diff xml/en/linux_packages.xml @ 2322:bb03e6ac2f16
Added per-distro instructions on how to enable packages signature checks.
author | Konstantin Pavlov <thresh@videolan.org> |
---|---|
date | Wed, 30 Jan 2019 13:04:46 +0300 |
parents | 580c3007d242 |
children | eaef8f4ca921 |
--- a/xml/en/linux_packages.xml Wed Jan 30 13:04:42 2019 +0300 +++ b/xml/en/linux_packages.xml Wed Jan 30 13:04:46 2019 +0300 @@ -7,7 +7,7 @@ <article name="nginx: Linux packages" link="/en/linux_packages.html" lang="en" - rev="30" + rev="31" toc="no"> <section id="distributions"> 
@@ -120,175 +120,222 @@ </para> <para> -To enable automatic updates of Linux packages -set up the yum repository for the RHEL/CentOS distributions, -the apt repository for the Debian/Ubuntu distributions, -or the zypper repository for SLES. +Before you install nginx for the first time on a new machine, you need to +set up the nginx packages repository. +Afterward, you can install and update nginx from the repository. </para> </section> -<section name="Pre-Built Packages for Stable version" id="stable"> +<section name="Installation instructions" id="instructions"> + +<section name="RHEL/CentOS" id="RHEL-CentOS"> <para> -To set up the yum repository for RHEL/CentOS, create the file named +Install the prerequisites: +<programlisting> +sudo yum install yum-utils +</programlisting> + +To set up the yum repository, create the file named <path>/etc/yum.repos.d/nginx.repo</path> with the following contents: <programlisting> -[nginx] -name=nginx repo -baseurl=http://nginx.org/packages/OS/OSRELEASE/$basearch/ -gpgcheck=0 +[nginx-stable] +name=nginx stable repo +baseurl=http://nginx.org/packages/centos/$releasever/$basearch/ +gpgcheck=1 enabled=1 +gpgkey=https://nginx.org/keys/nginx_signing.key + +[nginx-mainline] +name=nginx mainline repo +baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/ +gpgcheck=1 +enabled=0 +gpgkey=https://nginx.org/keys/nginx_signing.key </programlisting> -Replace “<literal>OS</literal>” with “<literal>rhel</literal>” or -“<literal>centos</literal>”, -depending on the distribution used, and “<literal>OSRELEASE</literal>” -with “<literal>6</literal>” or “<literal>7</literal>”, for 6.x or 7.x versions, -respectively. +By default, the repository for stable nginx packages is used. 
+If you would like to use mainline nginx packages, run the following command: +<programlisting> +sudo yum-config-manager --enable nginx-mainline +</programlisting> + +To install nginx, run the following command: +<programlisting> +sudo yum install nginx +</programlisting> + +When prompted to accept the GPG key, verify that the fingerprint matches +<command>573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62</command>, +and if so, accept it. </para> -<para> -For Debian/Ubuntu, in order to authenticate the nginx repository signature -and to eliminate warnings about missing PGP key during installation of the -nginx package, it is necessary to add the key used to sign the nginx -packages and repository to the <command>apt</command> program keyring. -Please download <link url="/keys/nginx_signing.key">this -key</link> from our web site, and add it to the <command>apt</command> -program keyring with the following command: -<programlisting> -sudo apt-key add nginx_signing.key -</programlisting> -</para> +</section> + + +<section name="Debian" id="Debian"> <para> -For Debian replace <i>codename</i> with Debian distribution -<link id="distributions">codename</link>, and append the following to -the end of the <path>/etc/apt/sources.list</path> file: - +Install the prerequisites: <programlisting> -deb http://nginx.org/packages/debian/ <i>codename</i> nginx -deb-src http://nginx.org/packages/debian/ <i>codename</i> nginx +sudo apt install curl gnupg2 ca-certificates lsb-release </programlisting> -</para> -<para> -For Ubuntu replace <i>codename</i> with Ubuntu distribution -<link id="distributions">codename</link>, and append the following to -the end of the <path>/etc/apt/sources.list</path> file: +To set up the apt repository for stable nginx packages, +run the following command: +<programlisting> +echo "deb http://nginx.org/packages/debian `lsb_release -cs` nginx" \ + | sudo tee /etc/apt/sources.list.d/nginx.list +</programlisting> +If you would like to use mainline nginx 
packages, +run the following command instead: <programlisting> -deb http://nginx.org/packages/ubuntu/ <i>codename</i> nginx -deb-src http://nginx.org/packages/ubuntu/ <i>codename</i> nginx +echo "deb http://nginx.org/packages/mainline/debian `lsb_release -cs` nginx" \ + | sudo tee /etc/apt/sources.list.d/nginx.list </programlisting> -</para> -<para> -For Debian/Ubuntu then run the following commands: +Next, import an official nginx signing key so apt could verify the packages +authenticity: <programlisting> -apt-get update -apt-get install nginx +curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo apt-key add - </programlisting> -</para> + +Verify that you now have the proper key: +<programlisting> +sudo apt-key fingerprint ABF5BD827BD9BF62 +</programlisting> -<para> -For SLES 12 run the following command: +The output should contain the full fingerprint +<command>573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62</command> +as follows: <programlisting> -zypper addrepo -G -t yum -c 'http://nginx.org/packages/sles/12' nginx +pub rsa2048 2011-08-19 [SC] [expires: 2024-06-14] + 573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62 +uid [ unknown] nginx signing key <signing-key@nginx.com> </programlisting> -</para> -<para> -For SLES 15 run the following command: +To install nginx, run the following commands: <programlisting> -zypper addrepo -G -t yum -c 'http://nginx.org/packages/sles/15' nginx +sudo apt update +sudo apt install nginx </programlisting> </para> </section> -<section name="Pre-Built Packages for Mainline version" id="mainline"> +<section name="Ubuntu" id="Ubuntu"> <para> -To set up the yum repository for RHEL/CentOS, create the file named -<path>/etc/yum.repos.d/nginx.repo</path> -with the following contents: +Install the prerequisites: +<programlisting> +sudo apt install curl gnupg2 ca-certificates lsb-release +</programlisting> +To set up the apt repository for stable nginx packages, +run the following command: <programlisting> -[nginx] -name=nginx 
repo -baseurl=http://nginx.org/packages/mainline/OS/OSRELEASE/$basearch/ -gpgcheck=0 -enabled=1 +echo "deb http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" \ + | sudo tee /etc/apt/sources.list.d/nginx.list +</programlisting> + +If you would like to use mainline nginx packages, +run the following command instead: +<programlisting> +echo "deb http://nginx.org/packages/mainline/ubuntu `lsb_release -cs` nginx" \ + | sudo tee /etc/apt/sources.list.d/nginx.list </programlisting> -Replace “<literal>OS</literal>” with “<literal>rhel</literal>” or -“<literal>centos</literal>”, -depending on the distribution used, and “<literal>OSRELEASE</literal>” -with “<literal>6</literal>” or “<literal>7</literal>”, for 6.x or 7.x versions, -respectively. -</para> +Next, import an official nginx signing key so apt could verify the packages +authenticity: +<programlisting> +curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo apt-key add - +</programlisting> + +Verify that you now have the proper key: +<programlisting> +sudo apt-key fingerprint ABF5BD827BD9BF62 +</programlisting> -<para> -For Debian/Ubuntu, in order to authenticate the nginx repository signature -and to eliminate warnings about missing PGP key during installation of the -nginx package, it is necessary to add the key used to sign the nginx -packages and repository to the <command>apt</command> program keyring. 
-Please download <link url="/keys/nginx_signing.key">this -key</link> from our web site, and add it to the <command>apt</command> -program keyring with the following command: +The output should contain the full fingerprint +<command>573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62</command> +as follows: <programlisting> -sudo apt-key add nginx_signing.key +pub rsa2048 2011-08-19 [SC] [expires: 2024-06-14] + 573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62 +uid [ unknown] nginx signing key <signing-key@nginx.com> +</programlisting> + +To install nginx, run the following commands: +<programlisting> +sudo apt update +sudo apt install nginx </programlisting> </para> -<para> -For Debian replace <i>codename</i> with Debian distribution -<link id="distributions">codename</link>, and append the following to -the end of the <path>/etc/apt/sources.list</path> file: +</section> -<programlisting> -deb http://nginx.org/packages/mainline/debian/ <i>codename</i> nginx -deb-src http://nginx.org/packages/mainline/debian/ <i>codename</i> nginx -</programlisting> -</para> + +<section name="SLES" id="SLES"> <para> -For Ubuntu replace <i>codename</i> with Ubuntu distribution -<link id="distributions">codename</link>, and append the following to -the end of the <path>/etc/apt/sources.list</path> file: +Install the prerequisites: +<programlisting> +sudo zypper install curl ca-certificates gpg2 +</programlisting> + +To set up the zypper repository for stable nginx packages, +run the following command: +<programlisting> +sudo zypper addrepo --gpgcheck --type yum --refresh --check \ + 'http://nginx.org/packages/sles/$releasever' nginx-stable +</programlisting> + +If you would like to use mainline nginx packages, +run the following command instead: +<programlisting> +sudo zypper addrepo --gpgcheck --type yum --refresh --check \ + 'http://nginx.org/packages/mainline/sles/$releasever' nginx-mainline +</programlisting> +Next, import an official nginx signing key so zypper/rpm could verify 
+the packages authenticity. +Fetch the key: <programlisting> -deb http://nginx.org/packages/mainline/ubuntu/ <i>codename</i> nginx -deb-src http://nginx.org/packages/mainline/ubuntu/ <i>codename</i> nginx +curl -o /tmp/nginx_signing.key https://nginx.org/keys/nginx_signing.key +</programlisting> + +Verify that the downloaded file contains the proper key: +<programlisting> +gpg --with-fingerprint /tmp/nginx_signing.key +</programlisting> + +The output should contain the full fingerprint +<command>573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62</command> +as follows: +<programlisting> +pub 2048R/7BD9BF62 2011-08-19 [expires: 2024-06-14] + Key fingerprint = 573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62 +uid nginx signing key <signing-key@nginx.com> +</programlisting> + +Finally, import the key to the rpm database: +<programlisting> +sudo rpmkeys --import /tmp/nginx_signing.key +</programlisting> + +To install nginx, run the following command: +<programlisting> +sudo zypper install nginx </programlisting> </para> -<para> -For Debian/Ubuntu then run the following commands: -<programlisting> -apt-get update -apt-get install nginx -</programlisting> -</para> - -<para> -For SLES 12 run the following command: -<programlisting> -zypper addrepo -G -t yum -c 'http://nginx.org/packages/mainline/sles/12' nginx -</programlisting> -</para> - -<para> -For SLES 15 run the following command: -<programlisting> -zypper addrepo -G -t yum -c 'http://nginx.org/packages/mainline/sles/15' nginx -</programlisting> -</para> +</section> </section> 
@@ -341,41 +388,6 @@ <section name="Signatures" id="signatures"> <para> -Both RPM packages and Debian/Ubuntu repositories use digital signatures -to verify the integrity and origin of the downloaded package. -In order to check a signature it is necessary to download -<link url="/keys/nginx_signing.key">nginx signing key</link> -and import it to the <command>rpm</command> or <command>apt</command> -program’s keyring: - -<list type="bullet"> - -<listitem> -On Debian/Ubuntu: -<programlisting>sudo apt-key add nginx_signing.key</programlisting> -</listitem> - -<listitem> -On RHEL/CentOS: -<programlisting>sudo rpm --import nginx_signing.key</programlisting> -</listitem> - -<listitem> -On SLES: -<programlisting>sudo rpm --import nginx_signing.key</programlisting> -</listitem> - -</list> -</para> - -<para> -On Debian/Ubuntu/SLES signatures are checked by default, but -on RHEL/CentOS it is necessary to set -<programlisting>gpgcheck=1</programlisting> in the -<path>/etc/yum.repos.d/nginx.repo</path> file. -</para> - -<para> Since our <link doc="../en/pgp_keys.xml">PGP keys</link> and packages are located on the same server, they are equally trusted.
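Review bot: In the Debian and Ubuntu sections of the `@@ -120,175 +120,222 @@` hunk, `curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo apt-key add -` puts the key into the apt keyring before the reader is asked to check its fingerprint, so a wrong key is already trusted by the time `sudo apt-key fingerprint ABF5BD827BD9BF62` is run. The SLES section in the same hunk has the safer order: fetch the key to a file, inspect it with `gpg --with-fingerprint`, and only then import it. Suggest the same three steps for Debian and Ubuntu, ending with `sudo apt-key add` on the file that was checked. Separately, the SLES steps write to the fixed path `/tmp/nginx_signing.key` in a shared directory and import it later with sudo; a file created with `mktemp` or kept under the user's home directory would avoid another local user pre-creating that path.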
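Review bot: In the `@@ -341,41 +388,6 @@` hunk, the "Signatures" section now opens directly with "Since our PGP keys and packages are located on the same server, they are equally trusted", with nothing left to say that the packages and repositories are signed or where the key import is described. The removed text was also the only place stating that signatures are checked by default on Debian/Ubuntu/SLES while RHEL/CentOS needs `gpgcheck=1`. Suggest keeping a one-sentence introduction in this section that says the packages are signed and links to the new `id="instructions"` section for the per-distro key setup.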