From 5fa003651df8d19f206d11962f708bd243c62c3c Mon Sep 17 00:00:00 2001 From: Durran Jordan Date: Thu, 27 Jun 2024 18:37:27 +0200 Subject: [PATCH 1/4] docs(NODE-6238): update release integrity section --- readme.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/readme.md b/readme.md index fc7c1e4..495e75b 100644 --- a/readme.md +++ b/readme.md @@ -65,6 +65,12 @@ npm install mongodb-legacy ### Release Integrity +Releases are created automatically and signed using the [Node team's GPG key](https://pgp.mongodb.com/node-driver.asc). This applies to the git tag as well as all release packages provided as part of a GitHub release. To verify the provided packages, download the key and import it using gpg: + +``` +gpg --import node-driver.asc +``` + The GitHub release contains a detached signature file for the NPM package (named `mongodb-legacy-X.Y.Z.tgz.sig`). @@ -78,6 +84,10 @@ Using the result of the above command, a `curl` command can return the official To verify the integrity of the downloaded package, run the following command: ```shell gpg --verify mongodb-legacy-X.Y.Z.tgz.sig mongodb-legacy-X.Y.Z.tgz + +>[!Note] +No verification is done when using npm to install the package. To ensure release integrity when using npm, download the tarball manually from the GitHub release, verify the signature, then install the package from the downloaded tarball using `npm install mongodb-legacy-X.Y.Z.tgz`. + ``` ### Versioning From b85adee1bac1ad636df5f764ed3bc79394960c1b Mon Sep 17 00:00:00 2001 From: Durran Jordan Date: Thu, 27 Jun 2024 19:08:43 +0200 Subject: [PATCH 2/4] docs: update note --- readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/readme.md b/readme.md index 495e75b..5842283 100644 --- a/readme.md +++ b/readme.md 
@@ -86,7 +86,7 @@ To verify the integrity of the downloaded package, run the following command: gpg --verify mongodb-legacy-X.Y.Z.tgz.sig mongodb-legacy-X.Y.Z.tgz >[!Note] -No verification is done when using npm to install the package. To ensure release integrity when using npm, download the tarball manually from the GitHub release, verify the signature, then install the package from the downloaded tarball using `npm install mongodb-legacy-X.Y.Z.tgz`. +No verification is done when using npm to install the package. The contents of the Github tarball and npm's tarball are identical. ``` From 1f3010e68689cae5ffa96e7e36f3cdbe2563e369 Mon Sep 17 00:00:00 2001 From: Durran Jordan Date: Thu, 27 Jun 2024 20:32:35 +0200 Subject: [PATCH 3/4] fix: formatting --- readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/readme.md b/readme.md index 5842283..09dc7a1 100644 --- a/readme.md +++ b/readme.md @@ -85,7 +85,7 @@ To verify the integrity of the downloaded package, run the following command: ```shell gpg --verify mongodb-legacy-X.Y.Z.tgz.sig mongodb-legacy-X.Y.Z.tgz ->[!Note] +[!Note] No verification is done when using npm to install the package. The contents of the Github tarball and npm's tarball are identical. ``` From 2a9a790b8af0960f7da1539e40596690d365aa00 Mon Sep 17 00:00:00 2001 From: Durran Jordan Date: Thu, 27 Jun 2024 20:35:16 +0200 Subject: [PATCH 4/4] fix: format --- readme.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/readme.md b/readme.md index 09dc7a1..d18368d 100644 --- a/readme.md +++ b/readme.md @@ -84,8 +84,9 @@ Using the result of the above command, a `curl` command can return the official To verify the integrity of the downloaded package, run the following command: ```shell gpg --verify mongodb-legacy-X.Y.Z.tgz.sig mongodb-legacy-X.Y.Z.tgz +``` -[!Note] +>[!Note] No verification is done when using npm to install the package. The contents of the Github tarball and npm's tarball are identical. ```
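Review bot: In the first hunk of PATCH 1/4 (`@@ -65,6 +65,12 @@`), the added `gpg --import node-driver.asc` block is in an untagged fence while the rest of the section uses ```` ```shell ````; tag it the same way. More importantly, the paragraph tells the reader to download and import the key but gives them nothing to check it against: a key fetched over HTTPS is only as trustworthy as the URL, so the doc should state the key's fingerprint (the project knows it; use a placeholder until it is filled in) and tell the reader to compare it with `gpg --fingerprint` before trusting the signatures that follow.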
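Review bot: In the second hunk of PATCH 1/4 (`@@ -78,6 +84,10 @@`), the `>[!Note]` block is inserted before the closing ```` ``` ```` of the `gpg --verify` fence, so the whole note renders as code rather than as a callout. The closing fence belongs directly after the `gpg --verify mongodb-legacy-X.Y.Z.tgz.sig mongodb-legacy-X.Y.Z.tgz` line, with the note placed after it.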
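Review bot: In PATCH 2/4 (`@@ -86,7 +86,7 @@`), the new sentence "The contents of the Github tarball and npm's tarball are identical." replaces the only instruction for a user who installs via npm, and on its own it reads as reassurance rather than guidance. If the tarballs really are byte-identical, say what that buys the reader: the detached `mongodb-legacy-X.Y.Z.tgz.sig` from the GitHub release can be verified against the tarball npm fetches (for example one obtained with `npm pack mongodb-legacy@X.Y.Z`), so keep a one-line verify step instead of dropping it. Also "Github" should be "GitHub" to match the rest of the file.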
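Review bot: In PATCH 4/4 (`@@ -84,8 +84,9 @@`), the added ```` ``` ```` after the `gpg --verify` line closes the shell block correctly and the `>` dropped in PATCH 3/4 is restored, but the original ```` ``` ```` following the note line is left in place (the stat shows 2 insertions, 1 deletion). That trailing fence now opens a new code block that swallows `### Versioning` and everything after it; delete it. While here, prefix the `No verification is done ...` line with `> ` as well so the callout does not rely on lazy blockquote continuation.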