We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation .
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement . We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Would it be possible to sign releases with, say, gpg so users can verify downloads before installing? Thanks
The text was updated successfully, but these errors were encountered:
Each release(GitHub release) of Hugo comes with a checksums.txt file.
Isn't that sufficient for verifying binaries?
Sorry, something went wrong.
No. Posting the checksums right next to the release file defeats the purpose. If someone were to upload a malicious file, what's stopping them from releasing a matching checksum file. Signing the file would require someone to have access to the signers private key + password to signing key. Only way using checksums could be reliable is if the checksum was distributed across multiple platforms, presumably each being secure, and cross checking all of them to see if they match. This is incredibly impractical, as it would have to be done with each release. Checksums confirm that the files match, not authorship.
Currently, Mac releases are not signed through Apple, so you would blindly be trusting the file. Signing it would at least allow Mac users (and other OS) the ability to verify and have confidence in bypassing Gatekeeper. Signing through Apple would be preferable for Mac users but it's not as practical as using something like GPG. Another option, and probably a better one would be to use OpenSSH and it is available, on all platforms (comes preinstalled with Mac/Windows) and in Linux/BSD repos. It's more secure then GPG AFAIK.
No branches or pull requests