docs(NODE-6235): update release integrity section

durran · durran · commit 2a230935b16a · 2024-06-27T18:22:31.000+02:00
diff --git a/README.md b/README.md
@@ -14,6 +14,12 @@ You can learn more about it in [the specification](http://bsonspec.org).
 
 ### Release Integrity
 
+Releases are created automatically and signed using the [Node team's GPG key](https://pgp.mongodb.com/node-driver.asc). This applies to the git tag as well as all release packages provided as part of a GitHub release. To verify the provided packages, download the key and import it using gpg:
+
+```shell
+gpg --import node-driver.asc
+```
+
 The GitHub release contains a detached signature file for the NPM package (named
 `bson-X.Y.Z.tgz.sig`).
 
@@ -29,6 +35,8 @@ To verify the integrity of the downloaded package, run the following command:
 gpg --verify bson-X.Y.Z.tgz.sig bson-X.Y.Z.tgz
 ```
 
+>[!Note]
+No verification is done when using npm to install the package. To ensure release integrity when using npm, download the tarball manually from the GitHub release, verify the signature, then install the package from the downloaded tarball using `npm install bson-X.Y.Z.tgz`.
 
 ## Bugs / Feature Requests
 
