How would that solve anything? If an adversary has the ability to push an update then it is game over regardless on if it is signed or unsigned because most don’t check existing keys prior to updating.

Once an adversary has gotten so deep in to your infrastructure that they can push an update the signing keys are mostly irrelevant since chances are they have those already.

If you are asking if each individual contributor should sign/publish their signatures for each update then yes, perhaps. But then which takes precedence - The org or the contributor? Which should/would you trust more and why? And can that prior trust be worth anything if/when either the org or the contributor goes rogue, is compromised, decides to push an obnoxious update or is rubber-hosed in to compliance?

F.W.I.W. the approach I take is to let others be the Alpha/Beta testers for any update and check out the various channels for abnormal reports. For High Severity issues I take a look at the mitigations sections and adopt those in a 'wait and see' approach.

I can imagine edge cases for both which leads to my conclusion that doing so is meritless unless you are considering nation state actors pushing an update but that then leads to the edge case of which update do you trust? And why do you trust that as the ground truth of good/not good?

> SHA256 checksums do not verify the authenticity of the downloaded software

Well after googling for various SHA256 sums, and seeing many results that other people have got, it is at least some peace of mind. Then you know you aren't targeted specifically. There are 'known good' hashes of things like Windows ISOs for example, so you can install a clean 'untouched' Windows that isn't trojanized or laden with malware.

I am aware that simply seeing 100s of the same sum on various sites doesn't mean the executable is 'clean', it just means you weren't MITM'd specifically and targeted with malware that is baked into the executable/ISO/installer/whatever.

I've seen those same Windows ISO sites push false 'known good' hashes and to make matters worse Microsoft makes it almost impossible to find an easy to check source on hashes unless you are downloading the U.S. version nor do they avoid so many sub-domains that you aren't really sure if it is or isn't an MS site/redirect. Foot, meet Gun.

All those links are HTTPS so you are getting a signed download. Or are you alleging that someone is MITMing your connection to the originating server?

Interesting question.

Some things to consider:

Linux and Rust and Rust use GnuPG to sign their releases. IMHO, Minisign would be better, but okey.

Both projects are very large. I wonder how they handle key distribution for the key pair that signs the release. Is the private key online or offline? How do they prevent the private key from leaking?