Unable to Verify Signature of Version 10.23.0

[patrickbucher]

• Version: 10.23.0:
• Platform: Linux 64-bit:

What steps will reproduce the bug?

Running the following script:

#!/usr/bin/bash

curl -O https://nodejs.org/dist/v10.23.0/SHASUMS256.txt
curl -O https://nodejs.org/dist/v10.23.0/SHASUMS256.txt.sig
gpg --verify SHASUMS256.txt.sig SHASUMS256.txt

Causes this error message:

gpg: Signature made Tue 27 Oct 2020 05:02:23 PM CET
gpg: using RSA key C43CEC45C17AB93C
gpg: Can't check signature: No public key

How often does it reproduce? Is there a required condition?

It always happens

What is the expected behavior?

The verification should work.

What do you see instead?

see error message above

Additional information

The RSA key C43CEC45C17AB93C cannot be obtained through keyserver.ubuntu.com

[aduh95]

@nodejs/releasers

[richardlau]

I uploaded my key to the sks-keyservers.net pool (as per the recommendation) months ago (#34397 (review)). I have no idea if keyserver.ubuntu.com is in that pool for it to replicate across but if it isn't then you're not going to be guaranteed to find the release keys there.

FWIW I've manually sent my key to keyserver.ubuntu.com so it should be found there now.

[patrickbucher]

@richardlau Thanks, that worked fine!