x/website: link to signatures on Go releases and document how to validate #38910
Comments
For the record, the public key is available at https://www.google.com/linuxrepositories/
The public key is not at https://www.google.com/linuxrepositories/ as noted above; the fingerprint on current signatures is `gpg: using RSA key 78BD65473CB3BD13`, which is none of the keys contained at that link.
This is perhaps off-issue, but just to confirm: the current Google Linux package signing keys do correctly validate the Go releases now, in contrast with @tvierling's previous report ✔️
Presumably the keys changed sometime in the past few months due to a (then-forthcoming) expiry date in July 2022:
On https://golang.org/dl/, there are links to each Go release, along with SHA256 checksums. However, the security of those checksums is only ensured by HTTPS. I learned recently that there are also PGP signatures for each release. So to go along with:
https://dl.google.com/go/go1.14.2.linux-amd64.tar.gz
There is also:
https://dl.google.com/go/go1.14.2.linux-amd64.tar.gz.asc
It would be great to document that fact on https://golang.org/dl/, along with instructions on how to validate the signature.
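One way to do the validation this issue asks for, as an added example that is not from the Go project or from anyone in this thread: verify the detached `.asc` against a keyring holding only the key you chose to trust, and accept the result only if gpg's machine-readable status names that key's full fingerprint. The function names, the `./go-release.gpg` keyring path and the fingerprint placeholder are assumptions; the signing key file is whatever you obtained and checked out of band.

```shell
#!/bin/sh
# Added example (not Go project code). Assumed workflow, with the URLs from the issue:
#   curl -O https://dl.google.com/go/go1.14.2.linux-amd64.tar.gz
#   curl -O https://dl.google.com/go/go1.14.2.linux-amd64.tar.gz.asc
#   gpg --no-default-keyring --keyring ./go-release.gpg --import <signing-key-file>
#   verify_go_release go1.14.2.linux-amd64.tar.gz go1.14.2.linux-amd64.tar.gz.asc \
#       ./go-release.gpg "<EXPECTED-PRIMARY-KEY-FINGERPRINT>"

# signer_matches EXPECTED_FPR   (reads `gpg --status-fd` output on stdin)
# Passes only when the status stream has a plain GOODSIG, a VALIDSIG whose
# primary-key fingerprint equals EXPECTED_FPR, and no bad/expired/revoked
# signature status. A "Good signature" from some other key does not pass.
signer_matches() {
    # Accept the fingerprint as gpg prints it: any case, optional spaces.
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        # VALIDSIG: field 3 is the signing (sub)key, field 12 the primary key.
        $2 == "VALIDSIG" && $12 == want { pinned = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit((good && pinned && !bad) ? 0 : 1) }'
}

# verify_go_release TARBALL SIGNATURE KEYRING EXPECTED_FPR
# KEYRING must contain a slash (e.g. ./go-release.gpg) so gpg treats it as a
# path, and should hold only the release signing key.
verify_go_release() {
    tarball=$1 sig=$2 keyring=$3 expected_fpr=$4
    status=$(gpg --batch --no-default-keyring --keyring "$keyring" \
                 --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || return 1
    printf '%s\n' "$status" | signer_matches "$expected_fpr"
}
```

Pinning the full fingerprint, rather than reading the short key ID in gpg's human-readable output, makes a key rotation like the one discussed in the comments show up as a hard failure that you resolve by re-checking the published key.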