Sign Binary Releases For Verification?

[3knight]

Would it be possible to sign releases with, say, gpg so users can verify downloads before installing? Thanks

[hugo-sid]

Each release(GitHub release) of Hugo comes with a checksums.txt file.

Isn't that sufficient for verifying binaries?

[3knight]

No. Posting the checksums right next to the release file defeats the purpose. If someone were to upload a malicious file, what's stopping them from releasing a matching checksum file. Signing the file would require someone to have access to the signers private key + password to signing key. Only way using checksums could be reliable is if the checksum was distributed across multiple platforms, presumably each being secure, and cross checking all of them to see if they match. This is incredibly impractical, as it would have to be done with each release. Checksums confirm that the files match, not authorship.

Currently, Mac releases are not signed through Apple, so you would blindly be trusting the file. Signing it would at least allow Mac users (and other OS) the ability to verify and have confidence in bypassing Gatekeeper. Signing through Apple would be preferable for Mac users but it's not as practical as using something like GPG. Another option, and probably a better one would be to use OpenSSH and it is available, on all platforms (comes preinstalled with Mac/Windows) and in Linux/BSD repos. It's more secure then GPG AFAIK.