Open misterdjules opened 9 years ago
+1. Is this a website thing, though? I know nothing about verifying digital signatures, but I always thought this was on the client (desktop) side. Is this not the case?
@bnb The first step (better documenting the process of verifying signatures) would need to be linked from the website, or directly available from it. In this sense it seems to be a website thing.
The second (more long-term) step, thinking about a process that Node.js users can use to verify downloads easily, seems to definitely span more than one repository. Thank you for bringing that up :+1:
I'll fix the original description of this issue to include only the documentation part. Do you think that would belong in the website repository?
Yes, I think the display of that information is a Website WG thing - but it might be a @nodejs/documentation thing. It depends on if you want to provide this information when the user downloads the package, or if you want to provide it in the documentation. I don't know which would be better.
@bnb Providing it when the user downloads files/binaries/packages is necessary in my opinion, because that might be the best opportunity we have to deliver this message. Of course, adding it to the documentation wouldn't hurt either.
Will add this to the install docs. https://github.com/nodejs/docs/issues/7
@danielkhan Thank you. It would be nice to keep in sync when content is shared between working groups like this, so we will base our wording off of yours for the sake of consistency.
Although users can verify digital signatures and downloads now use HTTPS by default, I think it would be great to give a better user experience around verifying downloads.
Having downloads use HTTPS is fine to make sure that users are downloading files from the correct source, but it doesn't ensure that they're installing software that hasn't been tampered with.
For that, they need to verify digital signatures. I imagine that a lot of users who care about that already know how to verify these signatures, but it's still a very manual process and the UX could be much better.
Also, when users run into downloading software that seems to be different than the one that was released, we could use this better UX to troubleshoot these issues.
Having some clear documentation easily available on the website would be a start toward improving the user experience around verifying downloads.
/cc @nodejs/website