From a5fb5e77c0275c08457ac1670bc0aa006acad31b Mon Sep 17 00:00:00 2001 From: Durran Jordan Date: Thu, 27 Jun 2024 18:32:58 +0200 Subject: [PATCH 1/4] docs(NODE-6233): add release integrity section --- README.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/README.md b/README.md index b7cd896..2829c3e 100644 --- a/README.md +++ b/README.md @@ -23,6 +23,34 @@ You can install `mongodb-client-encryption` with the following: npm install mongodb-client-encryption ``` +### Release Integrity + +Releases are created automatically and signed using the [Node team's GPG key](https://pgp.mongodb.com/node-driver.asc). This applies to the git tag as well as all release packages provided as part of a GitHub release. To verify the provided packages, download the key and import it using gpg: + +``` +gpg --import node-driver.asc +``` + +The GitHub release contains a detached signature file for the NPM package (named +`mongodb-client-encryption-X.Y.Z.tgz.sig`). + +The following command returns the link npm package. +```shell +npm view mongodb-client-encryption@vX.Y.Z dist.tarball +``` + +Using the result of the above command, a `curl` command can return the official npm package for the release. + +To verify the integrity of the downloaded package, run the following command: +```shell +gpg --verify mongodb-client-encryption-X.Y.Z.tgz.sig mongodb-client-encryption-X.Y.Z.tgz +``` + +>[!Note] +No verification is done when using npm to install the package. To ensure release integrity when using npm, download the tarball manually from the GitHub release, verify the signature, then install the package from the downloaded tarball using `npm install mongodb-client-encryption-X.Y.Z.tgz`. + +To verify the native `.node` packages, follow the same steps as above using `mongodb-client-encryption-X.Y.Z-platform.tgz` and the corresponding `.sig` file. + ### Development #### Setup From d98d6e73bdfd2a934906acf91efbae755b098814 Mon Sep 17 00:00:00 2001 
From: Durran Jordan Date: Thu, 27 Jun 2024 19:09:08 +0200 Subject: [PATCH 2/4] docs: update note --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2829c3e..0f70503 100644 --- a/README.md +++ b/README.md @@ -47,7 +47,7 @@ gpg --verify mongodb-client-encryption-X.Y.Z.tgz.sig mongodb-client-encryption-X ``` >[!Note] -No verification is done when using npm to install the package. To ensure release integrity when using npm, download the tarball manually from the GitHub release, verify the signature, then install the package from the downloaded tarball using `npm install mongodb-client-encryption-X.Y.Z.tgz`. +No verification is done when using npm to install the package. The contents of the Github tarball and npm's tarball are identical. To verify the native `.node` packages, follow the same steps as above using `mongodb-client-encryption-X.Y.Z-platform.tgz` and the corresponding `.sig` file. From 3339af152fe4020822f4d83c7065b58bd45611b8 Mon Sep 17 00:00:00 2001 From: Durran Jordan Date: Thu, 27 Jun 2024 20:33:04 +0200 Subject: [PATCH 3/4] fix: formatting --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0f70503..281dd15 100644 --- a/README.md +++ b/README.md @@ -46,7 +46,7 @@ To verify the integrity of the downloaded package, run the following command: gpg --verify mongodb-client-encryption-X.Y.Z.tgz.sig mongodb-client-encryption-X.Y.Z.tgz ``` ->[!Note] +[!Note] No verification is done when using npm to install the package. The contents of the Github tarball and npm's tarball are identical. To verify the native `.node` packages, follow the same steps as above using `mongodb-client-encryption-X.Y.Z-platform.tgz` and the corresponding `.sig` file. From b10478266512116876495bfcd0ba8763b78fbcd9 Mon Sep 17 00:00:00 2001 
From: Durran Jordan Date: Thu, 27 Jun 2024 20:34:48 +0200 Subject: [PATCH 4/4] Revert "fix: formatting" This reverts commit 3339af152fe4020822f4d83c7065b58bd45611b8. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 281dd15..0f70503 100644 --- a/README.md +++ b/README.md @@ -46,7 +46,7 @@ To verify the integrity of the downloaded package, run the following command: gpg --verify mongodb-client-encryption-X.Y.Z.tgz.sig mongodb-client-encryption-X.Y.Z.tgz ``` -[!Note] +>[!Note] No verification is done when using npm to install the package. The contents of the Github tarball and npm's tarball are identical. To verify the native `.node` packages, follow the same steps as above using `mongodb-client-encryption-X.Y.Z-platform.tgz` and the corresponding `.sig` file.
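Review bot: In the PATCH 1/4 hunk, the verification flow mixes two artifacts: the `npm view ... dist.tarball` / `curl` step fetches the registry tarball, but the `.sig` described just above is attached to the GitHub release and the `gpg --verify` line uses the GitHub release filename `mongodb-client-encryption-X.Y.Z.tgz`. Say explicitly which file the detached signature covers, and if the registry tarball is meant to be verified against that signature, state that it must be byte-identical to the release asset (tar/gzip metadata differences would make `gpg --verify` fail even when the package contents match). Two smaller points in the same hunk: `gpg --import node-driver.asc` makes the key usable but says nothing about whether it is the right key, so publish the key's fingerprint in this section and tell the reader to compare it (`gpg --fingerprint`) before trusting a "Good signature" line; and the sentence "The following command returns the link npm package." is missing "to the" and has no blank line before the ```shell fence, while the first fence in the section (`gpg --import`) has no language tag unlike the others.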
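Review bot: In the PATCH 2/4 hunk, replacing the actionable instruction with "The contents of the Github tarball and npm's tarball are identical." drops the one mitigation the note offered. The removed text told readers how to get a verified install via npm (download the release tarball, verify the signature, `npm install` the local `.tgz`); the new wording only asserts equivalence and leaves "No verification is done when using npm" with no remedy. Suggest keeping the install-from-verified-tarball steps and, if the identical-contents claim stays, qualifying it as identical file bytes (otherwise the `.sig` from the GitHub release cannot be used to verify a registry download). Also "Github" should be "GitHub", matching the rest of the README.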
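Review bot: In the PATCH 4/4 hunk, reverting PATCH 3/4 restores `>[!Note]`, so patches 3 and 4 cancel out and should be squashed before merge rather than left as a no-op pair in history. On the restored line itself, the GitHub alert syntax is documented as `> [!NOTE]` (space after `>`, uppercase keyword), and the continuation line "No verification is done..." is not prefixed with `>`, so it only renders inside the callout through lazy blockquote continuation; prefixing both lines with `> ` makes the intent unambiguous and survives reformatting.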