diff --git a/README.md b/README.md index ecde8bfcc49..7c09eb597b6 100644 --- a/README.md +++ b/README.md @@ -24,6 +24,12 @@ The official [MongoDB](https://www.mongodb.com/) driver for Node.js. ### Release Integrity +Releases are created automatically and signed using the [Node team's GPG key](https://pgp.mongodb.com/node-driver.asc). This applies to the git tag as well as all release packages provided as part of a GitHub release. To verify the provided packages, download the key and import it using gpg: + +```shell +gpg --import node-driver.asc +``` + The GitHub release contains a detached signature file for the NPM package (named `mongodb-X.Y.Z.tgz.sig`). @@ -39,6 +45,9 @@ To verify the integrity of the downloaded package, run the following command: gpg --verify mongodb-X.Y.Z.tgz.sig mongodb-X.Y.Z.tgz ``` +>[!Note] +No verification is done when using npm to install the package. The contents of the Github tarball and npm's tarball are identical. + ### Bugs / Feature Requests Think you’ve found a bug? Want to see a new feature in `node-mongodb-native`? Please open a
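Review bot: In the first hunk (@@ -24,6 +24,12 @@), the added paragraph tells readers to download the key and run `gpg --import node-driver.asc`, but gives no fingerprint to compare the imported key against, so the check is only as trustworthy as the download from pgp.mongodb.com. Suggest publishing the key's full fingerprint in this section and asking readers to inspect the file (for example with `gpg --show-keys node-driver.asc`) before importing it. The paragraph also says the signature applies to the git tag, yet only package verification is documented; a one-line pointer to `git tag -v` would cover that case.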
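Review bot: In the second hunk (@@ -39,6 +45,9 @@), the note's second sentence says the GitHub and npm tarballs are identical but gives readers no way to confirm it, and placed directly after "No verification is done when using npm" it can be read as implying that an npm install is covered by the signature. Suggest saying explicitly that users who need verification should check the `.sig` against the tarball they actually install, or should compare its checksum with the GitHub release asset. On style: the body line of the note lacks the `>` prefix and the marker is written `>[!Note]`; the conventional form is `> [!NOTE]` with each following line starting with `> `. "Github" should be "GitHub", matching the rest of the section.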