Releases are signed using PGP. Checking the signature is good practice for verifying the origin and the integrity of the download. Checking the signature requires the public key of the signer. If you're even more paranoid and think that the server might get hacked (smart person!), check the primary key fingerprint: 4C2C 85E7 05DC 7308 3399 0C38 A937 6139 A524 C53E
You can find all keys for nginx at http://nginx.org/en/pgp_keys.html
But well, this is a wiki and the public can edit such pages... The PGP way to decide which key to trust would be for the owner of the key to get it signed by some other well-trusted keys. (Suggestion to Igor)
Adding the key to apt on Debian-based servers
- Download the key nginx_signing.key
- Run as root (or with sudo): apt-key add nginx_signing.key
- Install nginx from the nginx.org repository.
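
One way to apply the fingerprint check before the apt-key step, as an added example that is not part of the original page or of the nginx project: it parses GnuPG's colon-format key listing and accepts the file only if it holds exactly one primary key whose fingerprint matches the one given above. It assumes a GnuPG version that provides `--show-keys`; the function names are hypothetical and the sample listing is constructed around the page's fingerprint.

```shell
#!/bin/sh
# Expected primary key fingerprint, as printed on this page.
EXPECTED_FPR="4C2C 85E7 05DC 7308 3399 0C38 A937 6139 A524 C53E"

# Strip whitespace and upper-case hex digits so that differently
# formatted fingerprints compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons` output on stdin and print the fingerprint of
# every primary key: the first "fpr" record after a "pub" record
# (field 10). "fpr" records following "sub" records are subkeys.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeed only if the listing on stdin contains exactly one primary key
# and its fingerprint equals the expected one ($1). A file that bundles
# an extra key is rejected, since apt-key add would import that too.
listing_matches() {
    expected=$(normalize_fpr "$1")
    found=$(primary_fprs)
    count=$(printf '%s\n' "$found" | awk 'NF { n++ } END { print n + 0 }')
    [ "$count" -eq 1 ] && [ "$(normalize_fpr "$found")" = "$expected" ]
}

# Inspect a downloaded key file without importing it into any keyring.
check_key_file() {
    gpg --show-keys --with-colons "$1" | listing_matches "$EXPECTED_FPR"
}

# Constructed sample listing (not real gpg output): only the primary
# fingerprint is taken from this page, every other field is made up.
SAMPLE_LISTING='pub:-:2048:1:A9376139A524C53E:1300000000:::-:::scESC:
fpr:::::::::4C2C85E705DC730833990C38A9376139A524C53E:
uid:-::::::::constructed signer <signer@example.invalid>:
sub:-:2048:1:1111111111111111:1300000000::::::e:
fpr:::::::::0000000000000000000000000000000000001111:'

# Typical use, run before the apt-key step above:
#   check_key_file nginx_signing.key && apt-key add nginx_signing.key
```

The expected fingerprint should be obtained over a channel independent of the server that delivered the key file; otherwise the comparison only proves the two downloads agree.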