This PR introduce a new command ncu-team check-gpg. This command will check the current releasers team members and the available information in the README.md and make some checks on the status of the individuals keys and if the keys/releasers are properly listed on the README.md
Currently checks included
If the Releaser is not included in the README.md
If the Releaser key listed in the README is not included in their profile
The Release key status:
Was revoked?
Has expiration date?
Is the email different from the README.md?
Can sign commits?
Potential additional checks
Is the key expired?
Is the key is available in hkps://keys.openpgp.org as expected?
Notes
This is currently under a draft version. They main objetive is to collect early feedback before creating the final PR (proper linting, tests, etc...)
This is my first time doing changes on NCU so I might be using wrongly the API or breaking any expected convention, please let me know 👍
What is this feature about?
While working on https://github.com/nodejs/Release/pull/966, @RafaelGSS suggested to extend the NCU to review the signatures.
This PR introduce a new command
ncu-team check-gpg. This command will check the current releasers team members and the available information in the README.md and make some checks on the status of the individuals keys and if the keys/releasers are properly listed on theREADME.mdCurrently checks included
README.mdPotential additional checks
hkps://keys.openpgp.orgas expected?Current output