From cc67720ff9c50aeed953b517d62878b1acacae58 Mon Sep 17 00:00:00 2001 From: marco-ippolito Date: Thu, 28 Mar 2024 19:08:48 +0100 Subject: [PATCH] doc: update release gpg keyserver PR-URL: https://github.com/nodejs/node/pull/52257 Refs: https://github.com/nodejs/Release/issues/984 Reviewed-By: Antoine du Hamel Reviewed-By: Luigi Pinca Reviewed-By: Richard Lau Reviewed-By: Ruy Adorno Reviewed-By: Rafael Gonzaga Reviewed-By: Matteo Collina --- doc/contributing/releases.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/doc/contributing/releases.md b/doc/contributing/releases.md index db0d4552e41ea4..2e4a1d2c1faf93 100644 --- a/doc/contributing/releases.md +++ b/doc/contributing/releases.md @@ -90,10 +90,11 @@ responsible for that release. In order to be able to verify downloaded binaries, the public should be able to check that the `SHASUMS256.txt` file has been signed by someone who has been authorized to create a release. -The GPG keys should be fetchable from a known third-party keyserver. The SKS -Keyservers at are recommended. Use the -[submission](https://pgp.mit.edu/) form to submit a new GPG key. You'll need to -do an ASCII-armored export of your key first: +The public keys should be fetchable from a known third-party keyserver. +The OpenPGP keyserver at is recommended. +Use the [submission](https://keys.openpgp.org/upload) form to submit +a new public key, and make sure to verify the associated email. +You'll need to do an ASCII-armored export of your key first: ```bash gpg --armor --export email@server.com > ~/nodekey.asc @@ -102,7 +103,7 @@ gpg --armor --export email@server.com > ~/nodekey.asc Keys should be fetchable via: ```bash -gpg --keyserver pool.sks-keyservers.net --recv-keys +gpg --keyserver hkps://keys.openpgp.org --recv-keys ``` The key you use may be a child/subkey of an existing key.