You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We provide the downloads' checksums over https. We can do better than SHA-1 in future releases, but signing the binaries adds little extra benefit over providing the hashes securely. We do at least already sign the OS X and Windows releases, but that's to make the operating systems happy
It's much easier to verify a hash than a PGP signature. Plus we already have an HTTPS certificate for golang.org. What's the additional value in also having a PGP key for the project?
We should sign the official releases.
The text was updated successfully, but these errors were encountered: