diff --git a/README.md b/README.md index 375de75dd97540..6f73864b038df5 100644 --- a/README.md +++ b/README.md 
@@ -95,37 +95,27 @@ _docs_ subdirectory. Version-specific documentation is also at ### Verifying binaries -Download directories contain a `SHASUMS256.txt` file with SHA checksums for the -files. +Download directories contain a `SHASUMS256.txt.asc` file with SHA checksums for the +files and the releaser PGP signature. -To download `SHASUMS256.txt` using `curl`: +You can get a trusted keyring from nodejs/release-keys, e.g. using `curl`: ```bash -curl -O https://nodejs.org/dist/vx.y.z/SHASUMS256.txt +curl -fsLo "/path/to/nodejs-keyring.kbx" "https://github.com/nodejs/release-keys/raw/HEAD/gpg/pubring.kbx" ``` -To check that downloaded files match the checksum, use `sha256sum`: +Alternatively, you can import the releaser keys in your default keyring, see +[Release keys](#release-keys) for commands to how to do that. -```bash -sha256sum -c SHASUMS256.txt --ignore-missing -``` - -For Current and LTS, the GPG detached signature of `SHASUMS256.txt` is in -`SHASUMS256.txt.sig`. You can use it with `gpg` to verify the integrity of -`SHASUMS256.txt`. You will first need to import -[the GPG keys of individuals authorized to create releases](#release-keys). - -See [Release keys](#release-keys) for commands to import active release keys. - -Next, download the `SHASUMS256.txt.sig` for the release: +Then, you can verify the files you've downloaded locally +(if you're using your default keyring, pass `--keyring="${GNUPGHOME:-~/.gnupg}/pubring.kbx"`): ```bash -curl -O https://nodejs.org/dist/vx.y.z/SHASUMS256.txt.sig +curl -fsO "https://nodejs.org/dist/${VERSION}/SHASUMS256.txt.asc" \ +&& gpgv --keyring="/path/to/nodejs-keyring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ +&& shasum --check SHASUMS256.txt --ignore-missing ``` -Then use `gpg --verify SHASUMS256.txt.sig SHASUMS256.txt` to verify -the file's signature. - ## Building Node.js See [BUILDING.md](BUILDING.md) for instructions on how to build Node.js from 
@@ -806,8 +796,11 @@ Primary GPG keys for Node.js Releasers (some Releasers sign with subkeys): * **Ulises Gascón** <> `A363A499291CBBC940DD62E41F10027AF002F8B0` -To import the full set of trusted release keys (including subkeys possibly used -to sign releases): +You can use the keyring the project maintains at +. +Alternatively, you can import them from a public key server. Have in mind that +the project cannot guarantee the availability of the server nor the keys on +that server. ```bash gpg --keyserver hkps://keys.openpgp.org --recv-keys 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 # Antoine du Hamel @@ -867,6 +860,9 @@ verify a downloaded file. * **Timothy J Fontaine** <> `7937DFD2AB06298B2293C3187D33FF9D0246406D` +The project maintains a keyring able to verify all past releases of Node.js at +. + ### Security release stewards
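Review bot: In the first hunk (`### Verifying binaries`), the default-keyring hint `--keyring="${GNUPGHOME:-~/.gnupg}/pubring.kbx"` will not work as written: the tilde sits inside double quotes, so the shell does not expand it and `gpgv` is handed a literal `~/.gnupg/pubring.kbx` path when `GNUPGHOME` is unset; use `"${GNUPGHOME:-$HOME/.gnupg}/pubring.kbx"` instead (and note that older GnuPG setups may have `pubring.gpg` rather than `pubring.kbx`). The `curl -fsO "https://nodejs.org/dist/${VERSION}/SHASUMS256.txt.asc"` line also introduces `${VERSION}` without defining it; the removed text used the `vx.y.z` placeholder, so either keep that or add a sentence that `VERSION` is the release tag including the `v` prefix. The replacement also swaps `sha256sum -c` for `shasum --check`; `shasum` is not part of coreutils and may be missing on minimal Linux images, so it is worth mentioning `sha256sum -c SHASUMS256.txt --ignore-missing` as the equivalent. Minor: "for commands to how to do that" should read "for commands on how to do that".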
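Review bot: In the `@@ -806,8 +796,11 @@` hunk, the sentence "You can use the keyring the project maintains at ." has no visible link target after "at", so as shown the reader is sent nowhere; it should point at the same nodejs/release-keys location that the `curl -fsLo ... pubring.kbx` command in the first hunk downloads from. The new warning that "the project cannot guarantee the availability of the server nor the keys on that server" is a good addition, but since the `gpg --keyserver hkps://keys.openpgp.org --recv-keys ...` commands are kept, the paragraph should also tell readers to compare the imported fingerprints against the ones listed directly above before trusting them, since a keyserver fetch alone does not establish that. Wording nit: "Have in mind that" reads better as "Keep in mind that".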
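Review bot: In the `@@ -867,6 +860,9 @@` hunk, "The project maintains a keyring able to verify all past releases of Node.js at ." again has no visible link target after "at", and it restates what the previous hunk already says ("You can use the keyring the project maintains at ."); consider keeping a single statement with the URL in one place (or cross-referencing it) rather than two paragraphs that each end in a dangling "at .". If both are kept, "a keyring able to verify" would read more naturally as "a keyring that can be used to verify".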