Important Update: RPM Package Signature Key Change

[JesusPaz]

We are excited to announce a crucial update to our RPM package signing process. To enhance security and compatibility with new RPM distributions, we are upgrading our signature from SHA1 to SHA256.

This change necessitates regenerating all existing versions for Node.js 18, 20, and 21. Please note, this update applies only to active and supported Node.js versions.

Additionally, responding to community feedback, we're bringing back our installation scripts!

However, during this transition, you might encounter issues related to cache and package signing. But don't worry, we are fully committed to supporting you through any challenges that arise.

NodeSource team.

[StanBorbatTR]

When the the installation scripts were temporarily discontinued, we switched to using the RPM repositories directly. However, last week the RPM packages that provided the repository and key configurations stopped working correctly as they are still providing old keys. Are those packages still supported? Will they be updated, or should we switch back to using the installation scripts?

Here's a Dockerfile that illustrates/replicates the issue:

FROM public.ecr.aws/amazonlinux/amazonlinux:2023

# NodeJS 18
RUN set -ex \
    && curl -fsSL "https://rpm.nodesource.com/gpgkey/nodesource.gpg.key" -o "/tmp/nodesource.gpg.key" \
    && echo "332d428848005f43bfc79b9578c55cd172f5f17ae38aa7d9328f03a24e21c13a /tmp/nodesource.gpg.key" | sha256sum --check \
    && rpm --import /tmp/nodesource.gpg.key \
    && curl -fsSL "https://rpm.nodesource.com/pub_18.x/nodistro/repo/nodesource-release-nodistro-1.noarch.rpm" -o "/tmp/nodesource-release-nodistro-1.noarch.rpm" \
    && rpm -K /tmp/nodesource-release-nodistro-1.noarch.rpm && rpm -i /tmp/nodesource-release-nodistro-1.noarch.rpm \
    && yum install nodejs -y \
    && rm /tmp/nodesource.gpg.key \
    && rm /tmp/nodesource-release-nodistro-1.noarch.rpm \
    && yum clean all \
    && rm -rf /var/cache/yum