tools: verify with gpg if md5 is not present in update-icu
Fix: #50498
The problem may be that md5 is not present in the icu, but even in such a case, I used .asc to pass the validation.
If the absence of md5 is clearly an icu issue, this PR will be closed.
Review requested:
- [ ] @nodejs/security-wg
We need to decide what to do with https://github.com/nodejs/node/blob/main/tools/icu/current_ver.dep if we can't use md5 anymore (I don't know what's the purpose of that file)
> We need to decide what to do with https://github.com/nodejs/node/blob/main/tools/icu/current_ver.dep if we can't use md5 anymore (I don't know what's the purpose of that file)
It's used to validate ICU downloads if configure is run with --with-icu-source with a URL.
https://github.com/nodejs/node/blob/a037b885610bac091b4ef4bcbf93acca039bce0d/BUILDING.md?plain=1#L778-L782
https://github.com/nodejs/node/blob/a037b885610bac091b4ef4bcbf93acca039bce0d/configure.py#L1646-L1679
> It's used to validate ICU downloads if configure is run with --with-icu-source with a URL.
If we're going to verify it based on .asc, we're going to need a dedicated process at the point you indicated.
I think it would be good to save the public key and signature information in current_ver.dep or a separate file and verify it as well as md5.
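The check proposed in the comment above, a recorded digest plus a detached `.asc` signature verified against a pinned key, as an added Python example (not code from this pull request or from Node.js's configure.py). The entry layout, the function names and the keyring file are assumptions; the signature path needs `gpgv` installed.

```python
import hashlib
import hmac
import os
import subprocess
from typing import Optional

def digest_ok(data: bytes, entry: dict) -> Optional[bool]:
    """True/False when the entry records a digest, None when it records none.
    Assumed entry layout: {"url": ..., "<algorithm>": "<hex digest>"}."""
    for algo in ("sha512", "sha256", "md5"):  # prefer the strongest digest listed
        if algo in entry:
            actual = hashlib.new(algo, data).hexdigest()
            return hmac.compare_digest(actual, entry[algo].lower())
    return None

def signature_ok(archive_path: str, sig_path: str, keyring_path: str) -> bool:
    """Verify a detached signature with gpgv against one pinned keyring.
    gpgv trusts only keys in that file; it uses no keyserver and no user keyring."""
    cmd = ["gpgv", "--keyring", os.path.abspath(keyring_path), sig_path, archive_path]
    try:
        return subprocess.run(cmd, capture_output=True).returncode == 0
    except FileNotFoundError:  # gpgv not installed: treat as unverified
        return False

def verify_download(archive_path: str, entry: dict,
                    sig_path: Optional[str] = None,
                    keyring_path: Optional[str] = None) -> bool:
    """Fail closed: a wrong digest always rejects, and a download with
    neither a recorded digest nor a verifiable signature is rejected too."""
    with open(archive_path, "rb") as f:
        data = f.read()
    digest = digest_ok(data, entry)
    if digest is False:
        return False
    if sig_path and keyring_path:
        return signature_ok(archive_path, sig_path, keyring_path)
    return digest is True
```

An md5 match only shows the archive equals what was recorded; the signature check is what ties it to the publisher's key, so the keyring should be committed alongside the recorded entry rather than fetched with the download.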
cc @srl295 in case you missed this pull request
This needs a rebase.
The rebase is done.
Absence of md5 is an ICU issue and was fixed. However, verifying with gpg is not a bad idea.