archive/node
1
0
Fork 0
mirror of https://github.com/nodejs/node.git synced 2025-08-15 05:38:47 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

doc: update the instruction on how to verify releases

Browse source 
PR-URL: https://github.com/nodejs/node/pull/59113
Fixes: https://github.com/nodejs/node/issues/58904
Reviewed-By: Richard Lau <richard.lau@ibm.com>
Reviewed-By: Ruy Adorno <ruy@vlt.sh>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
This commit is contained in:
Antoine du Hamel 2025-07-27 23:48:24 +02:00 committed by GitHub
parent cd1a90d1ee
commit 405ad4e8fb
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 20 additions and 24 deletions
Download patch file Download diff file Expand all files Collapse all files

44
README.md
View file

@ -95,37 +95,27 @@ _docs_ subdirectory. Version-specific documentation is also at
### Verifying binaries
Download directories contain a `SHASUMS256.txt` file with SHA checksums for the
files.
Download directories contain a `SHASUMS256.txt.asc` file with SHA checksums for the
files and the releaser PGP signature.
To download `SHASUMS256.txt` using `curl`:
You can get a trusted keyring from nodejs/release-keys, e.g. using `curl`:
```bash
curl -O https://nodejs.org/dist/vx.y.z/SHASUMS256.txt
curl -fsLo "/path/to/nodejs-keyring.kbx" "https://github.com/nodejs/release-keys/raw/HEAD/gpg/pubring.kbx"
```
To check that downloaded files match the checksum, use `sha256sum`:
Alternatively, you can import the releaser keys in your default keyring, see
[Release keys](#release-keys) for commands to how to do that.
Then, you can verify the files you've downloaded locally
(if you're using your default keyring, pass `--keyring="${GNUPGHOME:-~/.gnupg}/pubring.kbx"`):
```bash
sha256sum -c SHASUMS256.txt --ignore-missing
curl -fsO "https://nodejs.org/dist/${VERSION}/SHASUMS256.txt.asc" \
&& gpgv --keyring="/path/to/nodejs-keyring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \
&& shasum --check SHASUMS256.txt --ignore-missing
```
For Current and LTS, the GPG detached signature of `SHASUMS256.txt` is in
`SHASUMS256.txt.sig`. You can use it with `gpg` to verify the integrity of
`SHASUMS256.txt`. You will first need to import
[the GPG keys of individuals authorized to create releases](#release-keys).
See [Release keys](#release-keys) for commands to import active release keys.
Next, download the `SHASUMS256.txt.sig` for the release:
```bash
curl -O https://nodejs.org/dist/vx.y.z/SHASUMS256.txt.sig
```
Then use `gpg --verify SHASUMS256.txt.sig SHASUMS256.txt` to verify
the file's signature.
## Building Node.js
See [BUILDING.md](BUILDING.md) for instructions on how to build Node.js from
@ -808,8 +798,11 @@ Primary GPG keys for Node.js Releasers (some Releasers sign with subkeys):
* **Ulises Gascón** <<ulisesgascongonzalez@gmail.com>>
`A363A499291CBBC940DD62E41F10027AF002F8B0`
To import the full set of trusted release keys (including subkeys possibly used
to sign releases):
You can use the keyring the project maintains at
<https://github.com/nodejs/release-keys/raw/refs/heads/main/gpg-only-active-keys/pubring.kbx>.
Alternatively, you can import them from a public key server. Have in mind that
the project cannot guarantee the availability of the server nor the keys on
that server.
```bash
gpg --keyserver hkps://keys.openpgp.org --recv-keys 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 # Antoine du Hamel
@ -869,6 +862,9 @@ verify a downloaded file.
* **Timothy J Fontaine** <<tjfontaine@gmail.com>>
`7937DFD2AB06298B2293C3187D33FF9D0246406D`
The project maintains a keyring able to verify all past releases of Node.js at
<https://github.com/nodejs/release-keys/raw/refs/heads/main/gpg/pubring.kbx>.
</details>
### Security release stewards