Primary GPG keys for Node.js Releasers (some Releasers sign with subkeys):
- Antoine du Hamel <duhamelantoine1995@gmail.com>
5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 - Juan José Arboleda <soyjuanarbol@gmail.com>
DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 - Marco Ippolito <marcoippolito54@gmail.com>
CC68F5A3106FF448322E48ED27F5E38D5B0A215F - Michaël Zasso <targos@protonmail.com>
8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 - Rafael Gonzaga <rafael.nunu@hotmail.com>
890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 - Richard Lau <richard.lau@ibm.com>
C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C - Ruy Adorno <ruyadorno@hotmail.com>
108F52B48DB57BB0CC439B2997B01419BD92F80A - Ulises Gascón <ulisesgascongonzalez@gmail.com>
A363A499291CBBC940DD62E41F10027AF002F8B0
Other keys used to sign some previous releases:
- Antoine du Hamel <duhamelantoine1995@gmail.com>
C0D6248439F1D5604AAFFB4021D900FFDB233756 - Beth Griggs <bethanyngriggs@gmail.com>
4ED778F539E3634C779C87C6D7062848A1AB005C - Bryan English <bryan@bryanenglish.com>
141F07595B7B3FFE74309A937405533BE57C7D57 - Chris Dickinson <christopher.s.dickinson@gmail.com>
9554F04D7259F04124DE6B476D5A82AC7E37093B - Colin Ihrig <cjihrig@gmail.com>
94AE36675C464D64BAFA68DD7434390BDBE9B9C5 - Danielle Adams <adamzdanielle@gmail.com>
1C050899334244A8AF75E53792EF661D867B9DFA74F12602B6F1C4E913FAA37AD3A89613643B6201 - Evan Lucas <evanlucas@me.com>
B9AE9905FFD7803F25714661B63B535A4C206CA9 - Gibson Fahnestock <gibfahn@gmail.com>
77984A986EBC2AA786BC0F66B01FBB92821C587A - Isaac Z. Schlueter <i@izs.me>
93C7E9E91B49E432C2F75674B0A78B0A6C481CF6 - Italo A. Casas <me@italoacasas.com>
56730D5401028683275BD23C23EFEFE93C4CFFFE - James M Snell <jasnell@keybase.io>
71DCFD284A79C3B38668286BC97EC7A07EDE3FC1 - Jeremiah Senkpiel <fishrock@keybase.io>
FD3A5288F042B6850C66B31F09FE44734EB7990E - Juan José Arboleda <soyjuanarbol@gmail.com>
61FC681DFB92A079F1685E77973F295594EC4689 - Julien Gilli <jgilli@fastmail.fm>
114F43EE0176B71C7BC219DD50A3051F888C628D - Myles Borins <myles.borins@gmail.com>
C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8 - Rod Vagg <rod@vagg.org>
DD8F2338BAE7501E3DD5AC78C273792F7D83545D - Ruben Bridgewater <ruben@bridgewater.de>
A48C2BEE680E841632CD4E44F07496B3EB3C1762 - Shelley Vohr <shelley.vohr@gmail.com>
B9E2F5981AA6E0CD28160D9FF13993A75599653C - Timothy J Fontaine <tjfontaine@gmail.com>
7937DFD2AB06298B2293C3187D33FF9D0246406D
This repo contains the raw release signing keys in three forms:
-
The keys/ directory contains the raw ASCII-armored release signing keys listed above.
-
The gpg/ directory contains a GPG keyring preloaded with these release signing keys.
-
The gpg-only-active-keys/ directory contains a GPG keyring preloaded with the active release signing keys. Use this if you only need to verify signatures of "future" releases.
For additional verification of both the keys' content and of the list of authorized signing keys, you may cross-reference the list with nodejs.org and attempt to fetch keys from alternative sources (instead of or in addition to this repo).
First, clone this repo:
git clone https://github.com/nodejs/release-keys.gitThen, prefix your gpg commands with the path to the cloned repo's gpg/ directory.
For example, if you cloned the repo to /path/to/nodejs-keys, then the gpg command
to verify a release package will look something like this:
GNUPGHOME=/path/to/release-keys/gpg gpg --verify SHASUMS256.txt.sig SHASUMS256.txtFirst, clone this repo:
git clone https://github.com/nodejs/release-keys.gitThen, import the release signing keys from this repo into your GPG keychain by invoking the cli.sh script in this repo. For example, immediately after cloning the repo above, the following command will import all release signing keys:
release-keys/cli.sh import