diff --git a/README.md b/README.md
index c7fe50e2e95278..a382bff37f8b6f 100644
--- a/README.md
+++ b/README.md
@@ -565,7 +565,9 @@ GPG keys used to sign Node.js releases:
 * **Shelley Vohr** <shelley.vohr@gmail.com>
 `B9E2F5981AA6E0CD28160D9FF13993A75599653C`
 
-To import the full set of trusted release keys:
+If you encounter a release signed by a key not listed above, please import it
+and check whether it is a sub-key of a primary key listed above. You can also
+import the full set of trusted release keys:
 
 ```shell
 gpg --keyserver pool.sks-keyservers.net --recv-keys 4ED778F539E3634C779C87C6D7062848A1AB005C