-
Notifications
You must be signed in to change notification settings - Fork 11
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
v18 and v19 are signed by a public key not captured in this keyring #21
Comments
Still an issue with v18.15.0, any update on when those keys will get added to support signature verification? |
Hey, @sp3nx0r. Looking into this. v18.15.0 signing key $ wget https://nodejs.org/dist/v18.15.0/SHASUMS256.txt.sig
$ wget https://nodejs.org/dist/v18.15.0/SHASUMS256.txt
$ GNUPGHOME=~/release-keys/gpg gpg --verify SHASUMS256.txt.sig SHASUMS256.txt
gpg: Signature made Tue 7 Mar 20:01:57 2023 GMT
gpg: using RSA key 4ED778F539E3634C779C87C6D7062848A1AB005C
gpg: Good signature from "Beth Griggs <bgriggs@redhat.com>" [unknown]
gpg: aka "Beth Griggs <Bethany.Griggs@uk.ibm.com>" [unknown]
... But, v19.5.0 signing key $ wget https://nodejs.org/dist/v19.4.0/SHASUMS256.txt
$ wget https://nodejs.org/dist/v19.4.0/SHASUMS256.txt.sig
$ GNUPGHOME=~/release-keys/gpg gpg --verify SHASUMS256.txt.sig SHASUMS256.txt
gpg: Signature made Fri 6 Jan 13:15:00 2023 GMT
gpg: using RSA key 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4
gpg: Can't check signature: No public key @RafaelGSS it looks like we missed adding your key @juanarbol's old key |
I'd appreciate if anyone can confirm that the signature validation is working after #24 landed. |
Can confirm this is now working as intended for 18, 19, 20 versions. Thanks for addressing |
Noticed that NodeJS v18 and v19 fail when validating signatures using the public key keyring in this repo:
v18 is using RSA key 61FC681DFB92A079F1685E77973F295594EC4689
Could we get those keys added into this repo for signature verification? Thanks
The text was updated successfully, but these errors were encountered: