feat: add gpg-only-active-keys/ keyring

Author: aduh95

.gitignore

@@ -1,5 +1,6 @@
 # Backup files, redundant with git history
-/gpg/*~
+/gpg*/*~
+/gpg*/S.*
 
 # TOFU trust database (unused; see https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html)
-/gpg/tofu.db
+/gpg*/tofu.db

README.md

@@ -61,11 +61,15 @@ Other keys used to sign some previous releases:
 
 ## Verifying Release Packages
 
-This repo contains the raw release signing keys in two forms:
+This repo contains the raw release signing keys in three forms:
 
- 1. The **keys/** directory contains the raw ASCII-armored release signing keys listed above.
+- The **keys/** directory contains the raw ASCII-armored release signing keys listed above.
 
- 2. The **gpg/** directory contains a GPG keyring preloaded with these release signing keys.
+- The **gpg/** directory contains a GPG keyring preloaded with these release signing keys.
+
+- The **gpg-only-active-keys/** directory contains a GPG keyring preloaded with
+  the active release signing keys. Use this if you only need to verify
+  signatures of "future" releases.
 
 For additional verification of both the keys' content *and* of the list of authorized signing
 keys, you may cross-reference the list with [nodejs.org](https://nodejs.org) and attempt to

cli.sh

@@ -55,6 +55,7 @@ nodejs_keys_add() {
   gpg --export --armor "${KEY_ID}" > "${CLI_DIR}/keys/${KEY_ID}.asc"
 
   GNUPGHOME="${CLI_DIR}/gpg" gpg --import "${CLI_DIR}/keys/${KEY_ID}.asc"
+  GNUPGHOME="${CLI_DIR}/gpg-only-active-keys" gpg --import "${CLI_DIR}/keys/${KEY_ID}.asc"
 
   printf "keys.list <- "
   if grep --quiet "${KEY_ID}" "${CLI_DIR}/keys.list"; then