nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

GPG key id 251A28DE2685AED from the installation guide isn't valid #490

Closed jsdream closed 4 years ago

jsdream commented 4 years ago

I'm following the installation guide (https://github.com/nbs-system/naxsi/wiki/naxsi-compile) and am stuck at verifying the signature. gpg --recv-key 251A28DE2685AED gives me gpg: "251A28DE2685AED" not a key ID: skipping

Is the key ID wrong or is it me doing something wrong?

wargio commented 4 years ago

for some reason that key is not available anymore on the keyserver. i'll try tomorrow to find which key that is linked to and re-upload the pubkey

jsdream commented 4 years ago

@wargio Thank you for your quick reply. Looking forward to it.

wargio commented 4 years ago

the issue is that it was missing a 4 at the end, so it wasn't a HEX number. i've updated the wiki. the key that you have to fetch is 251A28DE2685AED4 so just gpg --recv-key 251A28DE2685AED4 and it should work

jsdream commented 4 years ago

Thanks @wargio. Now the key is being fetched, but I'm getting another error when trying to verify:

gpg: Total number processed: 1
gpg:           w/o user IDs: 1
gpg: assuming signed data in 'naxsi-0.56.tar.gz'
gpg: Signature made Wed Jun 27 10:38:00 2018 UTC
gpg:                using RSA key 5FA35473CA73872AA9731F5C251A28DE2685AED4
gpg:                issuer "tko@nbs-system.com"
gpg: Can't check signature: No public key

wargio commented 4 years ago

> Thanks @wargio. Now the key is being fetched, but I'm getting another error when trying to verify:
>
> gpg: Total number processed: 1
> gpg:           w/o user IDs: 1
> gpg: assuming signed data in 'naxsi-0.56.tar.gz'
> gpg: Signature made Wed Jun 27 10:38:00 2018 UTC
> gpg:                using RSA key 5FA35473CA73872AA9731F5C251A28DE2685AED4
> gpg:                issuer "tko@nbs-system.com"
> gpg: Can't check signature: No public key

i think something went wrong when fetching the key or when you trust it.

this is what it should look like:

$ gpg --recv-key 251A28DE2685AED4
gpg: enabled debug flags: memstat
gpg: key 251A28DE2685AED4: public key "Naxsi Project (Key Used To Sign Code) <tko@nbs-system.com>" imported

$ gpg --verify naxsi-0.56.zip.asc 
gpg: enabled debug flags: memstat
gpg: assuming signed data in 'naxsi-0.56.zip'
gpg: Signature made Wed 27 Jun 2018 12:38:13 PM CEST
gpg:                using RSA key 5FA35473CA73872AA9731F5C251A28DE2685AED4
gpg:                issuer "tko@nbs-system.com"
gpg: Good signature from "Naxsi Project (Key Used To Sign Code) <tko@nbs-system.com>" [full]

jsdream commented 4 years ago

@wargio The issue was on my end. I'm running this inside a Docker container based on the official Nginx image and it looks like it was fetching the key from a wrong keyserver. Adding --keyserver keyserver.ubuntu.com fixed the problem.

wargio commented 4 years ago

ok. i'm closing the issue then, since it's solved. :)
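
Added example, not part of the thread and not the naxsi project's code: a shell sketch of a scripted verification (for instance in a Docker build) that covers both failures seen above. It checks the key ID length before calling gpg, names the keyserver explicitly, and accepts the archive only if gpg reports a valid signature from the full fingerprint shown in the gpg output above, rather than from the 16-digit key ID. The function names are hypothetical; the fingerprint and keyserver are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: values come from the thread, function names are hypothetical.
EXPECTED_FPR="5FA35473CA73872AA9731F5C251A28DE2685AED4"  # "using RSA key" line above
KEYSERVER="keyserver.ubuntu.com"                          # keyserver that worked above

# Succeeds for the common hex forms: 8 or 16 digit key ID, or 40 digit
# fingerprint, with an optional 0x prefix. A 15 digit ID is rejected.
is_valid_key_id() {
  kid=${1#0x}
  case "$kid" in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
  case "${#kid}" in 8|16|40) return 0 ;; *) return 1 ;; esac
}

# Reads `gpg --status-fd 1 --verify` output on stdin. Succeeds only if a
# VALIDSIG record names the pinned fingerprint, either as the signing key
# (third field) or as the primary key (last field).
validsig_matches() {
  want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
  awk -v want="$want" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
    END { exit !ok }'
}

# usage: verify_release <signature-file> <archive>
# Needs network access for the key fetch, so it is defined but not called here.
verify_release() {
  is_valid_key_id "$EXPECTED_FPR" || return 1
  gpg --keyserver "$KEYSERVER" --recv-keys "$EXPECTED_FPR" || return 1
  gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | validsig_matches "$EXPECTED_FPR"
}

# Offline demo: the ID from the old wiki text versus the corrected one.
for candidate in 251A28DE2685AED 251A28DE2685AED4; do
  if is_valid_key_id "$candidate"; then
    echo "$candidate: usable key ID"
  else
    echo "$candidate: rejected (${#candidate} characters)"
  fi
done
```

Pinning the 40-digit fingerprint means a different key that happens to share the short or long key ID does not pass the check.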