x/vuln: Publish binaries & checksums #65206


Closed
mel1nn opened this issue Jan 22, 2024 · 8 comments
Assignees: zpavlinovic
Labels: FrozenDueToAge; vulncheck or vulndb (Issues for the x/vuln or x/vulndb repo); WaitingForInfo (Issue is not actionable because of missing required information, which needs to be provided.)

Comments

mel1nn commented Jan 22, 2024

Hi, is it possible to publish the binaries & checksums for each version of govulncheck?

@gopherbot gopherbot added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Jan 22, 2024
@gopherbot gopherbot modified the milestones: Unreleased, vuln/unplanned Jan 22, 2024
@zpavlinovic zpavlinovic self-assigned this Jan 22, 2024
zpavlinovic (Contributor) commented

What security properties would you get with this that go install golang.org/x/vuln/cmd/govulncheck@<version-of-choice> does not already provide?

mel1nn (Author) commented Jan 26, 2024

We would like to have the binaries and their checksums so we can use them in an environment without internet.
When we get them in our environment, we would like to check the integrity of them to be sure that they have not been corrupted.
Thanks :)

zpavlinovic (Contributor) commented

Just to make sure I understand. You would clearly get the binaries with the internet anyhow, but once you put them in your environment that has no internet connection, you'd like to check that they have not been malformed during the life span of the environment?

mel1nn (Author) commented Jan 26, 2024

Yes, that's right. Right now, we must compile govulncheck from the source code, make our own checksum of the binary, store it and check it later in our environment.

zpavlinovic (Contributor) commented

Since Go supports verifiable builds as of 1.21.0, you can in principle compare the binaries without storing the checksum on disk.

Either way, it seems that you have something working?

zpavlinovic (Contributor) commented

To further add, it seems to me that what you are doing is basically go install golang.org/x/vuln/cmd/govulncheck@<version> and then computing a hash of the binary. Given that Go supports verifiable builds, that is basically what we would end up doing. So the only benefit is that one can copy-paste the hashes instead of computing them, which is anyhow easy. Unless I am missing something, this is not worth doing for us.

I will leave the discussion open for a bit.
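The rebuild-and-compare approach discussed in the two comments above only works when the rebuild is actually reproducible, which requires the same module version, the same Go toolchain and the same build settings on both sides. As an added example (not code from the issue or from the x/vuln project), this Go program reads the build metadata the toolchain embeds in every binary and reports each deviation from a pinned expectation; the pinned version v1.0.0 and toolchain go1.21.0 are placeholders, not real release identifiers.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
)

// Expectation pins the module, version and toolchain the trusted rebuild used.
type Expectation struct{ ModulePath, Version, GoVersion string }

// CheckBuildInfo returns every mismatch between the embedded build metadata and want.
func CheckBuildInfo(bi *debug.BuildInfo, want Expectation) []string {
	var problems []string
	got := Expectation{bi.Main.Path, bi.Main.Version, bi.GoVersion}
	if got != want {
		problems = append(problems, fmt.Sprintf("built %+v, want %+v", got, want))
	}
	// "go install pkg@version" records the module's h1: checksum (comparable with
	// go.sum); a binary built from a local checkout carries "(devel)" and no sum.
	if bi.Main.Sum == "" {
		problems = append(problems, "main module has no h1: checksum (built from a local tree?)")
	}
	settings := make(map[string]string, len(bi.Settings))
	for _, s := range bi.Settings {
		settings[s.Key] = s.Value
	}
	// Build-host paths (no -trimpath) and the host C toolchain (cgo) both break
	// byte-for-byte reproducibility across machines.
	for _, req := range [][2]string{{"-trimpath", "true"}, {"CGO_ENABLED", "0"}} {
		if settings[req[0]] != req[1] {
			problems = append(problems, fmt.Sprintf("setting %s=%q, want %q", req[0], settings[req[0]], req[1]))
		}
	}
	return problems
}

func main() {
	bi, err := buildinfo.ReadFile(os.Args[1]) // usage: checkbuild <govulncheck-binary>
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Hypothetical pin: substitute the version and toolchain of your own rebuild.
	problems := CheckBuildInfo(bi, Expectation{"golang.org/x/vuln", "v1.0.0", "go1.21.0"})
	for _, p := range problems {
		fmt.Println("FAIL:", p)
	}
}
```

Run it in the offline environment against the copied binary alongside the sha256 comparison: an empty report says the metadata matches the trusted rebuild, and the hash comparison says the bytes do.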

@zpavlinovic zpavlinovic added the WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. label Feb 6, 2024
mel1nn (Author) commented Feb 7, 2024

Rather than having a checksum, is it possible to have a cryptographic signature of the binaries (for example, gosec already does that: https://github.com/securego/gosec/releases/tag/v2.18.2)?
With that, we can ensure that the code of govulncheck is the one published by Google. We prefer to trust a Google signature over a human running commands (go install ...) on his computer.

zpavlinovic (Contributor) commented

It is still not clear why you would not trust go install here; perhaps because you don't trust the go command or, say, GOMODPROXY?

Either way, we don't distribute binaries. Tools in golang repos also don't provide checksums/crypto signatures except for the go command. Given all of this and the fact that you already have a working solution, I am closing this issue.

@golang golang locked and limited conversation to collaborators Feb 7, 2025