doc: update the instruction on how to verify releases · nodejs/node@927742b
@@ -95,37 +95,27 @@ _docs_ subdirectory. Version-specific documentation is also at
95959696### Verifying binaries
979798-Download directories contain a `SHASUMS256.txt` file with SHA checksums for the
99-files.
98+Download directories contain a `SHASUMS256.txt.asc` file with SHA checksums for the
99+files and the releaser PGP signature.
100100101-To download `SHASUMS256.txt` using `curl`:
101+You can get a trusted keyring from nodejs/release-keys, e.g. using `curl`:
102102103103```bash
104-curl -O https://nodejs.org/dist/vx.y.z/SHASUMS256.txt
104+curl -fsLo "/path/to/nodejs-keyring.kbx" "https://github.com/nodejs/release-keys/raw/HEAD/gpg/pubring.kbx"
105105```
106106107-To check that downloaded files match the checksum, use `sha256sum`:
107+Alternatively, you can import the releaser keys in your default keyring, see
108+[Release keys](#release-keys) for commands to how to do that.
108109109-```bash
110-sha256sum -c SHASUMS256.txt --ignore-missing
111-```
112-113-For Current and LTS, the GPG detached signature of `SHASUMS256.txt` is in
114-`SHASUMS256.txt.sig`. You can use it with `gpg` to verify the integrity of
115-`SHASUMS256.txt`. You will first need to import
116-[the GPG keys of individuals authorized to create releases](#release-keys).
117-118-See [Release keys](#release-keys) for commands to import active release keys.
119-120-Next, download the `SHASUMS256.txt.sig` for the release:
110+Then, you can verify the files you've downloaded locally
111+(if you're using your default keyring, pass `--keyring="${GNUPGHOME:-~/.gnupg}/pubring.kbx"`):
121112122113```bash
123-curl -O https://nodejs.org/dist/vx.y.z/SHASUMS256.txt.sig
114+curl -fsO "https://nodejs.org/dist/${VERSION}/SHASUMS256.txt.asc" \
115+&& gpgv --keyring="/path/to/nodejs-keyring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \
116+&& shasum --check SHASUMS256.txt --ignore-missing
124117```
125118126-Then use `gpg --verify SHASUMS256.txt.sig SHASUMS256.txt` to verify
127-the file's signature.
128-129119## Building Node.js
130120131121See [BUILDING.md](BUILDING.md) for instructions on how to build Node.js from
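Review bot: `${VERSION}` in the `curl -fsO "https://nodejs.org/dist/${VERSION}/SHASUMS256.txt.asc"` line is never defined in this section (the removed text used the literal placeholder `vx.y.z`), so a reader who pastes the chain as-is requests `https://nodejs.org/dist//SHASUMS256.txt.asc`; add a line such as `VERSION=vx.y.z` before the block or say in the lead-in that `VERSION` must be set to the release tag. Two smaller points in the same hunk: the keyring fetched here is `raw/HEAD/gpg/pubring.kbx` (the full historical keyring), while the Release keys section of this same patch recommends `gpg-only-active-keys/pubring.kbx` for current releases, so either use one URL form consistently or say which keyring is intended for verifying a current release; and the parenthetical `--keyring="${GNUPGHOME:-~/.gnupg}/pubring.kbx"` relies on tilde expansion inside double quotes, which not every shell performs, and assumes a GnuPG 2.1+ keybox, whereas installations with a legacy keyring have `pubring.gpg` instead, so `${GNUPGHOME:-$HOME/.gnupg}/pubring.kbx` plus a note about `pubring.gpg` would be safer. It is worth stating explicitly that `gpgv` does not read `pubring.kbx` by default (it uses `trustedkeys.kbx`), which is why `--keyring` is required at all.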
@@ -808,8 +798,11 @@ Primary GPG keys for Node.js Releasers (some Releasers sign with subkeys):
808798* **Ulises Gascón** <<ulisesgascongonzalez@gmail.com>>
809799`A363A499291CBBC940DD62E41F10027AF002F8B0`
810800811-To import the full set of trusted release keys (including subkeys possibly used
812-to sign releases):
801+You can use the keyring the project maintains at
802+<https://github.com/nodejs/release-keys/raw/refs/heads/main/gpg-only-active-keys/pubring.kbx>.
803+Alternatively, you can import them from a public key server. Have in mind that
804+the project cannot guarantee the availability of the server nor the keys on
805+that server.
813806814807```bash
815808gpg --keyserver hkps://keys.openpgp.org --recv-keys 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 # Antoine du Hamel
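Review bot: "Have in mind that" in the new paragraph should read "Keep in mind that" (or "Note that"), and "nor the keys on that server" is better as "or of the keys on that server". The keyring URL here is written as `raw/refs/heads/main/gpg-only-active-keys/pubring.kbx`, while the verification section earlier in this patch uses the `raw/HEAD/...` form; pick one form so both links age the same way if the default branch is renamed. Since the `gpg --keyserver ... --recv-keys` commands that follow are now presented as the fallback, it would help to say explicitly that the keyring download does not require `gpg --import` when used with `gpgv --keyring`, but does if the reader wants the keys in their default keyring.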
@@ -869,6 +862,9 @@ verify a downloaded file.
869862* **Timothy J Fontaine** <<tjfontaine@gmail.com>>
870863`7937DFD2AB06298B2293C3187D33FF9D0246406D`
871864865+The project maintains a keyring able to verify all past releases of Node.js at
866+<https://github.com/nodejs/release-keys/raw/refs/heads/main/gpg/pubring.kbx>.
867+872868</details>
873869874870### Security release stewards