Either ensure that specific GPG keys used to sign releases are mentioned in README(.md) or indicate that the key could be a sub-key of a key listed (which itself isn't listed), with a sentence or 2 to minimize the time spent on sub-key aspect, if applicable

[haqer1]

• Version: 12.6.1
• Platform: Linux

What steps will reproduce the bug?

gpg --verify SHASUMS256.txt.sig

What is the expected behavior?

Key used should be mentioned on README(.md).

What do you see instead?

gpg --verify SHASUMS256.txt.sig
gpg: assuming signed data in 'SHASUMS256.txt'
gpg: Signature made ...
gpg: using RSA key 0EFFE1BCEFD9C84E3D098152933B01F40B5CA946

I.e., key is not mentioned on README.

[haqer1]

I see that the 2 keys are related. Yet, it's confusing to see a key that's not documented on the README: this requires the user to spend extra time on verifying what's going on.

P.S. All the other release developers have 1 key each on README, so i'm not sure whether listing both related keys for 1 release developers is an option (although it would be sufficient for verification purposes).
P.P.S. Perhaps some scripting could also be considered to make sure that the key used to sign a release is listed in README.md...

My 2 cents.

[ahwayakchih]

@haqer1 problem with GPG/PGP keys is being discussed for a long time now:

1. Release PGP key strategy and policy #709
2. New strategy for managing, sharing and documenting release keys needed build#1913

It looks like there will be a separate repository for release keys (although it still would need to be kept up-to-date with whatever key is used to sign releases), as proposed by @canterberry:

nodejs/admin#456

It just takes forever to finalize :(

[haqer1]

I've installed a lot of software & until this nodejs installation i've never seen a sub-key of a key listed on the software provider's site (which itself isn't listed) having been used to sign a release: IMHO, this is confusing & leads to waste of time.

Therefore,

• I think specific key used to sign should be listed: i.e., for me the proper fix is something like PR doc: ensure that GPG key used to sign the latest LTS release (12.6.1), as well as 13.12.0, & 8.16.0 is mentioned in README(.md) (#32559) #32560...

• but while i don't believe in it being the right way to address this, PR doc: make README(.md) more informative by indicating that a GPG key u… #32591 is still better than the status quo.