From 0e588817f9e07a3afb08714471cbc987a99f4c7c Mon Sep 17 00:00:00 2001
From: Colin Casey <casey.colin@gmail.com>
Date: Wed, 22 Jan 2025 11:45:59 -0400
Subject: [PATCH] Syncing up release keys with Node.js docs (#1002)

We don't need old keys to verify new releases so I'm dropping them in favor of what's provided in the Node.js docs (https://github.com/nodejs/node?tab=readme-ov-file#release-keys). This should fix the blocked mirroring jobs like https://github.com/heroku/buildpacks-nodejs/actions/runs/12899295994/job/35967843824.
---
 common/bin/download-verify-node | 41 ++++++++-------------------------
 1 file changed, 9 insertions(+), 32 deletions(-)

diff --git a/common/bin/download-verify-node b/common/bin/download-verify-node
index 87d2f788..c06b2bc0 100755
--- a/common/bin/download-verify-node
+++ b/common/bin/download-verify-node
@@ -32,38 +32,15 @@ echo "Checking Node.js integrity..." >&2
 grep "node-v${version_number}-${platform}.tar.gz" SHASUMS256.txt | sha256sum -c -
 
 echo "Importing gpg keys..." >&2
-gpg_keys=(
-	"4ED778F539E3634C779C87C6D7062848A1AB005C"
-	"94AE36675C464D64BAFA68DD7434390BDBE9B9C5"
-	"1C050899334244A8AF75E53792EF661D867B9DFA"
-	"B9AE9905FFD7803F25714661B63B535A4C206CA9"
-	"77984A986EBC2AA786BC0F66B01FBB92821C587A"
-	"71DCFD284A79C3B38668286BC97EC7A07EDE3FC1"
-	"61FC681DFB92A079F1685E77973F295594EC4689"
-	"FD3A5288F042B6850C66B31F09FE44734EB7990E"
-	"8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600"
-	"C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8"
-	"890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4"
-	"C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C"
-	"DD8F2338BAE7501E3DD5AC78C273792F7D83545D"
-	"A48C2BEE680E841632CD4E44F07496B3EB3C1762"
-	"B9E2F5981AA6E0CD28160D9FF13993A75599653C"
-	"108F52B48DB57BB0CC439B2997B01419BD92F80A"
-	"9554F04D7259F04124DE6B476D5A82AC7E37093B"
-	"93C7E9E91B49E432C2F75674B0A78B0A6C481CF6"
-	"56730D5401028683275BD23C23EFEFE93C4CFFFE"
-	"114F43EE0176B71C7BC219DD50A3051F888C628D"
-	"7937DFD2AB06298B2293C3187D33FF9D0246406D"
-	"74F12602B6F1C4E913FAA37AD3A89613643B6201"
-	"141F07595B7B3FFE74309A937405533BE57C7D57"
-	"DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7"
-	"A363A499291CBBC940DD62E41F10027AF002F8B0"
-	"CC68F5A3106FF448322E48ED27F5E38D5B0A215F"
-	"C0D6248439F1D5604AAFFB4021D900FFDB233756"
-)
-for key in "${gpg_keys[@]}"; do
-	gpg --keyserver hkps://keys.openpgp.org --recv-keys "$key"
-done
+# https://github.com/nodejs/node?tab=readme-ov-file#release-keys
+gpg --keyserver hkps://keys.openpgp.org --recv-keys C0D6248439F1D5604AAFFB4021D900FFDB233756 # Antoine du Hamel
+gpg --keyserver hkps://keys.openpgp.org --recv-keys DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 # Juan José Arboleda
+gpg --keyserver hkps://keys.openpgp.org --recv-keys CC68F5A3106FF448322E48ED27F5E38D5B0A215F # Marco Ippolito
+gpg --keyserver hkps://keys.openpgp.org --recv-keys 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 # Michaël Zasso
+gpg --keyserver hkps://keys.openpgp.org --recv-keys 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 # Rafael Gonzaga
+gpg --keyserver hkps://keys.openpgp.org --recv-keys C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C # Richard Lau
+gpg --keyserver hkps://keys.openpgp.org --recv-keys 108F52B48DB57BB0CC439B2997B01419BD92F80A # Ruy Adorno
+gpg --keyserver hkps://keys.openpgp.org --recv-keys A363A499291CBBC940DD62E41F10027AF002F8B0 # Ulises Gascónne
 
 echo "Verifying Node.js gpg signature..." >&2
 gpg --verify SHASUMS256.txt.sig SHASUMS256.txt