nodejs/node

README gpg guidelines are insufficient

raggi opened this issue · 5 comments

raggi commented
  • Version: n/a
  • Platform: n/a
  • Subsystem: n/a

The readme states:

You can then use gpg --verify SHASUMS256.txt.asc to verify that the file has been signed by an authorized member of the Node.js team.

However, this operation will only verify that the file was armored by some previously trusted gpg public key. Any user that trusts more than just the node publishing keys may be vulnerable to packages published by non-nodejs team members.

This process should use --no-default-keyring and a keyring/key file fit for purpose, along with --verify.

@raggi can you submit a PR with the suggested change and we can discuss it in the PR

maybe cc @rvagg and @indutny?

I agree that custom keyrings overall provide better safety guarantees when scripting. However, when doing the verification manually, it is a good practice to see who made the signature. Especially, assuming that people may be added to the authorized release group.

raggi commented

https://evil32.com/

I'm muting the issue now, feel free to respond as you will.

Best,

raggi

Trott commented

This issue has been inactive for sufficiently long that it seems like perhaps it should be closed. Feel free to re-open (or leave a comment requesting that it be re-opened) if you disagree. I'm just tidying up and not acting on a super-strong opinion or anything like that.