Cryptographic signatures for macOS?

Hi,

Tried out Hugo recently and was impressed.

I would like to use it on macOS, but I noticed there are no GPG signatures on the Hugo website, like open source software usually has. And so I'm doubtful there are the native macOS equivalent signatures? Am I wrong about that?

It seems weird to just download random binaries from websites and execute them, like the 90s/00s…? It wouldn't take long to add signatures to the build server.

Sure, I can build from source, but the source code is pretty big, and I don't know if it is appropriate for a compiled language to compile without any source signatures.

The world has gone kind of crazy over HTTPS, but it doesn't really do much.

If you install using homebrew, then it checks a hash (though I don’t know when/who calculates it).

For Homebrew that is the SHA256 of GitHub’s source archive. For Hugo’s binary releases there are checksums in https://github.com/gohugoio/hugo/releases/download/v0.61.0/hugo_0.61.0_checksums.txt

Which isn’t the same as a binary signature (it’s missing the “who signed” part). If you’re paranoid, one could imagine a man in the middle attack somewhere that messed with both the binary and hash.

GoReleaser, which we use to release, supports signing archives … But that requires some work, which I/we haven't found time to do … It requires proper signing key/certificate management to prevent man in the middle attacks on that side of the fence …

But since Hugo’s binary is distributed and built in so many channels (Brew, Snaps, Debian/Ubuntu and then some Windows) …

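As an added example (not from the thread, and not Hugo's or GoReleaser's own tooling), here is the integrity check a `hugo_<version>_checksums.txt` file gives you, written as a small POSIX shell script, together with the limit the reply above points out: the same check passes unchanged when both the archive and the checksums file are replaced consistently, which is the gap a signature over the checksums file would close. The archive contents and file names are constructed in a temp dir; nothing is downloaded.

```shell
#!/bin/sh
# Added example (not from the thread): verify a downloaded release archive
# against a GoReleaser-style checksums file, one "<sha256>  <filename>" line
# per asset, and show what that check does and does not prove.
# Every file below is constructed in a temp dir; nothing is downloaded.

# Portable SHA-256 of a file: macOS ships shasum, Linux ships sha256sum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_checksum <checksums.txt> <file>
# Returns 0 when the file's SHA-256 matches its entry, 1 on a mismatch
# or when the checksums file has no entry for that file name.
verify_checksum() {
  expected=$(awk -v f="$(basename "$2")" '$2 == f {print $1}' "$1")
  [ -n "$expected" ] || return 1
  [ "$(sha256_of "$2")" = "$expected" ]
}

# Constructed release: one archive plus its checksums file (version as in the thread).
demo_dir=$(mktemp -d)
archive="$demo_dir/hugo_0.61.0_macOS-64bit.tar.gz"
sums="$demo_dir/hugo_0.61.0_checksums.txt"
printf 'pretend hugo binary\n' > "$archive"
printf '%s  %s\n' "$(sha256_of "$archive")" "$(basename "$archive")" > "$sums"

# 1. Untouched download: the check passes (integrity against corruption).
verify_checksum "$sums" "$archive" && echo "clean archive: OK"

# 2. Archive altered on the way, checksums file not: the check fails.
printf 'extra bytes\n' >> "$archive"
verify_checksum "$sums" "$archive" || echo "altered archive: MISMATCH"

# 3. Both files replaced consistently: the check passes again, because a hash
#    served from the same place as the binary says nothing about who published
#    it. That missing "who signed" part is what a signature over the checksums
#    file (for example a detached GPG signature) would supply.
printf '%s  %s\n' "$(sha256_of "$archive")" "$(basename "$archive")" > "$sums"
verify_checksum "$sums" "$archive" && echo "consistent rewrite: passes unnoticed"
```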