From 41f0a2baf6be9660c75a0fa0118fc591bb4ad2ef Mon Sep 17 00:00:00 2001 From: Durran Jordan Date: Thu, 27 Jun 2024 20:39:24 +0200 Subject: [PATCH] docs(NODE-6238): update release integrity section (#41) --- readme.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/readme.md b/readme.md index fc7c1e4..d18368d 100644 --- a/readme.md +++ b/readme.md @@ -65,6 +65,12 @@ npm install mongodb-legacy ### Release Integrity +Releases are created automatically and signed using the [Node team's GPG key](https://pgp.mongodb.com/node-driver.asc). This applies to the git tag as well as all release packages provided as part of a GitHub release. To verify the provided packages, download the key and import it using gpg: + +``` +gpg --import node-driver.asc +``` + The GitHub release contains a detached signature file for the NPM package (named `mongodb-legacy-X.Y.Z.tgz.sig`). @@ -80,6 +86,11 @@ To verify the integrity of the downloaded package, run the following command: gpg --verify mongodb-legacy-X.Y.Z.tgz.sig mongodb-legacy-X.Y.Z.tgz ``` +>[!Note] +No verification is done when using npm to install the package. The contents of the Github tarball and npm's tarball are identical. + +``` + ### Versioning We recommend replacing your `mongodb` dependency with this one.
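Review bot: In the first hunk (the new "Releases are created automatically and signed..." paragraph), the key is fetched over HTTPS and imported straight away, but the fingerprint of the Node team's GPG key is never stated, so a reader has nothing to compare against after `gpg --import node-driver.asc` and would accept whatever key the download yielded. Consider adding the expected fingerprint next to the import step (for example a line such as "gpg --fingerprint" followed by the published value) so the import can be checked before the key is used to verify the `.sig` files described below.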
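Review bot: The second hunk adds an unbalanced code fence: the lone "```" line after the note has no matching opening fence, so everything that follows (including "### Versioning") will render as a code block. Drop that stray fence. The admonition itself also needs the GitHub alert syntax to render: use "> [!NOTE]" (space after ">", uppercase type) and prefix the body line with "> " as well, e.g. "> No verification is done when using npm to install the package." Otherwise the sentence falls outside the blockquote and the alert is empty. Finally, "Github" in that sentence should be "GitHub" to match the rest of the readme.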