README gpg guidelines are insufficient

  • Version: n/a
  • Platform: n/a
  • Subsystem: n/a

The readme states:

You can then use gpg --verify SHASUMS256.txt.asc to verify that the file has been signed by an authorized member of the Node.js team.

However, this operation will only verify that the file was armored by some previously trusted gpg public key. Any user that trusts more than just the node publishing keys may be vulnerable to packages published by non-nodejs team members.

This process should use --no-default-keyring and a keyring/key file fit for purpose, along with --verify.