I don’t really know where to put this request so I’m putting it here.
Could the packages and source code on GitHub be signed with PGP or signify?
For example hugo_0.161.1_darwin-universal.pkg or hugo_0.161.1_linux-arm64.deb?
Moreover, I imagine that the Dockerfile might also be signed, and maybe even the packages listed on other platforms?
Aha, OK, well I'm not too familiar with how Apple does stuff.
I'm quite sure the Linux binaries aren't signed, though. Is there any particular reason you wouldn't want to do this?
I certainly want to do this. Our current release tooling doesn't support it (it's self-built, so we could certainly fix that), but even if that were in place, it's still a fair amount of work to set this up across all builds and archives.
I would also like to see your packages signed with PGP, even if it's just a clear-signed message of the expected checksum hashes in the release notes; that would be fine.
Currently, all a malicious adversary would have to do is compromise your GitHub account and post a malicious release. If the checksums were PGP-signed, they would also need to hack your machine, which is a much steeper feat.
PGP-signing the release would attest that the code is safe and not compromised, to the best of your knowledge.