From c1fce1eeb1cdd9c118b5e51ba74ee90b720c80b7 Mon Sep 17 00:00:00 2001
From: Jon Moss <me@jonathanmoss.me>
Date: Wed, 30 Aug 2017 20:05:39 -0400
Subject: doc: update README with SHASUMS256.txt.sig info

It is more secure to verify SHASUMS256.txt files via SHASUMS256.txt.sig
than SHASUMS256.txt.asc.

This comment does the best job at explaining the issue:
  https://github.com/nodejs/node/issues/6821#issuecomment-220033176

Refer: https://github.com/nodejs/node/issues/6821
Refer: https://github.com/nodejs/node/issues/9071
PR-URL: https://github.com/nodejs/node/pull/15107
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: James Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
---
 README.md | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

(limited to 'README.md')

diff --git a/README.md b/README.md
index 06561cd279..0d03168c54 100644
--- a/README.md
+++ b/README.md
@@ -134,12 +134,12 @@ $ grep node-vx.y.z.tar.gz SHASUMS256.txt | sha256sum -c -
 _(Where "node-vx.y.z.tar.gz" is the name of the file you have
 downloaded)_
 
-Additionally, Current and LTS releases (not Nightlies) have GPG signed
-copies of SHASUMS256.txt files available as SHASUMS256.txt.asc. You can use
-`gpg` to verify that the file has not been tampered with.
+Additionally, Current and LTS releases (not Nightlies) have the GPG
+detached signature of SHASUMS256.txt available as SHASUMS256.txt.sig.
+You can use `gpg` to verify that SHASUMS256.txt has not been tampered with.
 
-To verify a SHASUMS256.txt.asc, you will first need to import all of
-the GPG keys of individuals authorized to create releases. They are
+To verify SHASUMS256.txt has not been altered, you will first need to import
+all of the GPG keys of individuals authorized to create releases. They are
 listed at the bottom of this README under [Release Team](#release-team).
 Use a command such as this to import the keys:
 
@@ -150,10 +150,17 @@ $ gpg --keyserver pool.sks-keyservers.net --recv-keys DD8F2338BAE7501E3DD5AC78C2
 _(See the bottom of this README for a full script to import active
 release keys)_
 
-You can then use `gpg --verify SHASUMS256.txt.asc` to verify that the
-file has been signed by an authorized member of the Node.js team.
+Next, download the SHASUMS256.txt.sig for the release:
 
-Once verified, use the SHASUMS256.txt.asc file to get the checksum for
+```console
+$ curl -O https://nodejs.org/dist/vx.y.z/SHASUMS256.txt.sig
+```
+
+After downloading the appropriate SHASUMS256.txt and SHASUMS256.txt.sig files,
+you can then use `gpg --verify SHASUMS256.txt.sig SHASUMS256.txt` to verify
+that the file has been signed by an authorized member of the Node.js team.
+
+Once verified, use the SHASUMS256.txt file to get the checksum for
 the binary verification command above.
 
 ## Building Node.js
-- 
cgit v1.2.3