From 49d0a1e285a4e6b0b05f97cb8502d60a6fbc512b Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Fri, 18 Jul 2025 18:46:53 +0200 Subject: [PATCH 1/3] doc: update the instruction on how to verify releases --- README.md | 45 ++++++++++++++++++++++----------------------- 1 file changed, 22 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index 375de75dd97540..605204c7d85b36 100644 --- a/README.md +++ b/README.md 
@@ -95,36 +95,29 @@ _docs_ subdirectory. Version-specific documentation is also at ### Verifying binaries -Download directories contain a `SHASUMS256.txt` file with SHA checksums for the -files. +Download directories contain a `SHASUMS256.txt.asc` file with SHA checksums for the +files and the releaser PGP signature. -To download `SHASUMS256.txt` using `curl`: +You can get a trusted keyring from nodejs/release-keys, e.g. using `curl`: ```bash -curl -O https://nodejs.org/dist/vx.y.z/SHASUMS256.txt +curl -fsLo "/path/to/nodejs-keyring.kbx" "https://github.com/nodejs/release-keys/raw/HEAD/gpg/pubring.kbx" ``` -To check that downloaded files match the checksum, use `sha256sum`: +Alternatively, you can import the releaser keys in your default keyring, see +[Release keys](#release-keys) for commands to how to do that. -```bash -sha256sum -c SHASUMS256.txt --ignore-missing -``` - -For Current and LTS, the GPG detached signature of `SHASUMS256.txt` is in -`SHASUMS256.txt.sig`. You can use it with `gpg` to verify the integrity of -`SHASUMS256.txt`. You will first need to import -[the GPG keys of individuals authorized to create releases](#release-keys). - -See [Release keys](#release-keys) for commands to import active release keys. - -Next, download the `SHASUMS256.txt.sig` for the release: +Then, you can verify the files you've downloaded locally +(if you're using your default keyring, do not pass `--keyring`): ```bash -curl -O https://nodejs.org/dist/vx.y.z/SHASUMS256.txt.sig -``` +set -e +set -o pipefail -Then use `gpg --verify SHASUMS256.txt.sig SHASUMS256.txt` to verify -the file's signature. +curl -fs "https://nodejs.org/dist/${VERSION}/SHASUMS256.txt.asc" \ +| gpgv --keyring="/path/to/nodejs-keyring.kbx" --output - \ +| shasum --check --ignore-missing +``` ## Building Node.js 
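Review bot: the parenthetical "(if you're using your default keyring, do not pass `--keyring`)" in this hunk does not do what it says: `gpgv` run without `--keyring` reads `trustedkeys.kbx` (or `trustedkeys.gpg`) from the GnuPG home, not the default `pubring.kbx`, so keys imported with the `gpg --recv-keys` commands in the Release keys section would never be consulted and the verification would fail. Two smaller points on the same snippet: `${VERSION}` is used in the `curl` URL but defined nowhere (the removed text used the `vx.y.z` placeholder; either keep that or add a sentence telling the reader to set `VERSION` first), and `shasum --check` is given no `--algorithm 256`, so the check relies on the tool inferring the digest type from the hash length, whereas the deleted `sha256sum -c` was explicit. The deleted paragraph also qualified the signed checksum file with "For Current and LTS"; unless `SHASUMS256.txt.asc` is now present in every download directory (nightlies, test builds), that qualifier should be kept. Finally, "for commands to how to do that" reads better as "for the commands to do that".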
@@ -806,8 +799,11 @@ Primary GPG keys for Node.js Releasers (some Releasers sign with subkeys): * **Ulises Gascón** <> `A363A499291CBBC940DD62E41F10027AF002F8B0` -To import the full set of trusted release keys (including subkeys possibly used -to sign releases): +You can use the keyring the project maintains at +. +Alternatively, you can import them from a public key server, have in mind that +the project cannot guarantee the disponibility of the server nor the keys on +that server. ```bash gpg --keyserver hkps://keys.openpgp.org --recv-keys 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 # Antoine du Hamel @@ -867,6 +863,9 @@ verify a downloaded file. * **Timothy J Fontaine** <> `7937DFD2AB06298B2293C3187D33FF9D0246406D` +The project maintains a keyring able to verify all past releases of Node.js at +. + ### Security release stewards From 5609491b0f22717286af3e032e56c227e233bf3b Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Sat, 19 Jul 2025 15:18:46 +0200 Subject: [PATCH 2/3] Update README.md Co-authored-by: Mike McCready <66998419+MikeMcC399@users.noreply.github.com> --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 605204c7d85b36..bcbd9049feb9f7 100644 --- a/README.md +++ b/README.md @@ -801,8 +801,8 @@ Primary GPG keys for Node.js Releasers (some Releasers sign with subkeys): You can use the keyring the project maintains at . -Alternatively, you can import them from a public key server, have in mind that -the project cannot guarantee the disponibility of the server nor the keys on +Alternatively, you can import them from a public key server. Have in mind that +the project cannot guarantee the availability of the server nor the keys on that server. ```bash From 292089fcaf61a4c114c5a62d7bb198a054112c04 Mon Sep 17 00:00:00 2001 
From: Antoine du Hamel Date: Sat, 19 Jul 2025 15:49:56 +0200 Subject: [PATCH 3/3] Apply suggestions from code review --- README.md | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index bcbd9049feb9f7..6f73864b038df5 100644 --- a/README.md +++ b/README.md @@ -108,15 +108,12 @@ Alternatively, you can import the releaser keys in your default keyring, see [Release keys](#release-keys) for commands to how to do that. Then, you can verify the files you've downloaded locally -(if you're using your default keyring, do not pass `--keyring`): +(if you're using your default keyring, pass `--keyring="${GNUPGHOME:-~/.gnupg}/pubring.kbx"`): ```bash -set -e -set -o pipefail - -curl -fs "https://nodejs.org/dist/${VERSION}/SHASUMS256.txt.asc" \ -| gpgv --keyring="/path/to/nodejs-keyring.kbx" --output - \ -| shasum --check --ignore-missing +curl -fsO "https://nodejs.org/dist/${VERSION}/SHASUMS256.txt.asc" \ +&& gpgv --keyring="/path/to/nodejs-keyring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ +&& shasum --check SHASUMS256.txt --ignore-missing ``` ## Building Node.js
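Review bot: in the `@@ -806,8 +799,11 @@` hunk of patch 1, the added sentence "You can use the keyring the project maintains at ." ends without a URL after "at": as the diff reads, the link target is missing, so readers are told to use a keyring without being told where it lives (if this was an angle-bracket autolink, check that the rendered README actually shows it). The same paragraph should also say what the keyring file contains (primary keys plus the signing subkeys the deleted text mentioned), since "import the full set of trusted release keys (including subkeys possibly used to sign releases)" was removed and that detail explains why a keyring download is preferable to fetching individual fingerprints.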
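Review bot: in the `@@ -867,6 +863,9 @@` hunk of patch 1, "The project maintains a keyring able to verify all past releases of Node.js at ." has the same empty link target after "at"; add the URL. Since this keyring covers keys of former releasers, it is worth one clause saying that it is the one to use for old versions while the keyring referenced in the Release keys section is for current releases, otherwise a reader has two keyrings with no guidance on which to pick.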
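Review bot: patch 2's hunk fixes "disponibility" to "availability" but leaves "Have in mind that", which is not idiomatic; "Bear in mind that" or "Keep in mind that" is the usual phrasing. While touching the sentence, "cannot guarantee the availability of the server nor the keys on that server" is clearer as "cannot guarantee the availability of the server or of the keys on it".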
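Review bot: pointing `gpgv --keyring` at the user's `pubring.kbx` in this hunk changes the trust model and the README should say so: `gpgv` treats every key in the keyrings it is given as fully trusted, so with `--keyring="${GNUPGHOME:-~/.gnupg}/pubring.kbx"` any key the user has ever imported, not only the Node.js release keys, will validate `SHASUMS256.txt.asc`. Prefer steering readers to the dedicated `nodejs-keyring.kbx` (or to `gpg --verify`, which at least reports the signing key's trust status) and keep the default-keyring variant as a clearly labelled second choice. Two details on the same line: inside double quotes the shell does not tilde-expand `${GNUPGHOME:-~/.gnupg}`, so the command works only because `gpgv` replaces a leading `~/` itself; and GnuPG homes created before 2.1 still use `pubring.gpg`, so the `.kbx` path does not exist for every "default keyring". The `&&` chain is a good replacement for the removed `set -e`/`set -o pipefail`, but `${VERSION}` is still undefined in the snippet.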