I would like to use it on macOS, but noticed there are no GPG signatures on the Hugo website, like open source software usually has. And so I’m doubtful there are the native macOS equivalent signatures? Am I wrong about that?
Seems weird to just download random binaries from websites and execute them, like the 90s/00s… ? It wouldn’t take long to add signatures to the build server.
Sure, I can build from source, but the source code is pretty big, and I don’t know if it is appropriate for a compiled language to compile without any source signatures.
The world has gone kind of crazy over HTTPS, but it doesn’t really do much.
Which isn’t the same as a binary signature (it’s missing the “who signed” part). If you’re paranoid, one could imagine a man in the middle attack somewhere that messed with both the binary and hash.
GoReleaser, what we use to release, supports signing archives … But that requires some work, which I/we haven’t found time to do … It requires proper signing key/certificate management to prevent man in the middle attacks on that side of the fence …
But since Hugo’s binary is distributed and built in so many channels (Brew, Snaps, Debian/Ubuntu and then some Windows) …
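The two points above (a checksum file proves integrity against accidental corruption but not who published the file, and a detached signature is what GoReleaser-style signing would add) can be shown with a small shell script. This is an added example, not Hugo's or GoReleaser's own release tooling: the archive name, the `checksums.txt` layout and the tampering scenario are constructed here, and `check_signature` assumes a detached `.sig` file and a `gpg` binary on the machine.

```shell
#!/bin/sh
# Added example: what a checksum file does and does not prove for a downloaded release.
# File names and contents are constructed for the demo; this is not Hugo's release layout.
set -u

# Portable SHA-256: macOS ships `shasum`, most Linux systems ship `sha256sum`.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Verify one file against a "<hash>  <name>" checksums file (the common GoReleaser format).
# Returns 0 when the recorded hash matches the file, 1 otherwise.
check_sha256() {
  file=$1; sums=$2
  expected=$(grep " $(basename "$file")\$" "$sums" 2>/dev/null | awk '{print $1}' || true)
  [ -n "$expected" ] || return 1
  [ "$(sha256_of "$file")" = "$expected" ]
}

# A detached signature is what supplies the "who signed" part. The signing public key must
# be obtained out of band (not from the same download site) for the check to mean anything.
# Returns 0 on a good signature, 2 if gpg is not installed, 1 otherwise.
check_signature() {
  sig=$1; file=$2
  command -v gpg >/dev/null 2>&1 || return 2
  gpg --verify "$sig" "$file" >/dev/null 2>&1
}

# --- Constructed scenario -------------------------------------------------------------
# Build a fake release directory containing one archive and its checksums file.
make_release() {
  dir=$(mktemp -d)
  printf 'pretend this is a real binary\n' > "$dir/tool_0.1.0_darwin.tar.gz"
  echo "$(sha256_of "$dir/tool_0.1.0_darwin.tar.gz")  tool_0.1.0_darwin.tar.gz" > "$dir/checksums.txt"
  echo "$dir"
}

# The man-in-the-middle case from the thread: whoever can alter the download can also
# regenerate checksums.txt, so the hash check still passes. Only a signature made with a
# key the attacker does not hold would expose this.
tamper_release() {
  dir=$1
  printf 'tampered binary\n' > "$dir/tool_0.1.0_darwin.tar.gz"
  echo "$(sha256_of "$dir/tool_0.1.0_darwin.tar.gz")  tool_0.1.0_darwin.tar.gz" > "$dir/checksums.txt"
}
```

Run it as `sh verify_demo.sh` after appending calls to `make_release`, `check_sha256` and `tamper_release`; the checksum check fails when only the archive is corrupted but passes again once both archive and checksums file are rewritten, which is exactly the gap a detached signature verified against an out-of-band key closes.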