Why do some large, reputable open source projects not provide digital signatures for software downloads? I thought everyone did this now, but neither Golang or Postgres sign downloads they publish. Why not?<p>https://go.dev/dl/<p>https://www.postgresql.org/ftp/source/v15.0/<p>As counter examples, both the Linux kernel and rust sign downloads they publish:<p>https://kernel.org/<p>https://forge.rust-lang.org/infra/other-installation-methods.html#source-code<p>What is the reason that Google and Postgres have for not signing software downloads? MD5 and SHA256 checksums do not verify the authenticity of the downloaded software.
How would that solve anything? If an adversary has the ability to push an update then it is game over regardless on if it is signed or unsigned because most don’t check existing keys prior to updating.<p>Once an adversary has gotten so deep in to your infrastructure that they can push an update the signing keys are mostly irrelevant since chances are they have those already.<p>If you are asking if each individual contributor should sign/publish their signatures for each update then yes, perhaps. But then which takes precedence - The org or the contributor? Which should/would you trust more and why? And can that prior trust be worth anything if/when either the org or the contributor goes rogue, is compromised, decides to push an obnoxious update or is rubber-hosed in to compliance?<p>F.W.I.W. the approach I take is to let others be the Alpha/Beta testers for any update and check out the various channels for abnormal reports. For High Severity issues I take a look at the mitigations sections and adopt those in a 'wait and see' approach.<p>I can imagine edge cases for both which leads to my conclusion that doing so is meritless unless you are considering nation state actors pushing an update but that then leads to the edge case of which update do you trust? And why do you trust that as the ground truth of good/not good?
> SHA256 checksums do not verify the authenticity of the downloaded software<p>Well after googling for various SHA256 sums, and seeing many results that <i>other</i> people have got, it is at least some peace of mind. Then you know you aren't targeted specifically. There are 'known good' hashes of things like Windows ISOs for example, so you can install a clean 'untouched' Windows that isn't trojanized or laden with malware.<p>I am aware that simply seeing 100s of the same sum on various sites doesn't mean the executable is 'clean', it just means you weren't MITM'd specifically and targeted with malware that is baked into the executable/ISO/installer/whatever.
Interesting question.<p>Some things to consider:<p>Linux and Rust and Rust use GnuPG to sign their releases. IMHO, Minisign would be better, but okey.<p>Both projects are very large. I wonder how they handle key distribution for the key pair that signs the release. Is the private key online or offline? How do they prevent the private key from leaking?