
doc: update README with SHASUMS256.txt.sig info

It is more secure to verify SHASUMS256.txt files via SHASUMS256.txt.sig
than SHASUMS256.txt.asc.

This comment does the best job at explaining the issue:
  https://github.com/nodejs/node/issues/6821#issuecomment-220033176

Refer: https://github.com/nodejs/node/issues/6821
Refer: https://github.com/nodejs/node/issues/9071
PR-URL: https://github.com/nodejs/node/pull/15107
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: James Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
v6.x-staging
Jon Moss 7 years ago
committed by Myles Borins
commit
d2ef71ae47

@ -134,12 +134,12 @@ $ grep node-vx.y.z.tar.gz SHASUMS256.txt | sha256sum -c -
_(Where "node-vx.y.z.tar.gz" is the name of the file you have _(Where "node-vx.y.z.tar.gz" is the name of the file you have
downloaded)_ downloaded)_
Additionally, Current and LTS releases (not Nightlies) have GPG signed Additionally, Current and LTS releases (not Nightlies) have the GPG
copies of SHASUMS256.txt files available as SHASUMS256.txt.asc. You can use detached signature of SHASUMS256.txt available as SHASUMS256.txt.sig.
`gpg` to verify that the file has not been tampered with. You can use `gpg` to verify that SHASUMS256.txt has not been tampered with.
To verify a SHASUMS256.txt.asc, you will first need to import all of To verify SHASUMS256.txt has not been altered, you will first need to import
the GPG keys of individuals authorized to create releases. They are all of the GPG keys of individuals authorized to create releases. They are
listed at the bottom of this README under [Release Team](#release-team). listed at the bottom of this README under [Release Team](#release-team).
Use a command such as this to import the keys: Use a command such as this to import the keys:
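Review bot: the rewritten "Additionally, ..." paragraph drops SHASUMS256.txt.asc without telling the reader why the detached SHASUMS256.txt.sig is the better choice. The reason is visible in this README itself: the later step runs `gpg --verify SHASUMS256.txt.sig SHASUMS256.txt`, so the signature check covers the exact SHASUMS256.txt that `grep node-vx.y.z.tar.gz SHASUMS256.txt | sha256sum -c -` reads, whereas the old flow verified the .asc file and then expected the reader to pull the checksum out of that .asc copy rather than the plain SHASUMS256.txt. One sentence making that link (the point the commit message defers to nodejs/node#6821 for) would stop readers who still have a .asc file from treating the two as interchangeable.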
@ -150,10 +150,17 @@ $ gpg --keyserver pool.sks-keyservers.net --recv-keys DD8F2338BAE7501E3DD5AC78C2
_(See the bottom of this README for a full script to import active _(See the bottom of this README for a full script to import active
release keys)_ release keys)_
You can then use `gpg --verify SHASUMS256.txt.asc` to verify that the Next, download the SHASUMS256.txt.sig for the release:
file has been signed by an authorized member of the Node.js team.
Once verified, use the SHASUMS256.txt.asc file to get the checksum for ```console
$ curl -O https://nodejs.org/dist/vx.y.z/SHASUMS256.txt.sig
```
After downloading the appropriate SHASUMS256.txt and SHASUMS256.txt.sig files,
you can then use `gpg --verify SHASUMS256.txt.sig SHASUMS256.txt` to verify
that the file has been signed by an authorized member of the Node.js team.
Once verified, use the SHASUMS256.txt file to get the checksum for
the binary verification command above. the binary verification command above.
## Building Node.js ## Building Node.js
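Review bot: `gpg --verify SHASUMS256.txt.sig SHASUMS256.txt` reports a good signature for any key present in the local keyring, so the sentence "verify that the file has been signed by an authorized member of the Node.js team" only holds if the reader compares the key ID that gpg prints against the [Release Team](#release-team) list; suggest saying that explicitly rather than leaving it implied by the import step. Separately, "After downloading the appropriate SHASUMS256.txt and SHASUMS256.txt.sig files" names both files but the console block only fetches SHASUMS256.txt.sig; either add the matching `curl -O https://nodejs.org/dist/vx.y.z/SHASUMS256.txt` line or point back to where SHASUMS256.txt was obtained for the `sha256sum -c -` step above.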
