Primary GPG keys for Node.js Releasers (some Releasers sign with subkeys):
- Antoine du Hamel <[email protected]>
C0D6248439F1D5604AAFFB4021D900FFDB233756 - Juan José Arboleda <[email protected]>
DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 - Marco Ippolito <[email protected]>
CC68F5A3106FF448322E48ED27F5E38D5B0A215F - Michaël Zasso <[email protected]>
8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 - Rafael Gonzaga <[email protected]>
890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 - Richard Lau <[email protected]>
C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C - Ruy Adorno <[email protected]>
108F52B48DB57BB0CC439B2997B01419BD92F80A - Ulises Gascón <[email protected]>
A363A499291CBBC940DD62E41F10027AF002F8B0
Other keys used to sign some previous releases:
- Beth Griggs <[email protected]>
4ED778F539E3634C779C87C6D7062848A1AB005C - Bryan English <[email protected]>
141F07595B7B3FFE74309A937405533BE57C7D57 - Chris Dickinson <[email protected]>
9554F04D7259F04124DE6B476D5A82AC7E37093B - Colin Ihrig <[email protected]>
94AE36675C464D64BAFA68DD7434390BDBE9B9C5 - Danielle Adams <[email protected]>
1C050899334244A8AF75E53792EF661D867B9DFA74F12602B6F1C4E913FAA37AD3A89613643B6201 - Evan Lucas <[email protected]>
B9AE9905FFD7803F25714661B63B535A4C206CA9 - Gibson Fahnestock <[email protected]>
77984A986EBC2AA786BC0F66B01FBB92821C587A - Isaac Z. Schlueter <[email protected]>
93C7E9E91B49E432C2F75674B0A78B0A6C481CF6 - Italo A. Casas <[email protected]>
56730D5401028683275BD23C23EFEFE93C4CFFFE - James M Snell <[email protected]>
71DCFD284A79C3B38668286BC97EC7A07EDE3FC1 - Jeremiah Senkpiel <[email protected]>
FD3A5288F042B6850C66B31F09FE44734EB7990E - Juan José Arboleda <[email protected]>
61FC681DFB92A079F1685E77973F295594EC4689 - Julien Gilli <[email protected]>
114F43EE0176B71C7BC219DD50A3051F888C628D - Myles Borins <[email protected]>
C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8 - Rod Vagg <[email protected]>
DD8F2338BAE7501E3DD5AC78C273792F7D83545D - Ruben Bridgewater <[email protected]>
A48C2BEE680E841632CD4E44F07496B3EB3C1762 - Shelley Vohr <[email protected]>
B9E2F5981AA6E0CD28160D9FF13993A75599653C - Timothy J Fontaine <[email protected]>
7937DFD2AB06298B2293C3187D33FF9D0246406D
This repo contains the raw release signing keys in three forms:
-
The keys/ directory contains the raw ASCII-armored release signing keys listed above.
-
The gpg/ directory contains a GPG keyring preloaded with these release signing keys.
-
The gpg-only-active-keys/ directory contains a GPG keyring preloaded with the active release signing keys. Use this if you only need to verify signatures of "future" releases.
For additional verification of both the keys' content and of the list of authorized signing keys, you may cross-reference the list with nodejs.org and attempt to fetch keys from alternative sources (instead of or in addition to this repo).
First, clone this repo:
git clone https://github.com/nodejs/release-keys.gitThen, prefix your gpg commands with the path to the cloned repo's gpg/ directory.
For example, if you cloned the repo to /path/to/nodejs-keys, then the gpg command
to verify a release package will look something like this:
GNUPGHOME=/path/to/release-keys/gpg gpg --verify SHASUMS256.txt.sig SHASUMS256.txtFirst, clone this repo:
git clone https://github.com/nodejs/release-keys.gitThen, import the release signing keys from this repo into your GPG keychain by invoking the cli.sh script in this repo. For example, immediately after cloning the repo above, the following command will import all release signing keys:
release-keys/cli.sh import