x/website: link to signatures on Go releases and document how to validate

[jsha]

On https://golang.org/dl/, there are links to each Go release, along with SHA256 checksums. However, the security of those checksums is only ensured by HTTPS. I learned recently that there are also PGP signatures for each release. So to go along with:

https://dl.google.com/go/go1.14.2.linux-amd64.tar.gz

There is also:

https://dl.google.com/go/go1.14.2.linux-amd64.tar.gz.asc

It would be great to document that fact on https://golang.org/dl/, along with instructions on how to validate the signature.

[FiloSottile]

For the record the public key is available at https://www.google.com/linuxrepositories/

[toothrot]

/cc @dmitshur @cnoellekb @andybons

[tvierling]

The public key is not at https://www.google.com/linuxrepositories/ as noted above; the fingerprint on current signatures is

gpg: using RSA key 78BD65473CB3BD13

which is none of the keys contained at that link.

[StevenMaude]

This is perhaps off-issue. But just to confirm the current Google Linux package signing keys do correctly validate the Go releases now, in contrast with @tvierling's previous report ✔️

$ gpg --verify go1.18.3.linux-amd64.tar.gz.asc 
gpg: assuming signed data in 'go1.18.3.linux-amd64.tar.gz'
gpg: Signature made Wed 01 Jun 2022 21:16:43 BST
gpg:                using RSA key 78BD65473CB3BD13
gpg: Can't check signature: No public key

$ gpg --verify go1.18.4.linux-amd64.tar.gz.asc 
gpg: assuming signed data in 'go1.18.4.linux-amd64.tar.gz'
gpg: Signature made Tue 12 Jul 2022 19:31:37 BST
gpg:                using RSA key 4EB27DB2A3B88B8B
gpg: Can't check signature: No public key

$ gpg --import linux_signing_key.pub 
gpg: key A040830F7FAC5991: public key "Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>" imported
gpg: key 7721F63BD38B4796: 1 signature not checked due to a missing key
gpg: key 7721F63BD38B4796: public key "Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>" imported
gpg: Total number processed: 2
gpg:               imported: 2
…

$ gpg --verify go1.18.3.linux-amd64.tar.gz.asc 
gpg: assuming signed data in 'go1.18.3.linux-amd64.tar.gz'
gpg: Signature made Wed 01 Jun 2022 21:16:43 BST
gpg:                using RSA key 78BD65473CB3BD13
gpg: Good signature from "Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>" [unknown]
gpg: Note: This key has expired!
Primary key fingerprint: EB4C 1BFD 4F04 2F6D DDCC  EC91 7721 F63B D38B 4796
     Subkey fingerprint: 2F52 8D36 D67B 69ED F998  D857 78BD 6547 3CB3 BD13

$ gpg --verify go1.18.4.linux-amd64.tar.gz.asc 
gpg: assuming signed data in 'go1.18.4.linux-amd64.tar.gz'
gpg: Signature made Tue 12 Jul 2022 19:31:37 BST
gpg:                using RSA key 4EB27DB2A3B88B8B
gpg: Good signature from "Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EB4C 1BFD 4F04 2F6D DDCC  EC91 7721 F63B D38B 4796
     Subkey fingerprint: 8461 EFA0 E74A BAE0 10DE  6699 4EB2 7DB2 A3B8 8B8B

Presumably the keys changed sometime in the past few months due to a (then-forthcoming) expiry date in July 2022:

$ gpg linux_signing_key.pub 
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   dsa1024 2007-03-08 [SC]
      4CCA1EAF950CEE4AB83976DCA040830F7FAC5991
uid           Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>
sub   elg2048 2007-03-08 [E]
pub   rsa4096 2016-04-12 [SC]
      EB4C1BFD4F042F6DDDCCEC917721F63BD38B4796
uid           Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>
sub   rsa4096 2016-04-12 [S] [expired: 2019-04-12]
sub   rsa4096 2017-01-24 [S] [expired: 2020-01-24]
sub   rsa4096 2019-07-22 [S] [expired: 2022-07-21]
sub   rsa4096 2021-10-26 [S] [expires: 2024-10-25]