doc: ensure that GPG key used to sign the latest LTS release (12.6.1), as well as 13.12.0, & 8.16.0 #32565

Closed

@haqer1 haqer1 commented Mar 30, 2020

… is mentioned in README(.md) (alternative approach (just in case decision-makers want to keep C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8 key listed higher (as current) & 0EFFE1BCEFD9C84E3D098152933B01F40B5CA946 lower (as older)))

Update README.md.

Fixes: #32559

… is mentioned in README(.md) (alternative approach)

Update README.md.

Fixes: nodejs#32559
Member

@MylesBorins MylesBorins left a comment

PTAL at #32560 (comment) as to why I don't think this should land

@haqer1
Contributor Author

haqer1 commented Mar 31, 2020

Just in case, I'm also listing the error the user gets at present in French:

```
$ gpg --verify SHASUMS256.txt.sig SHASUMS256.txt
gpg: Signature faite le ...
gpg:                avec la clef RSA 0EFFE1BCEFD9C84E3D098152933B01F40B5CA946
gpg: Impossible de vérifier la signature : Pas de clef publique
```

IMHO, because 0EFFE1BCEFD9C84E3D098152933B01F40B5CA946 is not listed in https://github.com/nodejs/node/blob/master/README.md either this PR or #32560 should land.

P.S. IMHO, users shouldn't be required to spend extra time on this (for whatever reason this has happened), while there is a section in README(.md) which is specifically made to facilitate signature verification. So at present (assumingly) all the keys for (assumingly) all the releases are listed there, except this 1 key for this 1 LTS release. Which is why I've spent some time to ask for it to be corrected.

@haqer1
Contributor Author

haqer1 commented Mar 31, 2020

The same stuff as in #32560 (comment), but preserving spaces (& in French):

```
.../nodejs/8.16.0$ gpg --verify SHASUMS256.txt.sig SHASUMS256.txt
gpg: Signature faite le <date/>
gpg:                avec la clef RSA 0EFFE1BCEFD9C84E3D098152933B01F40B5CA946
gpg: Impossible de vérifier la signature : Pas de clef publique
.../nodejs/13.12.0$ gpg --verify SHASUMS256.txt.sig SHASUMS256.txt
gpg: Signature faite le <date/>
gpg:                avec la clef RSA 0EFFE1BCEFD9C84E3D098152933B01F40B5CA946
gpg: Impossible de vérifier la signature : Pas de clef publique
```

The fact that users see 0EFFE1BCEFD9C84E3D098152933B01F40B5CA946 for (at least) 3 releases, IMHO, is an argument in favor of landing #32560 (as opposed to this PR).
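Added example (not part of the original thread or of the Node.js project): the messages quoted above are localized, so a script that checks release signatures should read gpg's untranslated `--status-fd` lines and compare the reported key against a documented fingerprint list before anyone imports it. The function names, the constructed `SAMPLE_STATUS` text and the `README_KEYS` list are assumptions made for this sketch.

```shell
#!/bin/sh
# Classify the output of
#   gpg --status-fd 1 --verify SHASUMS256.txt.sig SHASUMS256.txt
# using the machine-readable "[GNUPG:]" lines, which do not depend on the locale.

# Constructed sample: status lines for a signature whose key is not in the keyring.
# The key ID is the low 64 bits of the fingerprint quoted in the thread; the other
# ERRSIG fields are made up.
SAMPLE_STATUS='[GNUPG:] ERRSIG 933B01F40B5CA946 1 8 00 1585000000 9
[GNUPG:] NO_PUBKEY 933B01F40B5CA946'

# Assumed local copy of the documented release-key fingerprints, one per line.
# Only the key the PR description names as already listed is included here.
README_KEYS='C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8'

# Print field 3 of the first status line carrying the given keyword (reads stdin).
status_field() {
    awk -v kw="$1" '$1 == "[GNUPG:]" && $2 == kw { print $3; exit }'
}

# Succeed if a listed fingerprint ends with the given key ID or fingerprint.
key_is_listed() {
    case $1 in ''|*[!0-9A-Fa-f]*) return 1 ;; esac   # hex digits only
    printf '%s\n' "$2" | grep -qi -- "$1\$"
}

# Print one of: verified:<fpr>, valid-unlisted:<fpr>,
#               missing-listed:<keyid>, missing-unlisted:<keyid>, failed
classify_status() {
    fpr=$(printf '%s\n' "$1" | status_field VALIDSIG)
    if [ -n "$fpr" ]; then
        if key_is_listed "$fpr" "$2"; then echo "verified:$fpr"
        else echo "valid-unlisted:$fpr"; fi
        return 0
    fi
    id=$(printf '%s\n' "$1" | status_field NO_PUBKEY)
    if [ -z "$id" ]; then echo "failed"
    elif key_is_listed "$id" "$2"; then echo "missing-listed:$id"
    else echo "missing-unlisted:$id"; fi
}

classify_status "$SAMPLE_STATUS" "$README_KEYS"
```

A `missing-unlisted` result is the situation reported in this thread: the signing key is neither in the keyring nor in the documented list, so it should be confirmed through another channel rather than fetched by ID.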

@haqer1 haqer1 changed the title doc: ensure that GPG key used to sign the latest LTS release (12.6.1)… doc: ensure that GPG key used to sign the latest LTS release (12.6.1), as well as 13.12.0, & 8.16.0 Apr 1, 2020
@MylesBorins
Member

Landed #32591 instead

Labels
doc Issues and PRs related to the documentations.