## Problem

This repo is no longer aligned with recommendations from [node > README > Verifying binaries](https://github.com/nodejs/node/blob/main/README.md#verifying-binaries), which now specifies using https://github.com/nodejs/release-keys/raw/HEAD/gpg/pubring.kbx

Disadvantages of current method:

- Individual keys need to be maintained in this repo
- Both `hkps://keys.openpgp.org` and `keyserver.ubuntu.com` key servers need to be polled
- Previous keys in `hkps://keys.openpgp.org`, where the key signer has moved to a new key, are effectively disabled if the same e-mail address is used (see [Can I verify more than one key for some email address?](https://keys.openpgp.org/about/faq#verify-multiple))

## Solution

Migrate from current Node.js image verification with locally stored individual PGP keys to instead use a keyring from https://github.com/nodejs/release-keys.

Depending on the need for reproducibility, the keyring could either be copied and stored, or the online version on https://github.com/nodejs/release-keys could be used.

## Alternatives to Consider

- No change. In that case keys still need to be manually maintained here.
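
A sketch of the keyring-based verification proposed above, as an added example that is not part of the original issue or this repo's code. The keyring URL is the one named in the issue; the function names, the pinned-digest check for the "copied and stored" variant, and the use of `sha256sum` are assumptions.

```shell
#!/bin/sh
# Added example. KEYRING_URL is from the issue; function names are hypothetical.
KEYRING_URL="https://github.com/nodejs/release-keys/raw/HEAD/gpg/pubring.kbx"

# fetch_keyring DEST: "online" variant, always takes the current keyring.
fetch_keyring() {
  curl -fsSLo "$1" "$KEYRING_URL"
}

# check_keyring_pin FILE SHA256: "copied and stored" variant. Succeeds only
# if the stored keyring still hashes to the digest recorded at review time.
check_keyring_pin() {
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# expected_sum SHASUMS_FILE NAME: print the digest listed for exactly NAME;
# non-zero exit if the file name is not listed at all.
expected_sum() {
  awk -v f="$2" '$2 == f { print $1; found = 1; exit } END { exit !found }' "$1"
}

# verify_node_tarball KEYRING SHASUMS256.txt.asc TARBALL
# KEYRING must contain a slash (e.g. ./pubring.kbx), otherwise gpgv looks
# for it in the GnuPG home directory.
verify_node_tarball() {
  work=$(mktemp -d) || return 2
  # gpgv trusts every key in the keyring and performs no keyserver lookups.
  # It does not check for expired or revoked keys, so the keyring content
  # itself is the trust decision.
  if gpgv --keyring "$1" --output "$work/SHASUMS256.txt" < "$2" &&
     want=$(expected_sum "$work/SHASUMS256.txt" "$(basename "$3")") &&
     have=$(sha256sum "$3" | cut -d' ' -f1) &&
     [ "$want" = "$have" ]; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$work"
  return "$rc"
}
```

The digest is taken only from the `SHASUMS256.txt` that `gpgv` wrote after a successful signature check, never from the unverified `.asc` input.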