Primary GPG keys for Node.js Releasers (some Releasers sign with subkeys):
C0D6248439F1D5604AAFFB4021D900FFDB233756
4ED778F539E3634C779C87C6D7062848A1AB005C
141F07595B7B3FFE74309A937405533BE57C7D57
94AE36675C464D64BAFA68DD7434390BDBE9B9C5
74F12602B6F1C4E913FAA37AD3A89613643B6201
71DCFD284A79C3B38668286BC97EC7A07EDE3FC1
8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600
C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8
890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4
C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C
DD8F2338BAE7501E3DD5AC78C273792F7D83545D
A48C2BEE680E841632CD4E44F07496B3EB3C1762
108F52B48DB57BB0CC439B2997B01419BD92F80A
B9E2F5981AA6E0CD28160D9FF13993A75599653C
CC68F5A3106FF448322E48ED27F5E38D5B0A215F
Other keys used to sign some previous releases:
1C050899334244A8AF75E53792EF661D867B9DFA
9554F04D7259F04124DE6B476D5A82AC7E37093B
B9AE9905FFD7803F25714661B63B535A4C206CA9
77984A986EBC2AA786BC0F66B01FBB92821C587A
93C7E9E91B49E432C2F75674B0A78B0A6C481CF6
56730D5401028683275BD23C23EFEFE93C4CFFFE
FD3A5288F042B6850C66B31F09FE44734EB7990E
114F43EE0176B71C7BC219DD50A3051F888C628D
7937DFD2AB06298B2293C3187D33FF9D0246406D
61FC681DFB92A079F1685E77973F295594EC4689
This repo contains the raw release signing keys in two forms:
The keys/ directory contains the raw ASCII-armored release signing keys listed above.
The gpg/ directory contains a GPG keyring preloaded with these release signing keys.
For additional verification of both the keys' content and of the list of authorized signing keys, you may cross-reference the list with nodejs.org and attempt to fetch keys from alternative sources (instead of or in addition to this repo).
First, clone this repo:
git clone https://github.com/nodejs/release-keys.git
Then, prefix your gpg
commands with the path to the cloned repo's gpg/ directory.
For example, if you cloned the repo to /path/to/nodejs-keys, then the gpg
command
to verify a release package will look something like this:
GNUPGHOME=/path/to/release-keys/gpg gpg --verify SHASUMS256.txt.sig SHASUMS256.txt
First, clone this repo:
git clone https://github.com/nodejs/release-keys.git
Then, import the release signing keys from this repo into your GPG keychain by invoking the cli.sh script in this repo. For example, immediately after cloning the repo above, the following command will import all release signing keys:
release-keys/cli.sh import