Tracking: Upstream .asc signature documentation and stability (golang/go#38910) #4

@jcsxdev

This issue tracks the upstream discussion in golang/go#38910 regarding the existence, documentation, and long‑term stability of detached .asc signatures for official Go release artifacts.

Although .asc signature files are published alongside Go release tarballs, the Go project does not currently provide:

  • an official GPG verification workflow
  • a stable or authoritative public key reference
  • guarantees around key rotation, expiration, or continuity
  • documentation explaining how .asc signatures should be validated

As noted in the upstream issue, this leads to:

  • lack of official guidance on verifying .asc signatures
  • unclear or shifting public key sources
  • silent key rotation and expiration events
  • reliance on HTTPS alone for checksum authenticity

Because of these limitations, letsgolang does not rely on upstream .asc signatures when validating Go releases. Instead, it enforces HTTPS constraints and verifies downloaded artifacts against the official SHA‑256 checksums published on go.dev.

This issue will remain open to track upstream changes. If the Go project eventually documents and supports a stable, official signature verification process, we may revisit and update letsgolang’s verification model accordingly.
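The checksum-based model described in the issue, as an added POSIX sh example (not letsgolang's own code): it refuses any download URL that is not HTTPS on the expected host, then compares a file's SHA-256 against a published value, rejecting malformed checksums. The function names `require_https`, `sha256_of` and `verify_sha256` are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not taken from letsgolang.

# Accept only https:// URLs on the expected host (no http, no look-alike hosts).
require_https() {
    url=$1 host=$2
    case $url in
        "https://$host/"*) return 0 ;;
        *) echo "refusing non-HTTPS or off-host URL: $url" >&2; return 1 ;;
    esac
}

# Print the lowercase hex SHA-256 of a file using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        echo "no SHA-256 tool found" >&2; return 1
    fi
}

# Compare a file against an expected checksum; fail closed on any doubt.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    # A truncated or garbled checksum must never be treated as a match.
    case $expected in
        *[!0-9a-f]*|'') echo "malformed checksum" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed checksum" >&2; return 1; }
    actual=$(sha256_of "$file") || return 1
    [ "$actual" = "$expected" ] || {
        echo "checksum mismatch for $file" >&2; return 1
    }
}

# Usage (placeholders, not real values):
#   require_https "$url" go.dev && verify_sha256 "$archive" "$published_sha256"
```

As the issue notes, this check is only as trustworthy as the HTTPS channel the checksum was fetched over.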
