Syncing up release keys with Node.js docs (#1002)
We don't need old keys to verify new releases so I'm dropping them in favor of what's provided in the Node.js docs (https://github.com/nodejs/node?tab=readme-ov-file#release-keys). This should fix the blocked mirroring jobs like https://github.com/heroku/buildpacks-nodejs/actions/runs/12899295994/job/35967843824.
colincasey authored Jan 22, 2025
1 parent 6a9f96e commit 0e58881
Showing 1 changed file with 9 additions and 32 deletions.
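--- a/common/bin/download-verify-node
+++ b/common/bin/download-verify-node
@@ -32,38 +32,15 @@ echo "Checking Node.js integrity..." >&2
 grep "node-v${version_number}-${platform}.tar.gz" SHASUMS256.txt | sha256sum -c -
 
 echo "Importing gpg keys..." >&2
-gpg_keys=(
-"4ED778F539E3634C779C87C6D7062848A1AB005C"
-"94AE36675C464D64BAFA68DD7434390BDBE9B9C5"
-"1C050899334244A8AF75E53792EF661D867B9DFA"
-"B9AE9905FFD7803F25714661B63B535A4C206CA9"
-"77984A986EBC2AA786BC0F66B01FBB92821C587A"
-"71DCFD284A79C3B38668286BC97EC7A07EDE3FC1"
-"61FC681DFB92A079F1685E77973F295594EC4689"
-"FD3A5288F042B6850C66B31F09FE44734EB7990E"
-"8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600"
-"C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8"
-"890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4"
-"C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C"
-"DD8F2338BAE7501E3DD5AC78C273792F7D83545D"
-"A48C2BEE680E841632CD4E44F07496B3EB3C1762"
-"B9E2F5981AA6E0CD28160D9FF13993A75599653C"
-"108F52B48DB57BB0CC439B2997B01419BD92F80A"
-"9554F04D7259F04124DE6B476D5A82AC7E37093B"
-"93C7E9E91B49E432C2F75674B0A78B0A6C481CF6"
-"56730D5401028683275BD23C23EFEFE93C4CFFFE"
-"114F43EE0176B71C7BC219DD50A3051F888C628D"
-"7937DFD2AB06298B2293C3187D33FF9D0246406D"
-"74F12602B6F1C4E913FAA37AD3A89613643B6201"
-"141F07595B7B3FFE74309A937405533BE57C7D57"
-"DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7"
-"A363A499291CBBC940DD62E41F10027AF002F8B0"
-"CC68F5A3106FF448322E48ED27F5E38D5B0A215F"
-"C0D6248439F1D5604AAFFB4021D900FFDB233756"
-)
-for key in "${gpg_keys[@]}"; do
-gpg --keyserver hkps://keys.openpgp.org --recv-keys "$key"
-done
+# https://github.com/nodejs/node?tab=readme-ov-file#release-keys
+gpg --keyserver hkps://keys.openpgp.org --recv-keys C0D6248439F1D5604AAFFB4021D900FFDB233756 # Antoine du Hamel
+gpg --keyserver hkps://keys.openpgp.org --recv-keys DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 # Juan José Arboleda
+gpg --keyserver hkps://keys.openpgp.org --recv-keys CC68F5A3106FF448322E48ED27F5E38D5B0A215F # Marco Ippolito
+gpg --keyserver hkps://keys.openpgp.org --recv-keys 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 # Michaël Zasso
+gpg --keyserver hkps://keys.openpgp.org --recv-keys 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 # Rafael Gonzaga
+gpg --keyserver hkps://keys.openpgp.org --recv-keys C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C # Richard Lau
+gpg --keyserver hkps://keys.openpgp.org --recv-keys 108F52B48DB57BB0CC439B2997B01419BD92F80A # Ruy Adorno
+gpg --keyserver hkps://keys.openpgp.org --recv-keys A363A499291CBBC940DD62E41F10027AF002F8B0 # Ulises Gascónne
 
 echo "Verifying Node.js gpg signature..." >&2
 gpg --verify SHASUMS256.txt.sig SHASUMS256.txt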
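Review bot: `gpg --verify SHASUMS256.txt.sig SHASUMS256.txt` accepts a good signature from any key in the active keyring, so the eight fingerprints imported above only act as an allowlist if the script runs against a keyring that holds nothing else; the hunk does not show whether `GNUPGHOME` is isolated, and the script continues outside it on both sides. If it is not, I would set a throwaway home before the imports, e.g. `GNUPGHOME="$(mktemp -d)"; export GNUPGHOME`, so a key already present on the runner cannot satisfy the check. The eight separate `--recv-keys` calls also make every run depend on keys.openpgp.org being reachable and serving importable keys, which a keyring file committed next to the script would avoid; that dependency may be related to the blocked jobs the description mentions. The trailing comment on the last added line reads `# Ulises Gascónne`, which looks like a stray `ne` after the name.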
