feat: add gpg-only-active-keys/ keyring

Author: aduh95

.gitignore

@@ -1,5 +1,6 @@
 # Backup files, redundant with git history
-/gpg/*~
+/gpg*/*~
+/gpg*/S.*
 
 # TOFU trust database (unused; see https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html)
-/gpg/tofu.db
+/gpg*/tofu.db

README.md

@@ -2,70 +2,75 @@
 
 Primary GPG keys for Node.js Releasers (some Releasers sign with subkeys):
 
-* **Antoine du Hamel** <duhamelantoine1995@gmail.com>
-[`C0D6248439F1D5604AAFFB4021D900FFDB233756`](https://raw.githubusercontent.com/nodejs/release-keys/HEAD/keys/C0D6248439F1D5604AAFFB4021D900FFDB233756.asc)
-* **Beth Griggs** <bgriggs@redhat.com>
-[`4ED778F539E3634C779C87C6D7062848A1AB005C`](https://raw.githubusercontent.com/nodejs/release-keys/HEAD/keys/4ED778F539E3634C779C87C6D7062848A1AB005C.asc)
-* **Bryan English** <bryan@bryanenglish.com>
-[`141F07595B7B3FFE74309A937405533BE57C7D57`](https://raw.githubusercontent.com/nodejs/release-keys/HEAD/keys/141F07595B7B3FFE74309A937405533BE57C7D57.asc)
-* **Colin Ihrig** <cjihrig@gmail.com>
-[`94AE36675C464D64BAFA68DD7434390BDBE9B9C5`](https://raw.githubusercontent.com/nodejs/release-keys/HEAD/keys/94AE36675C464D64BAFA68DD7434390BDBE9B9C5.asc)
-* **Danielle Adams** <adamzdanielle@gmail.com>
-[`74F12602B6F1C4E913FAA37AD3A89613643B6201`](https://raw.githubusercontent.com/nodejs/release-keys/HEAD/keys/74F12602B6F1C4E913FAA37AD3A89613643B6201.asc)
-* **James M Snell** <jasnell@keybase.io>
-[`71DCFD284A79C3B38668286BC97EC7A07EDE3FC1`](https://raw.githubusercontent.com/nodejs/release-keys/HEAD/keys/71DCFD284A79C3B38668286BC97EC7A07EDE3FC1.asc)
-* **Michaël Zasso** <targos@protonmail.com>
-[`8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600`](https://raw.githubusercontent.com/nodejs/release-keys/HEAD/keys/8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600.asc)
-* **Myles Borins** <myles.borins@gmail.com>
-[`C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8`](https://raw.githubusercontent.com/nodejs/release-keys/HEAD/keys/C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8.asc)
-* **Rafael Gonzaga** <rafael.nunu@hotmail.com>
-[`890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4`](https://raw.githubusercontent.com/nodejs/release-keys/HEAD/keys/890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4.asc)
-* **Richard Lau** <rlau@redhat.com>
-[`C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C`](https://raw.githubusercontent.com/nodejs/release-keys/HEAD/keys/C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C.asc)
-* **Rod Vagg** <rod@vagg.org>
-[`DD8F2338BAE7501E3DD5AC78C273792F7D83545D`](https://raw.githubusercontent.com/nodejs/release-keys/HEAD/keys/DD8F2338BAE7501E3DD5AC78C273792F7D83545D.asc)
-* **Ruben Bridgewater** <ruben@bridgewater.de>
-[`A48C2BEE680E841632CD4E44F07496B3EB3C1762`](https://raw.githubusercontent.com/nodejs/release-keys/HEAD/keys/A48C2BEE680E841632CD4E44F07496B3EB3C1762.asc)
-* **Ruy Adorno** <ruyadorno@hotmail.com>
-[`108F52B48DB57BB0CC439B2997B01419BD92F80A`](https://raw.githubusercontent.com/nodejs/release-keys/HEAD/keys/108F52B48DB57BB0CC439B2997B01419BD92F80A.asc)
-* **Shelley Vohr** <shelley.vohr@gmail.com>
-[`B9E2F5981AA6E0CD28160D9FF13993A75599653C`](https://raw.githubusercontent.com/nodejs/release-keys/HEAD/keys/B9E2F5981AA6E0CD28160D9FF13993A75599653C.asc)
-* **Marco Ippolito** &lt;<marcoippolito54@gmail.com>&gt;
-[`CC68F5A3106FF448322E48ED27F5E38D5B0A215F`](https://raw.githubusercontent.com/nodejs/release-keys/HEAD/keys/CC68F5A3106FF448322E48ED27F5E38D5B0A215F.asc)
-* **Ulises Gascón** &lt;ulisesgascongonzalez@gmail.com&gt;
-[`A363A499291CBBC940DD62E41F10027AF002F8B0`](https://raw.githubusercontent.com/nodejs/release-keys/HEAD/keys/A363A499291CBBC940DD62E41F10027AF002F8B0.asc)
+* **Antoine du Hamel** <<duhamelantoine1995@gmail.com>>
+  [`C0D6248439F1D5604AAFFB4021D900FFDB233756`](./keys/C0D6248439F1D5604AAFFB4021D900FFDB233756.asc)
+* **Juan José Arboleda** <<soyjuanarbol@gmail.com>>
+  [`DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7`](./keys/DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7.asc)
+* **Marco Ippolito** <<marcoippolito54@gmail.com>>
+  [`CC68F5A3106FF448322E48ED27F5E38D5B0A215F`](./keys/CC68F5A3106FF448322E48ED27F5E38D5B0A215F.asc)
+* **Michaël Zasso** <<targos@protonmail.com>>
+  [`8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600`](./keys/8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600.asc)
+* **Rafael Gonzaga** <<rafael.nunu@hotmail.com>>
+  [`890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4`](./keys/890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4.asc)
+* **Richard Lau** <<rlau@redhat.com>>
+  [`C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C`](./keys/C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C.asc)
+* **Ruy Adorno** <<ruyadorno@hotmail.com>>
+  [`108F52B48DB57BB0CC439B2997B01419BD92F80A`](./keys/108F52B48DB57BB0CC439B2997B01419BD92F80A.asc)
+* **Ulises Gascón** <<ulisesgascongonzalez@gmail.com>>
+  [`A363A499291CBBC940DD62E41F10027AF002F8B0`](./keys/A363A499291CBBC940DD62E41F10027AF002F8B0.asc)
 
-Other keys used to sign some previous releases:
 
-* **Danielle Adams** &lt;adamzdanielle@gmail.com&gt;
-[`1C050899334244A8AF75E53792EF661D867B9DFA`](https://raw.githubusercontent.com/nodejs/release-keys/HEAD/keys/1C050899334244A8AF75E53792EF661D867B9DFA.asc)
-* **Chris Dickinson** &lt;christopher.s.dickinson@gmail.com&gt;
-[`9554F04D7259F04124DE6B476D5A82AC7E37093B`](https://raw.githubusercontent.com/nodejs/release-keys/HEAD/keys/9554F04D7259F04124DE6B476D5A82AC7E37093B.asc)
-* **Evan Lucas** &lt;evanlucas@me.com&gt;
-[`B9AE9905FFD7803F25714661B63B535A4C206CA9`](https://raw.githubusercontent.com/nodejs/release-keys/HEAD/keys/B9AE9905FFD7803F25714661B63B535A4C206CA9.asc)
-* **Gibson Fahnestock** &lt;gibfahn@gmail.com&gt;
-[`77984A986EBC2AA786BC0F66B01FBB92821C587A`](https://raw.githubusercontent.com/nodejs/release-keys/HEAD/keys/77984A986EBC2AA786BC0F66B01FBB92821C587A.asc)
-* **Isaac Z. Schlueter** &lt;i@izs.me&gt;
-[`93C7E9E91B49E432C2F75674B0A78B0A6C481CF6`](https://raw.githubusercontent.com/nodejs/release-keys/HEAD/keys/93C7E9E91B49E432C2F75674B0A78B0A6C481CF6.asc)
-* **Italo A. Casas** &lt;me@italoacasas.com&gt;
-[`56730D5401028683275BD23C23EFEFE93C4CFFFE`](https://raw.githubusercontent.com/nodejs/release-keys/HEAD/keys/56730D5401028683275BD23C23EFEFE93C4CFFFE.asc)
-* **Jeremiah Senkpiel** &lt;fishrock@keybase.io&gt;
-[`FD3A5288F042B6850C66B31F09FE44734EB7990E`](https://raw.githubusercontent.com/nodejs/release-keys/HEAD/keys/FD3A5288F042B6850C66B31F09FE44734EB7990E.asc)
-* **Julien Gilli** &lt;jgilli@fastmail.fm&gt;
-[`114F43EE0176B71C7BC219DD50A3051F888C628D`](https://raw.githubusercontent.com/nodejs/release-keys/HEAD/keys/114F43EE0176B71C7BC219DD50A3051F888C628D.asc)
-* **Timothy J Fontaine** &lt;tjfontaine@gmail.com&gt;
-[`7937DFD2AB06298B2293C3187D33FF9D0246406D`](https://raw.githubusercontent.com/nodejs/release-keys/HEAD/keys/7937DFD2AB06298B2293C3187D33FF9D0246406D.asc)
-* **Juan José Arboleda** &lt;soyjuanarbol@gmail.com&gt;
-[`61FC681DFB92A079F1685E77973F295594EC4689`](https://raw.githubusercontent.com/nodejs/release-keys/HEAD/keys/61FC681DFB92A079F1685E77973F295594EC4689.asc)
+Other keys used to sign some previous releases:
 
+* **Beth Griggs** <<bethanyngriggs@gmail.com>>
+  [`4ED778F539E3634C779C87C6D7062848A1AB005C`](./keys/4ED778F539E3634C779C87C6D7062848A1AB005C.asc)
+* **Bryan English** <<bryan@bryanenglish.com>>
+  [`141F07595B7B3FFE74309A937405533BE57C7D57`](./keys/141F07595B7B3FFE74309A937405533BE57C7D57.asc)
+* **Chris Dickinson** <<christopher.s.dickinson@gmail.com>>
+  [`9554F04D7259F04124DE6B476D5A82AC7E37093B`](./keys/9554F04D7259F04124DE6B476D5A82AC7E37093B.asc)
+* **Colin Ihrig** <<cjihrig@gmail.com>>
+  [`94AE36675C464D64BAFA68DD7434390BDBE9B9C5`](./keys/94AE36675C464D64BAFA68DD7434390BDBE9B9C5.asc)
+* **Danielle Adams** <<adamzdanielle@gmail.com>>
+  [`1C050899334244A8AF75E53792EF661D867B9DFA`](./keys/1C050899334244A8AF75E53792EF661D867B9DFA.asc)
+  [`74F12602B6F1C4E913FAA37AD3A89613643B6201`](./keys/74F12602B6F1C4E913FAA37AD3A89613643B6201.asc)
+* **Evan Lucas** <<evanlucas@me.com>>
+  [`B9AE9905FFD7803F25714661B63B535A4C206CA9`](./keys/B9AE9905FFD7803F25714661B63B535A4C206CA9.asc)
+* **Gibson Fahnestock** <<gibfahn@gmail.com>>
+  [`77984A986EBC2AA786BC0F66B01FBB92821C587A`](./keys/77984A986EBC2AA786BC0F66B01FBB92821C587A.asc)
+* **Isaac Z. Schlueter** <<i@izs.me>>
+  [`93C7E9E91B49E432C2F75674B0A78B0A6C481CF6`](./keys/93C7E9E91B49E432C2F75674B0A78B0A6C481CF6.asc)
+* **Italo A. Casas** <<me@italoacasas.com>>
+  [`56730D5401028683275BD23C23EFEFE93C4CFFFE`](./keys/56730D5401028683275BD23C23EFEFE93C4CFFFE.asc)
+* **James M Snell** <<jasnell@keybase.io>>
+  [`71DCFD284A79C3B38668286BC97EC7A07EDE3FC1`](./keys/71DCFD284A79C3B38668286BC97EC7A07EDE3FC1.asc)
+* **Jeremiah Senkpiel** <<fishrock@keybase.io>>
+  [`FD3A5288F042B6850C66B31F09FE44734EB7990E`](./keys/FD3A5288F042B6850C66B31F09FE44734EB7990E.asc)
+* **Juan José Arboleda** <<soyjuanarbol@gmail.com>>
+  [`61FC681DFB92A079F1685E77973F295594EC4689`](./keys/61FC681DFB92A079F1685E77973F295594EC4689.asc)
+* **Julien Gilli** <<jgilli@fastmail.fm>>
+  [`114F43EE0176B71C7BC219DD50A3051F888C628D`](./keys/114F43EE0176B71C7BC219DD50A3051F888C628D.asc)
+* **Myles Borins** <<myles.borins@gmail.com>>
+  [`C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8`](./keys/C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8.asc)
+* **Rod Vagg** <<rod@vagg.org>>
+  [`DD8F2338BAE7501E3DD5AC78C273792F7D83545D`](./keys/DD8F2338BAE7501E3DD5AC78C273792F7D83545D.asc)
+* **Ruben Bridgewater** <<ruben@bridgewater.de>>
+  [`A48C2BEE680E841632CD4E44F07496B3EB3C1762`](./keys/A48C2BEE680E841632CD4E44F07496B3EB3C1762.asc)
+* **Shelley Vohr** <<shelley.vohr@gmail.com>>
+  [`B9E2F5981AA6E0CD28160D9FF13993A75599653C`](./keys/B9E2F5981AA6E0CD28160D9FF13993A75599653C.asc)
+* **Timothy J Fontaine** <<tjfontaine@gmail.com>>
+  [`7937DFD2AB06298B2293C3187D33FF9D0246406D`](./keys/7937DFD2AB06298B2293C3187D33FF9D0246406D.asc)
 
 ## Verifying Release Packages
 
-This repo contains the raw release signing keys in two forms:
+This repo contains the raw release signing keys in three forms:
+
+- The **keys/** directory contains the raw ASCII-armored release signing keys listed above.
 
- 1. The **keys/** directory contains the raw ASCII-armored release signing keys listed above.
+- The **gpg/** directory contains a GPG keyring preloaded with these release signing keys.
 
- 2. The **gpg/** directory contains a GPG keyring preloaded with these release signing keys.
+- The **gpg-only-active-keys/** directory contains a GPG keyring preloaded with
+  the active release signing keys. Use this if you only need to verify
+  signatures of "future" releases.
 
 For additional verification of both the keys' content *and* of the list of authorized signing
 keys, you may cross-reference the list with [nodejs.org](https://nodejs.org) and attempt to

cli.sh

@@ -55,6 +55,7 @@ nodejs_keys_add() {
   gpg --export --armor "${KEY_ID}" > "${CLI_DIR}/keys/${KEY_ID}.asc"
 
   GNUPGHOME="${CLI_DIR}/gpg" gpg --import "${CLI_DIR}/keys/${KEY_ID}.asc"
+  GNUPGHOME="${CLI_DIR}/gpg-only-active-keys" gpg --import "${CLI_DIR}/keys/${KEY_ID}.asc"
 
   printf "keys.list <- "
   if grep --quiet "${KEY_ID}" "${CLI_DIR}/keys.list"; then

generate-gpg-dir.sh

@@ -0,0 +1,37 @@
+#!/bin/sh
+
+set -ex
+
+GNUPGHOME=${1:-"$(cd "$(dirname "$0")"; pwd)/gpg"}
+ONLY_ACTIVE_KEYS=${2:-"$GNUPGHOME-only-active-keys"}
+
+if [ -d "$GNUPGHOME" ]; then
+  # If folder exists, move it to a temp dir
+  # Removing it could be dangerous
+  TRASH=$(mktemp -d)
+  mv "$GNUPGHOME" "$TRASH"
+fi
+if [ -d "$ONLY_ACTIVE_KEYS" ]; then
+  # If folder exists, move it to a temp dir
+  # Removing it could be dangerous
+  TRASH=$(mktemp -d)
+  mv "$ONLY_ACTIVE_KEYS" "$TRASH"
+fi
+
+mkdir -p "$GNUPGHOME"
+
+# You can set this variable in your env to use a local version of the nodejs/node README instead of getting it from the internet.
+[ -n "$NODEJS_README_PATH" ] || {
+  NODEJS_README_PATH=$(mktemp)
+  curl -sSLo "$NODEJS_README_PATH" https://github.com/nodejs/node/raw/HEAD/README.md
+}
+
+awk -F'`' '/^### Release keys$/,/^<summary>Other keys used to sign some previous releases<.summary>$/{if($1 == "  ") print $2 }' "$NODEJS_README_PATH" | while read -r KEY_ID; do
+  GNUPGHOME="$GNUPGHOME" gpg --import "keys/$KEY_ID.asc"
+done
+
+cp -R "$GNUPGHOME" "$ONLY_ACTIVE_KEYS"
+
+awk -F'`' '/^<summary>Other keys used to sign some previous releases<.summary>$/,/^<.details>$/{if($1 == "  ") print $2 }' "$NODEJS_README_PATH" | while read -r OLD_KEY; do
+  GNUPGHOME="$GNUPGHOME" gpg --import "keys/$OLD_KEY.asc"
+done