by mfer 2310 days ago
It just struck me that the Go team does not provide PGP or other cryptographic signing/verification of releases.
2 comments

They have checksum hashes but not crypto verifiable signatures.
$ curl https://dl.google.com/go/go1.13.4.src.tar.gz.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAABCAAGBQJdu22LAAoJEGSUxtaZfCFeXigQAKc6NflWvvbaZ6S7RCVuRNzA
...
Nice. Thanks for sharing. I didn't see that documented. Would be great to have it documented.
What assurances does that give you beyond the https certificate on their official website which contains the binary downloads and hashes?
Defense in depth, essentially. But yes, checking site X to see if site X gave you Y correctly is rather weak confidence.

To argue in its favor though, file-hosting and site-serving may be handled by different systems with different security characteristics, and potentially even different datacenters (e.g. a CDN). If you only have to compromise one system, it's generally easier to do so than when you have to compromise N and make them all agree with each other.

The hash and file are not hosted on the same place so it's good enough.
If a hosting server is compromised, the hash and download can be changed to something nefarious. Crypto signing/verification will catch that case. Hash checking will not.

This is a legitimate case as it's happened to other projects in the past.

The download comes from dl.google.com while the checksum is published on golang.org.

FWIW the macOS pkg you download is signed.
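A release-verification routine along the lines this thread discusses, added here as an example (it is not code from the Go project or from any commenter). It assumes sha256sum (or shasum) and gpg are on PATH, that the Go release signing key was already imported into the local keyring from a source other than the download host, and that its fingerprint is supplied by the caller; the fingerprint in the usage comment is a placeholder, not a real value.

```shell
#!/bin/sh
# Check a downloaded Go release two ways: against a published SHA-256 checksum
# and against a detached PGP signature (.asc). Added example, not Go project code.
# Assumes: sha256sum or shasum and gpg installed; the signing key already in the
# keyring, imported out-of-band; its fingerprint passed in by the caller.

# sha256_of FILE -> hex digest on stdout (coreutils or BSD fallback)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_sha256 FILE EXPECTED_HEX -> 0 iff the file hashes to EXPECTED_HEX
check_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# check_signature FILE SIGFILE FINGERPRINT -> 0 only when gpg reports a VALIDSIG
# made by the key with exactly that fingerprint (trailing space avoids prefix
# matches against a different key)
check_signature() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $3 "
}

# verify_release TARBALL EXPECTED_HEX SIGFILE FINGERPRINT
# The checksum check only proves the download matches what the site published;
# the signature check proves the tarball was signed by a key trusted ahead of
# time, which is what catches a host compromise that swapped file and hash.
verify_release() {
    check_sha256 "$1" "$2" || { echo "checksum mismatch: $1" >&2; return 1; }
    check_signature "$1" "$3" "$4" \
        || { echo "no valid signature from key $4 on $1" >&2; return 2; }
    echo "ok: $1 (checksum and signature verified)"
}

# Usage (placeholder fingerprint, replace with the one obtained out-of-band):
# verify_release go1.13.4.src.tar.gz "$(cat go1.13.4.src.tar.gz.sha256)" \
#     go1.13.4.src.tar.gz.asc 0000000000000000000000000000000000000000
```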