@@ -95,37 +95,27 @@ _docs_ subdirectory. Version-specific documentation is also at
9595
9696### Verifying binaries
9797
98- Download directories contain a ` SHASUMS256.txt ` file with SHA checksums for the
99- files.
98+ Download directories contain a ` SHASUMS256.txt.asc ` file with SHA checksums for the
99+ files and the releaser PGP signature .
100100
101- To download ` SHASUMS256.txt ` using ` curl ` :
101+ You can get a trusted keyring from nodejs/release-keys, e.g. using ` curl ` :
102102
103103``` bash
104- curl -O https:// nodejs.org/dist/vx.y.z/SHASUMS256.txt
104+ curl -fsLo " /path/to/ nodejs-keyring.kbx " " https://github.com/nodejs/release-keys/raw/HEAD/gpg/pubring.kbx "
105105```
106106
107- To check that downloaded files match the checksum, use ` sha256sum ` :
107+ Alternatively, you can import the releaser keys in your default keyring, see
108+ [ Release keys] ( #release-keys ) for commands to how to do that.
108109
109- ``` bash
110- sha256sum -c SHASUMS256.txt --ignore-missing
111- ```
112-
113- For Current and LTS, the GPG detached signature of ` SHASUMS256.txt ` is in
114- ` SHASUMS256.txt.sig ` . You can use it with ` gpg ` to verify the integrity of
115- ` SHASUMS256.txt ` . You will first need to import
116- [ the GPG keys of individuals authorized to create releases] ( #release-keys ) .
117-
118- See [ Release keys] ( #release-keys ) for commands to import active release keys.
119-
120- Next, download the ` SHASUMS256.txt.sig ` for the release:
110+ Then, you can verify the files you've downloaded locally
111+ (if you're using your default keyring, pass ` --keyring="${GNUPGHOME:-~/.gnupg}/pubring.kbx" ` ):
121112
122113``` bash
123- curl -O https://nodejs.org/dist/vx.y.z/SHASUMS256.txt.sig
114+ curl -fsO " https://nodejs.org/dist/${VERSION} /SHASUMS256.txt.asc"
115+ && gpgv --keyring=" /path/to/nodejs-keyring.kbx" < SHASUMS256.txt.asc \
116+ && shasum --check SHASUMS256.txt --ignore-missing
124117```
125118
126- Then use ` gpg --verify SHASUMS256.txt.sig SHASUMS256.txt ` to verify
127- the file's signature.
128-
129119## Building Node.js
130120
131121See [ BUILDING.md] ( BUILDING.md ) for instructions on how to build Node.js from
@@ -802,8 +792,11 @@ Primary GPG keys for Node.js Releasers (some Releasers sign with subkeys):
802792* ** Ulises Gascón** << ulisesgascongonzalez@gmail.com > >
803793 ` A363A499291CBBC940DD62E41F10027AF002F8B0 `
804794
805- To import the full set of trusted release keys (including subkeys possibly used
806- to sign releases):
795+ You can use the keyring the project maintains at
796+ < https://github.com/nodejs/release-keys/raw/refs/heads/main/gpg-only-active-keys/pubring.kbx > .
797+ Alternatively, you can import them from a public key server. Have in mind that
798+ the project cannot guarantee the availability of the server nor the keys on
799+ that server.
807800
808801``` bash
809802gpg --keyserver hkps://keys.openpgp.org --recv-keys 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 # Antoine du Hamel
@@ -863,6 +856,9 @@ verify a downloaded file.
863856* ** Timothy J Fontaine** << tjfontaine@gmail.com > >
864857 ` 7937DFD2AB06298B2293C3187D33FF9D0246406D `
865858
859+ The project maintains a keyring able to verify all past releases of Node.js at
860+ < https://github.com/nodejs/release-keys/raw/refs/heads/main/gpg/pubring.kbx > .
861+
866862</details >
867863
868864### Security release stewards
0 commit comments