release: PGP-sign source and binary releases #12749

Closed
4ad opened this issue Sep 25, 2015 · 4 comments

4ad commented Sep 25, 2015

We should sign the official releases.

@ianlancetaylor ianlancetaylor added this to the Go1.6 milestone Sep 25, 2015
@bradfitz

We provide the downloads' checksums over https. We can do better than SHA-1 in future releases, but signing the binaries adds little extra benefit over providing the hashes securely. We do at least already sign the OS X and Windows releases, but that's to make the operating systems happy.


adg commented Sep 28, 2015

It's much easier to verify a hash than a PGP signature. Plus we already have an HTTPS certificate for golang.org. What's the additional value in also having a PGP key for the project?


adg commented Sep 28, 2015

Issue #12057 is about switching to SHA256.


rsc commented Nov 5, 2015

Switching to SHA256 seems much better, and less work. Closing as dup of #12057.

@rsc rsc closed this as completed Nov 5, 2015
@golang golang locked and limited conversation to collaborators Nov 4, 2016
@rsc rsc unassigned adg Jun 23, 2022