Commit 988eec3

maclover7 authored and MylesBorins committed
doc: update README with SHASUMS256.txt.sig info
It is more secure to verify SHASUMS256.txt files via SHASUMS256.txt.sig than SHASUMS256.txt.asc. This comment does the best job at explaining the issue: #6821 (comment)

Refer: #6821
Refer: #9071
PR-URL: #15107
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: James Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
1 parent 0b2d548 commit 988eec3

1 file changed: README.md (15 additions, 8 deletions)
@@ -134,12 +134,12 @@ $ grep node-vx.y.z.tar.gz SHASUMS256.txt | sha256sum -c -
134134
_(Where "node-vx.y.z.tar.gz" is the name of the file you have
135135
downloaded)_
136136

137-
Additionally, Current and LTS releases (not Nightlies) have GPG signed
138-
copies of SHASUMS256.txt files available as SHASUMS256.txt.asc. You can use
139-
`gpg` to verify that the file has not been tampered with.
137+
Additionally, Current and LTS releases (not Nightlies) have the GPG
138+
detached signature of SHASUMS256.txt available as SHASUMS256.txt.sig.
139+
You can use `gpg` to verify that SHASUMS256.txt has not been tampered with.
140140

141-
To verify a SHASUMS256.txt.asc, you will first need to import all of
142-
the GPG keys of individuals authorized to create releases. They are
141+
To verify SHASUMS256.txt has not been altered, you will first need to import
142+
all of the GPG keys of individuals authorized to create releases. They are
143143
listed at the bottom of this README under [Release Team](#release-team).
144144
Use a command such as this to import the keys:
145145

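Review bot: the rewritten paragraph (137+ to 139+) removes every mention of SHASUMS256.txt.asc without telling the reader why the detached .sig is now the file to use; that rationale exists only in the commit message and #6821, which README readers will not see. Suggest one sentence after `You can use `gpg` to verify that SHASUMS256.txt has not been tampered with.`, for example: "A detached signature is checked against the SHASUMS256.txt you actually downloaded, whereas verifying the clearsigned .asc only checks the copy of the checksum list embedded in that file." That makes the security argument for the change visible to readers who know the .asc file from the previous wording.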
@@ -150,10 +150,17 @@ $ gpg --keyserver pool.sks-keyservers.net --recv-keys DD8F2338BAE7501E3DD5AC78C2
150150
_(See the bottom of this README for a full script to import active
151151
release keys)_
152152

153-
You can then use `gpg --verify SHASUMS256.txt.asc` to verify that the
154-
file has been signed by an authorized member of the Node.js team.
153+
Next, download the SHASUMS256.txt.sig for the release:
155154

156-
Once verified, use the SHASUMS256.txt.asc file to get the checksum for
155+
```console
156+
$ curl -O https://nodejs.org/dist/vx.y.z/SHASUMS256.txt.sig
157+
```
158+
159+
After downloading the appropriate SHASUMS256.txt and SHASUMS256.txt.sig files,
160+
you can then use `gpg --verify SHASUMS256.txt.sig SHASUMS256.txt` to verify
161+
that the file has been signed by an authorized member of the Node.js team.
162+
163+
Once verified, use the SHASUMS256.txt file to get the checksum for
157164
the binary verification command above.
158165

159166
## Building Node.js
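Review bot: the new verification step (160+ to 162+) says a successful `gpg --verify SHASUMS256.txt.sig SHASUMS256.txt` shows the file "has been signed by an authorized member of the Node.js team", but gpg prints "Good signature" for any key present in the local keyring, so the check is only as strong as the keyring built from the `--recv-keys` step above it. Suggest telling the reader to compare the key fingerprint gpg prints against the fingerprints listed under [Release Team](#release-team), and to treat a "BAD signature" or a non-zero gpg exit status as a reason to discard the download. Style nit: 158+/159+ and 162+/163+ each leave two consecutive blank lines in the Markdown; one is enough.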
