To verify a SHASUM256.txt.asc, you will first need to import all of
the GPG keys of individuals authorized to create releases. They are
-listed at the bottom of this README. Use a command such as this to
-import the keys:
+listed at the bottom of this README under [Release Team](#release-team).
+Use a command such as this to import the keys:
```
$ gpg --keyserver pool.sks-keyservers.net \
--recv-keys DD8F2338BAE7501E3DD5AC78C273792F7D83545D
```
-_(Include each of the key fingerprints at the end of this command.)_
+_(See the bottom of this README for a full script to import active
+release keys)_
You can then use `gpg --verify SHASUMS256.txt.asc` to verify that the
file has been signed by an authorized member of the Node.js team.
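Review bot: The unchanged first line of this paragraph names the file `SHASUM256.txt.asc`, while the verify command below it uses `SHASUMS256.txt.asc`; since the change already rewrites this paragraph, correct the first spelling so both match. The replacement note no longer tells the reader to pass every fingerprint, yet the example command still imports a single key, so it would help to say that this one command is not sufficient on its own. It is also worth stating that `gpg --verify` reports a good signature for any key present in the local keyring, so the reader should compare the fingerprint it prints against the Release Team list.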
information about the governance of the Node.js project, see
[GOVERNANCE.md](./GOVERNANCE.md).
-=======
### TSC (Technical Steering Committee)
* **Ben Noordhuis** <info@bnoordhuis.nl> ([@bnoordhuis](https://github.com/bnoordhuis))
* **Fedor Indutny** <fedor.indutny@gmail.com> ([@indutny](https://github.com/indutny))
* **Trevor Norris** <trev.norris@gmail.com> ([@trevnorris](https://github.com/trevnorris))
* **Chris Dickinson** <christopher.s.dickinson@gmail.com> ([@chrisdickinson](https://github.com/chrisdickinson))
- - Release GPG key: 9554F04D7259F04124DE6B476D5A82AC7E37093B
* **Rod Vagg** <rod@vagg.org> ([@rvagg](https://github.com/rvagg))
- - Release GPG key: DD8F2338BAE7501E3DD5AC78C273792F7D83545D
* **Jeremiah Senkpiel** <fishrock123@rocketmail.com> ([@fishrock123](https://github.com/fishrock123))
- - Release GPG key: FD3A5288F042B6850C66B31F09FE44734EB7990E
* **Colin Ihrig** <cjihrig@gmail.com> ([@cjihrig](https://github.com/cjihrig))
- - Release GPG key: 94AE36675C464D64BAFA68DD7434390BDBE9B9C5
* **Alexis Campailla** <orangemocha@nodejs.org> ([@orangemocha](https://github.com/orangemocha))
* **Julien Gilli** <jgilli@nodejs.org> ([@misterdjules](https://github.com/misterdjules))
* **James M Snell** <jasnell@gmail.com> ([@jasnell](https://github.com/jasnell))
Collaborators & TSC members follow the [COLLABORATOR_GUIDE.md](./COLLABORATOR_GUIDE.md) in
maintaining the Node.js project.
+
+### Release Team
+
+Releases of Node.js and io.js will be signed with one of the following GPG keys:
+
+* **Chris Dickinson** <christopher.s.dickinson@gmail.com>: `9554F04D7259F04124DE6B476D5A82AC7E37093B`
+* **Colin Ihrig** <cjihrig@gmail.com> `94AE36675C464D64BAFA68DD7434390BDBE9B9C5`
+* **Jeremiah Senkpiel** <fishrock@keybase.io> `FD3A5288F042B6850C66B31F09FE44734EB7990E`
+* **Rod Vagg** <rod@vagg.org> `DD8F2338BAE7501E3DD5AC78C273792F7D83545D`
+
+The full set of trusted release keys can be imported by running:
+
+```
+gpg --keyserver pool.sks-keyservers.net --recv-keys 9554F04D7259F04124DE6B476D5A82AC7E37093B
+gpg --keyserver pool.sks-keyservers.net --recv-keys 94AE36675C464D64BAFA68DD7434390BDBE9B9C5
+gpg --keyserver pool.sks-keyservers.net --recv-keys FD3A5288F042B6850C66B31F09FE44734EB7990E
+gpg --keyserver pool.sks-keyservers.net --recv-keys DD8F2338BAE7501E3DD5AC78C273792F7D83545D
+```
+
+See the section above on [Verifying Binaries](#verifying-binaries) for
+details on what to do with these keys to verify a downloaded file is official.
+
+Previous releases of Node.js have been signed with one of the following GPG
+keys:
+
+* Julien Gilli <jgilli@fastmail.fm> `114F43EE0176B71C7BC219DD50A3051F888C628D`
+* Timothy J Fontaine <tjfontaine@gmail.com> `7937DFD2AB06298B2293C3187D33FF9D0246406D`
+* Isaac Z. Schlueter <i@izs.me> `93C7E9E91B49E432C2F75674B0A78B0A6C481CF6`
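Review bot: In the new Release Team list, Jeremiah Senkpiel is given as `fishrock@keybase.io`, but the TSC entry kept above still reads `fishrock123@rocketmail.com`; if the difference is intentional (for example, the address on the signing key), say so, otherwise align the two. The Chris Dickinson entry has a colon after the e-mail address and the other three do not, and the previous-release signers are not bolded like the current ones, so pick one format for all entries. The four import commands could be a single `gpg --keyserver pool.sks-keyservers.net --recv-keys` call followed by all four fingerprints, which would match the form of the example under Verifying Binaries.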