diff xml/en/linux_packages.xml @ 932:774505846a54

Section about packages' and repositories' signatures added.
author Sergey Budnevitch <sb@waeme.net>
date Tue, 18 Jun 2013 14:19:23 +0400
parents 893d36b6d013
children f297382b1d63
--- a/xml/en/linux_packages.xml	Tue Jun 18 06:30:38 2013 +0000
+++ b/xml/en/linux_packages.xml	Tue Jun 18 14:19:23 2013 +0400
@@ -7,7 +7,7 @@
 <article name="nginx: Linux packages"
          link="/en/linux_packages.html"
          lang="en"
-         rev="2"
+         rev="3"
          toc="no">
 
 <section id="distributions">
@@ -273,4 +273,58 @@
 
 </section>
 
+
+<section name="Signatures" id="signatures">
+
+<para>
+Both RPM packages and Debian/Ubuntu repositories use digital signatures
+to verify the integrity and origin of the downloaded package.
+In order to check a signature it is necessary to download
+<link url="http://nginx.org/keys/nginx_signing.key">nginx signing key</link>
+and import it to the <command>rpm</command> or <command>apt</command>
+program’s keyring:
+
+<list type="bullet">
+
+<listitem>
+On Debian/Ubuntu:
+<programlisting>sudo apt-key add nginx_signing.key</programlisting>
+</listitem>
+
+<listitem>
+On RHEL/CentOS:
+<programlisting>sudo rpm --import nginx_signing.key</programlisting>
+</listitem>
+
+</list>
+</para>
+
+<para>
+On Debian/Ubuntu signatures are checked by default, but
+on RHEL/CentOS it is necessary to set
+<programlisting>gpgcheck=1</programlisting> in the
+<path>/etc/yum.repos.d/nginx.repo</path> file.
+</para>
+
+<para>
+Since our <link doc="../en/pgp_keys.xml">PGP keys</link>
+and packages are located on the same server,
+they are equally trusted.
+It is highly advised to additionally verify
+the authenticity of the downloaded PGP key.
+PGP has the “Web of Trust” concept,
+when a key is signed by someone else’s key,
+that in turn is signed by another key and so on.
+It often makes possible to build a chain from an arbitrary key
+to someone’s key who you know and trust personally,
+thus verify the authenticity of the first key in a chain.
+This concept is described in details in
+<link url="http://www.dewinter.com/gnupg_howto/english/GPGMiniHowto-1.html">
+GPG Mini Howto</link>.
+Our keys have enough signatures,
+and their authenticity is relatively easy to check.
+</para>
+
+</section>
+
 </article>
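Review bot: the key is fetched over plain http:// (`<link url="http://nginx.org/keys/nginx_signing.key">`) and the section tells readers to import it straight into the apt/rpm keyring, which makes the "verify the authenticity of the downloaded PGP key" advice hard to follow in practice; consider linking the key over HTTPS and printing its fingerprint in the text (for example via `gpg --with-fingerprint nginx_signing.key`) so a reader has something independent of the download to compare against before running `apt-key add` / `rpm --import`. Worth saying explicitly that `gpgcheck=1` only enables package signature checks on RHEL/CentOS and does nothing for the key's own trust. Minor wording in the last `<para>`: "they are equally trusted" reads as a recommendation rather than the caveat it is meant to be (perhaps "a compromise of the server would compromise both"), "when a key is signed" should be "where a key is signed", "It often makes possible to build" should be "It often makes it possible to build", "thus verify" should be "and thus verify", and "in details" should be "in detail".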