docs(NODE-6234): update release integrity section (#4162)

durran · web-flow · commit cb199cee3b4d · 2024-06-28T12:55:57.000-04:00
diff --git a/README.md b/README.md
@@ -24,6 +24,12 @@ The official [MongoDB](https://www.mongodb.com/) driver for Node.js.
 
 ### Release Integrity
 
+Releases are created automatically and signed using the [Node team's GPG key](https://pgp.mongodb.com/node-driver.asc). This applies to the git tag as well as all release packages provided as part of a GitHub release. To verify the provided packages, download the key and import it using gpg:
+
+```shell
+gpg --import node-driver.asc
+```
+
 The GitHub release contains a detached signature file for the NPM package (named
 `mongodb-X.Y.Z.tgz.sig`).
 
@@ -39,6 +45,9 @@ To verify the integrity of the downloaded package, run the following command:
 gpg --verify mongodb-X.Y.Z.tgz.sig mongodb-X.Y.Z.tgz
 ```
 
+>[!Note]
+No verification is done when using npm to install the package. The contents of the Github tarball and npm's tarball are identical.
+
 ### Bugs / Feature Requests
 
 Think you’ve found a bug? Want to see a new feature in `node-mongodb-native`? Please open a
