nodejs
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 26 additions & 0 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 26 additions & 0 deletions
diff --git a/‎generate-gpg-dir.sh‎
Lines changed: 32 additions & 0 deletions b/‎generate-gpg-dir.sh‎
Lines changed: 32 additions & 0 deletions
diff --git a/‎gpg/crls.d/DIR.txt‎
Lines changed: 0 additions & 1 deletion b/‎gpg/crls.d/DIR.txt‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎gpg/pubring.kbx‎
720 Bytes b/‎gpg/pubring.kbx‎
720 Bytes
diff --git a/‎gpg/trustdb.gpg‎
0 Bytes b/‎gpg/trustdb.gpg‎
0 Bytes
@@ -38,3 +38,29 @@ jobs:
             echo
             sed -n '\#^<!-- /Retired keys -->$#,$p' README.md
           } | diff README.md -
+
+  lint-pubring:
+    if: github.event.pull_request.draft == false
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          persist-credentials: false
+      - name: Export pubring content
+        run: |
+          gpg --no-default-keyring --keyring "gpg/pubring.kbx" --list-keys --with-colons > all-keys.list
+          gpg --no-default-keyring --keyring "gpg/pubring.kbx" --export --armor > all-keys.asc
+          git add all-keys.list all-keys.asc
+      - name: Re-generate gpg folder
+        run: |
+          ./generate-gpg-dir.sh
+          gpg --no-default-keyring --keyring "gpg/pubring.kbx" --list-keys --with-colons > all-keys.list
+          gpg --no-default-keyring --keyring "gpg/pubring.kbx" --export --armor > all-keys.asc
+      - run: git diff --exit-code -- all-keys.list all-keys.asc
+
+      - name: Validate that all non-v0.x releases can be verified using the keyring
+        run: |
+          curl https://nodejs.org/dist/index.json | jq -r '.[].version | select(startswith("v0.") | not)' | while read -r VERSION; do
+            echo "Checking $VERSION..."
+            curl --silent "https://nodejs.org/dist/${VERSION}/SHASUMS256.txt.asc" | gpgv --keyring="gpg/pubring.kbx"
+          done
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+set -ex
+
+GNUPGHOME=${1:-"$(cd "$(dirname "$0")"; pwd)/gpg"}
+ONLY_ACTIVE_KEYS=${2:-"$GNUPGHOME-only-active-keys"}
+
+if [ -d "$GNUPGHOME" ]; then
+  # If folder exists, move it to a temp dir
+  # Removing it could be dangerous
+  TRASH=$(mktemp -d)
+  mv "$GNUPGHOME" "$TRASH"
+fi
+if [ -d "$ONLY_ACTIVE_KEYS" ]; then
+  # If folder exists, move it to a temp dir
+  # Removing it could be dangerous
+  TRASH=$(mktemp -d)
+  mv "$ONLY_ACTIVE_KEYS" "$TRASH"
+fi
+
+mkdir -p "$GNUPGHOME"
+
+awk -F'`' '/^<!-- Active releasers keys -->$/,/^<!-- .Active releasers keys -->$/ {if($1 == "  [") print substr($3, 3, length($3) - 3) }' README.md | while read -r KEY_PATH; do
+  GNUPGHOME="$GNUPGHOME" gpg --import "$KEY_PATH"
+done
+
+# TODO: add a "active-keys-only" keyring
+# cp -R "$GNUPGHOME" "$ONLY_ACTIVE_KEYS"
+
+awk -F'`' '/^<!-- Retired keys -->$/,/^<!-- .Retired keys -->$/ {if($1 == "  [") print substr($3, 3, length($3) - 3) }' README.md | while read -r KEY_PATH; do
+  GNUPGHOME="$GNUPGHOME" gpg --import "$KEY_PATH"
+done