Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

doc: improve instructions for verifying binaries #23248

Closed
wants to merge 1 commit into from
Closed

doc: improve instructions for verifying binaries #23248

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 10 additions & 18 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -114,11 +114,10 @@ documentation of the latest stable version.

### Verifying Binaries

Current, LTS, and Nightly download directories all contain a SHASUMS256.txt
file that lists the SHA checksums for each file available for
download.
Download directories contain a SHASUMS256.txt file with SHA checksums for the
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SHASUMS256.txt -> `SHASUMS256.txt` (with backticks)?

(Here and in all other mentions of SHASUMS256.txt and SHASUMS256.txt.sig if it is appropriate for this PR).

files.

The SHASUMS256.txt can be downloaded using `curl`.
To download SHASUMS256.txt using `curl`:

```console
$ curl -O https://nodejs.org/dist/vx.y.z/SHASUMS256.txt
Expand All @@ -131,14 +130,11 @@ it through `sha256sum` with a command such as:
$ grep node-vx.y.z.tar.gz SHASUMS256.txt | sha256sum -c -
```

Current and LTS releases (but not Nightlies) also have the GPG detached
signature of SHASUMS256.txt available as SHASUMS256.txt.sig. You can use `gpg`
to verify that SHASUMS256.txt has not been tampered with.

To verify SHASUMS256.txt has not been altered, you will first need to import
all of the GPG keys of individuals authorized to create releases. They are
listed at the bottom of this README under [Release Team](#release-team).
Use a command such as this to import the keys:
For Current and LTS, the GPG detached signature of SHASUMS256.txt is in
SHASUMS256.txt.sig. You can use it with `gpg` to verify the integrity of
SHASUM256.txt. You will first need to import all the GPG keys of individuals
authorized to create releases. They are at the bottom of this README under
[Release Team](#release-team). To import the keys:

```console
$ gpg --keyserver pool.sks-keyservers.net --recv-keys DD8F2338BAE7501E3DD5AC78C273792F7D83545D
Expand All @@ -152,12 +148,8 @@ Next, download the SHASUMS256.txt.sig for the release:
$ curl -O https://nodejs.org/dist/vx.y.z/SHASUMS256.txt.sig
```

After downloading the appropriate SHASUMS256.txt and SHASUMS256.txt.sig files,
you can then use `gpg --verify SHASUMS256.txt.sig SHASUMS256.txt` to verify
that the file has been signed by an authorized member of the Node.js team.

Once verified, use the SHASUMS256.txt file to get the checksum for
the binary verification command above.
Then use `gpg --verify SHASUMS256.txt.sig SHASUMS256.txt` to verify
the file's signature.

## Building Node.js

Expand Down