Closed sp3nx0r closed 1 year ago
Still an issue with v18.15.0, any update on when those keys will get added to support signature verification?
Hey, @sp3nx0r. Looking into this.
v18.15.0 signing key 4ED778F539E3634C779C87C6D7062848A1AB005C (mine) seems to be present in the keyring:
$ wget https://nodejs.org/dist/v18.15.0/SHASUMS256.txt.sig
$ wget https://nodejs.org/dist/v18.15.0/SHASUMS256.txt
$ GNUPGHOME=~/release-keys/gpg gpg --verify SHASUMS256.txt.sig SHASUMS256.txt
gpg: Signature made Tue 7 Mar 20:01:57 2023 GMT
gpg: using RSA key 4ED778F539E3634C779C87C6D7062848A1AB005C
gpg: Good signature from "Beth Griggs <bgriggs@redhat.com>" [unknown]
gpg: aka "Beth Griggs <Bethany.Griggs@uk.ibm.com>" [unknown]
...
But, v19.5.0 signing key 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 appears not:
$ wget https://nodejs.org/dist/v19.4.0/SHASUMS256.txt
$ wget https://nodejs.org/dist/v19.4.0/SHASUMS256.txt.sig
$ GNUPGHOME=~/release-keys/gpg gpg --verify SHASUMS256.txt.sig SHASUMS256.txt
gpg: Signature made Fri 6 Jan 13:15:00 2023 GMT
gpg: using RSA key 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4
gpg: Can't check signature: No public key
@RafaelGSS it looks like we missed adding your key 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 to the keyring after #16 and #19.
@juanarbol's old key 61FC681DFB92A079F1685E77973F295594EC4689 is similarly not in the keyring.
I'd appreciate it if anyone can confirm that the signature validation is working after https://github.com/nodejs/release-keys/pull/24 landed.
Can confirm this is now working as intended for 18, 19, 20 versions. Thanks for addressing
Noticed that NodeJS v18 and v19 fail when validating signatures using the public key keyring in this repo:
v18 is using RSA key 61FC681DFB92A079F1685E77973F295594EC4689
Could we get those keys added into this repo for signature verification? Thanks
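Added example, not part of the thread or of the nodejs/release-keys repository: a POSIX shell sketch that tells the "No public key" case seen above apart from a good or bad signature by reading gpg's machine-readable `--status-fd` lines instead of its human-readable output. The function names are hypothetical, and the two sample status blocks are constructed from the fingerprints and dates quoted in the thread.

```shell
#!/bin/sh
# Classify `gpg --status-fd 1 --verify` output read from stdin.
# Prints: "good <fingerprint>", "missing-key <long key id>", "bad" or "unknown".
classify_gpg_status() (
  fpr=""; missing=""; bad=0
  while read -r prefix tag arg rest || [ -n "$prefix" ]; do
    [ "$prefix" = "[GNUPG:]" ] || continue   # skip human-readable lines
    case "$tag" in
      VALIDSIG)  fpr=$arg ;;       # first field: fingerprint of the signing key
      NO_PUBKEY) missing=$arg ;;   # long key ID that is absent from the keyring
      BADSIG)    bad=1 ;;          # key is present but the data does not match
    esac
  done
  if [ "$bad" -eq 1 ]; then echo "bad"
  elif [ -n "$missing" ]; then echo "missing-key $missing"
  elif [ -n "$fpr" ]; then echo "good $fpr"
  else echo "unknown"; fi
)

# A v4 key's long key ID is the last 16 hex digits of its fingerprint, so a
# NO_PUBKEY value can be matched against the fingerprints a release team lists.
long_key_id() { printf '%s' "$1" | tail -c 16; }

# Real use (hypothetical wrapper): verify_shasums <keyring-home> <sig> <file>
verify_shasums() {
  GNUPGHOME=$1 gpg --status-fd 1 --verify "$2" "$3" 2>/dev/null | classify_gpg_status
}

# Constructed sample: key present in the keyring (v18.15.0 case above).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D7062848A1AB005C Beth Griggs <bgriggs@redhat.com>
[GNUPG:] VALIDSIG 4ED778F539E3634C779C87C6D7062848A1AB005C 2023-03-07 1678219317 0 4 0 1 10 00 4ED778F539E3634C779C87C6D7062848A1AB005C'

# Constructed sample: key missing from the keyring (v19.4.0 case above).
SAMPLE_MISSING='gpg: Signature made Fri 6 Jan 13:15:00 2023 GMT
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 8BEAB4DFCF555EF4 1 8 00 1673010900 9 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4
[GNUPG:] NO_PUBKEY 8BEAB4DFCF555EF4'

printf '%s\n' "$SAMPLE_GOOD"    | classify_gpg_status
printf '%s\n' "$SAMPLE_MISSING" | classify_gpg_status
```

In CI, treating `missing-key` as a distinct result from `bad` separates a stale keyring from a tampered download, and the reported key ID can be compared with `long_key_id` of each expected release-key fingerprint.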