This repository has been archived by the owner on Mar 25, 2018. It is now read-only.

Offer link to download PGP signing key on your website #176

Open
bnvk opened this issue Sep 21, 2015 · 1 comment

Comments

@bnvk

bnvk commented Sep 21, 2015

There is a SHASUMS256.txt.asc in your "Other Downloads" section and the README says to verify the GPG signing using the following key:

$ gpg --keyserver pool.sks-keyservers.net --recv-keys DD8F2338BAE7501E3DD5AC78C273792F7D83545D

However, that key belongs to "Rod Vagg [email protected]" and in no way appears to be linked to Node JS. It would be more desirable for the nodejs.org website to:

  • Offer downloading of the proper signing key served (over HTTPS) from the nodejs.org website
  • Have a key which has UIDs (email + name) associated with Node.js in it as the signing key
@rvagg
Member

rvagg commented Sep 22, 2015

Please scroll to the bottom of the README to see the list of authorized releasers of the project; you'll need to fetch all of their keys because releases can be signed by different individuals. The authority of the GitHub README is the only authority you need to verify the link between those keys and the signed SHASUMS256.txt. Offering the keys via nodejs.org, the same place as you're getting SHASUMS256.txt, seems a little redundant to me; just make sure you're using https to access nodejs.org (we haven't yet disabled the http variant) and cross-reference with the GitHub README.

The only actionable item I can see here is that we may need a link from the downloads page to the section of the README that has the information about verifying binaries.
