 | 226 </programlisting> |
221 <programlisting> | 227 </para> |
222 [nginx] | 228 |
223 name=nginx repo | 229 </section> |
224 baseurl=http://nginx.org/packages/mainline/OS/OSRELEASE/$basearch/ | 230 |
225 gpgcheck=0 | 231 |
226 enabled=1 | 232 <section name="Ubuntu" id="Ubuntu"> |
227 </programlisting> | 233 |
228 | 234 <para> |
229 Replace “<literal>OS</literal>” with “<literal>rhel</literal>” or | 235 Install the prerequisites: |
230 “<literal>centos</literal>”, | 236 <programlisting> |
231 depending on the distribution used, and “<literal>OSRELEASE</literal>” | 237 sudo apt install curl gnupg2 ca-certificates lsb-release |
232 with “<literal>6</literal>” or “<literal>7</literal>”, for 6.x or 7.x versions, | 238 </programlisting> |
233 respectively. | 239 |
234 </para> | 240 To set up the apt repository for stable nginx packages, |
235 | 241 run the following command: |
236 <para> | 242 <programlisting> |
237 For Debian/Ubuntu, in order to authenticate the nginx repository signature | 243 echo "deb http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" \ |
238 and to eliminate warnings about missing PGP key during installation of the | 244 | sudo tee /etc/apt/sources.list.d/nginx.list |
239 nginx package, it is necessary to add the key used to sign the nginx | 245 </programlisting> |
240 packages and repository to the <command>apt</command> program keyring. | 246 |
241 Please download <link url="/keys/nginx_signing.key">this | 247 If you would like to use mainline nginx packages, |
242 key</link> from our web site, and add it to the <command>apt</command> | 248 run the following command instead: |
243 program keyring with the following command: | 249 <programlisting> |
244 <programlisting> | 250 echo "deb http://nginx.org/packages/mainline/ubuntu `lsb_release -cs` nginx" \ |
245 sudo apt-key add nginx_signing.key | 251 | sudo tee /etc/apt/sources.list.d/nginx.list |
246 </programlisting> | 252 </programlisting> |
247 </para> | 253 |
248 | 254 Next, import an official nginx signing key so apt could verify the packages |
249 <para> | 255 authenticity: |
250 For Debian replace <i>codename</i> with Debian distribution | 256 <programlisting> |
251 <link id="distributions">codename</link>, and append the following to | 257 curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo apt-key add - |
252 the end of the <path>/etc/apt/sources.list</path> file: | 258 </programlisting> |
253 | 259 |
254 <programlisting> | 260 Verify that you now have the proper key: |
255 deb http://nginx.org/packages/mainline/debian/ <i>codename</i> nginx | 261 <programlisting> |
256 deb-src http://nginx.org/packages/mainline/debian/ <i>codename</i> nginx | 262 sudo apt-key fingerprint ABF5BD827BD9BF62 |
257 </programlisting> | 263 </programlisting> |
258 </para> | 264 |
259 | 265 The output should contain the full fingerprint |
260 <para> | 266 <command>573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62</command> |
261 For Ubuntu replace <i>codename</i> with Ubuntu distribution | 267 as follows: |
262 <link id="distributions">codename</link>, and append the following to | 268 <programlisting> |
263 the end of the <path>/etc/apt/sources.list</path> file: | 269 pub rsa2048 2011-08-19 [SC] [expires: 2024-06-14] |
264 | 270 573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62 |
265 <programlisting> | 271 uid [ unknown] nginx signing key <signing-key@nginx.com> |
266 deb http://nginx.org/packages/mainline/ubuntu/ <i>codename</i> nginx | 272 </programlisting> |
267 deb-src http://nginx.org/packages/mainline/ubuntu/ <i>codename</i> nginx | 273 |
268 </programlisting> | 274 To install nginx, run the following commands: |
269 </para> | 275 <programlisting> |
270 | 276 sudo apt update |
271 <para> | 277 sudo apt install nginx |
272 For Debian/Ubuntu then run the following commands: | 278 </programlisting> |
273 <programlisting> | 279 </para> |
274 apt-get update | 280 |
275 apt-get install nginx | 281 </section> |
276 </programlisting> | 282 |
277 </para> | 283 |
278 | 284 <section name="SLES" id="SLES"> |
279 <para> | 285 |
280 For SLES 12 run the following command: | 286 <para> |
281 <programlisting> | 287 Install the prerequisites: |
282 zypper addrepo -G -t yum -c 'http://nginx.org/packages/mainline/sles/12' nginx | 288 <programlisting> |
283 </programlisting> | 289 sudo zypper install curl ca-certificates gpg2 |
284 </para> | 290 </programlisting> |
285 | 291 |
286 <para> | 292 To set up the zypper repository for stable nginx packages, |
287 For SLES 15 run the following command: | 293 run the following command: |
288 <programlisting> | 294 <programlisting> |
289 zypper addrepo -G -t yum -c 'http://nginx.org/packages/mainline/sles/15' nginx | 295 sudo zypper addrepo --gpgcheck --type yum --refresh --check \ |
290 </programlisting> | 296 'http://nginx.org/packages/sles/$releasever' nginx-stable |
291 </para> | 297 </programlisting> |
298 | |
299 If you would like to use mainline nginx packages, | |
300 run the following command instead: | |
301 <programlisting> | |
302 sudo zypper addrepo --gpgcheck --type yum --refresh --check \ | |
303 'http://nginx.org/packages/mainline/sles/$releasever' nginx-mainline | |
304 </programlisting> | |
305 | |
306 Next, import an official nginx signing key so zypper/rpm could verify | |
307 the packages authenticity. | |
308 Fetch the key: | |
309 <programlisting> | |
310 curl -o /tmp/nginx_signing.key https://nginx.org/keys/nginx_signing.key | |
311 </programlisting> | |
312 | |
313 Verify that the downloaded file contains the proper key: | |
314 <programlisting> | |
315 gpg --with-fingerprint /tmp/nginx_signing.key | |
316 </programlisting> | |
317 | |
318 The output should contain the full fingerprint | |
319 <command>573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62</command> | |
320 as follows: | |
321 <programlisting> | |
322 pub 2048R/7BD9BF62 2011-08-19 [expires: 2024-06-14] | |
323 Key fingerprint = 573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62 | |
324 uid nginx signing key <signing-key@nginx.com> | |
325 </programlisting> | |
326 | |
327 Finally, import the key to the rpm database: | |
328 <programlisting> | |
329 sudo rpmkeys --import /tmp/nginx_signing.key | |
330 </programlisting> | |
331 | |
332 To install nginx, run the following command: | |
333 <programlisting> | |
334 sudo zypper install nginx | |
335 </programlisting> | |
336 </para> | |
337 | |
338 </section> | |
292 | 339 |
293 </section> | 340 </section> |
294 | 341 |
295 | 342 |
296 <section name="Source Packages" id="sourcepackages"> | 343 <section name="Source Packages" id="sourcepackages"> |
337 | 384 |
338 </section> | 385 </section> |
339 | 386 |
340 | 387 |
341 <section name="Signatures" id="signatures"> | 388 <section name="Signatures" id="signatures"> |
342 | |
343 <para> | |
344 Both RPM packages and Debian/Ubuntu repositories use digital signatures | |
345 to verify the integrity and origin of the downloaded package. | |
346 In order to check a signature it is necessary to download | |
347 <link url="/keys/nginx_signing.key">nginx signing key</link> | |
348 and import it to the <command>rpm</command> or <command>apt</command> | |
349 program’s keyring: | |
350 | |
351 <list type="bullet"> | |
352 | |
353 <listitem> | |
354 On Debian/Ubuntu: | |
355 <programlisting>sudo apt-key add nginx_signing.key</programlisting> | |
356 </listitem> | |
357 | |
358 <listitem> | |
359 On RHEL/CentOS: | |
360 <programlisting>sudo rpm --import nginx_signing.key</programlisting> | |
361 </listitem> | |
362 | |
363 <listitem> | |
364 On SLES: | |
365 <programlisting>sudo rpm --import nginx_signing.key</programlisting> | |
366 </listitem> | |
367 | |
368 </list> | |
369 </para> | |
370 | |
371 <para> | |
372 On Debian/Ubuntu/SLES signatures are checked by default, but | |
373 on RHEL/CentOS it is necessary to set | |
374 <programlisting>gpgcheck=1</programlisting> in the | |
375 <path>/etc/yum.repos.d/nginx.repo</path> file. | |
376 </para> | |
377 | 389 |
378 <para> | 390 <para> |
379 Since our <link doc="../en/pgp_keys.xml">PGP keys</link> | 391 Since our <link doc="../en/pgp_keys.xml">PGP keys</link> |
380 and packages are located on the same server, | 392 and packages are located on the same server, |
381 they are equally trusted. | 393 they are equally trusted. |