doc: update the instruction on how to verify releases #59113

Open: wants to merge 3 commits into base: main

Conversation

@aduh95 (Contributor) commented Jul 18, 2025

Fixes: #58904

Currently, the only documented way relies on a third-party server, albeit a well-trusted one, but one that the project doesn't control, and one that's not very convenient to use for consumers. Instead, let's document nodejs/release-keys as the trusted source of truth when it comes to verifying Node.js releases.
I'm keeping the instructions on how to download the keys from keys.openpgp.org as some tools out there might be scraping our README looking for that, and it's still a valid way to get the release keys, simply not the preferred one.

@aduh95 (Contributor, Author) commented Jul 18, 2025

/cc @nodejs/tsc @nodejs/releasers

Comment on lines +107 to +108
Alternatively, you can import the releaser keys in your default keyring, see
[Release keys](#release-keys) for commands to how to do that.
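Review bot: the wording "for commands to how to do that" on line +108 is ungrammatical; suggest "for the commands to do that" or "for commands showing how to do that" so the sentence reads cleanly in the README.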
@MikeMcC399 Jul 19, 2025

The release keys section only contains commands to import individual keys from the gpg-only-active-keys set, so it is not a substitute for importing from /gpg/pubring.kbx. There are no commands listed for keys in the section "Other keys used to sign some previous releases".

Maybe say here something like "you can import only the primary PGP releaser keys ..."

Co-authored-by: Mike McCready <[email protected]>
Labels: doc (issues and PRs related to the documentation)

Successfully merging this pull request may close these issues.

Can no longer validate signatures on NodeJS binaries due to needing approval on keyserver