Open
Description
Problem
This repo is no longer aligned with recommendations from node > README > Verifying binaries which now specifies using https://github.com/nodejs/release-keys/raw/HEAD/gpg/pubring.kbx
Disadvantages of current method:
- Individual keys need to be maintained in this repo
- Both hkps://keys.openpgp.org and keyserver.ubuntu.com key servers need to be polled
- Previous keys in hkps://keys.openpgp.org where the key signer has moved to a new key, are effectively disabled if the same e-mail address is used (see Can I verify more than one key for some email address?)
Solution
Migrate from current Node.js image verification with locally stored individual PGP keys to instead use a keyring from https://github.com/nodejs/release-keys.
Depending on the need for reproducibility, the keyring could either be copied and stored, or the online version on https://github.com/nodejs/release-keys could be used.
Alternatives to Consider
- No change. In that case keys still need to be manually maintained here.
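The keyring-based flow proposed above, written out as an added shell example (not code from this issue or from the docker-node repository). It assumes curl, gpg and sha256sum are installed, that SHASUMS256.txt and its detached signature SHASUMS256.txt.sig are fetched from nodejs.org/dist, and that the keyring is taken from HEAD of nodejs/release-keys; the version string vX.Y.Z is a placeholder.

```shell
#!/bin/sh
# Added example: verify a Node.js release tarball against the nodejs/release-keys
# keyring instead of importing individual signer keys from key servers.

KEYRING_URL="https://github.com/nodejs/release-keys/raw/HEAD/gpg/pubring.kbx"
DIST_URL="https://nodejs.org/dist"

# Fetch the keyring. Pin a commit instead of HEAD (or vendor the file)
# when builds must be reproducible; the issue leaves that choice open.
fetch_keyring() {
  curl -fsSL "$KEYRING_URL" -o "$1"
}

# Verify the detached signature on SHASUMS256.txt using ONLY the release-keys
# keyring; the user's default keyring is deliberately excluded.
# The keyring path must contain a slash, otherwise gpg looks in its home dir.
verify_shasums_signature() {
  gpg --batch --no-default-keyring --keyring "$1" --verify "$2" "$3"
}

# Check that the tarball's SHA-256 matches its line in SHASUMS256.txt
# ("<hash>  <filename>"). Returns 0 on match, 1 if unlisted or different.
verify_tarball_hash() {
  shasums="$1"; tarball="$2"
  line=$(grep " $(basename "$tarball")\$" "$shasums") || return 1
  expected=${line%% *}
  actual=$(sha256sum "$tarball" | cut -d' ' -f1)
  [ "$expected" = "$actual" ]
}

# Full flow for one release, e.g. `sh verify-node.sh vX.Y.Z linux-x64`.
# Signature check first, so an unsigned or tampered SHASUMS file is never
# trusted for the hash comparison.
verify_node_release() {
  version="$1"; platform="$2"
  tarball="node-$version-$platform.tar.gz"
  fetch_keyring ./pubring.kbx || return 1
  for f in "$tarball" SHASUMS256.txt SHASUMS256.txt.sig; do
    curl -fsSLO "$DIST_URL/$version/$f" || return 1
  done
  verify_shasums_signature ./pubring.kbx SHASUMS256.txt.sig SHASUMS256.txt \
    && verify_tarball_hash SHASUMS256.txt "$tarball"
}

if [ "$#" -eq 2 ]; then
  verify_node_release "$1" "$2"
fi
```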