Why do some large, reputable open source projects not provide digital signatures for software downloads? I thought everyone did this now, but neither Golang or Postgres sign downloads they publish. Why not?
https://go.dev/dl/
https://www.postgresql.org/ftp/source/v15.0/
As counter examples, both the Linux kernel and rust sign downloads they publish:
https://kernel.org/
https://forge.rust-lang.org/infra/other-installation-methods.html#source-code
What is the reason that Google and Postgres have for not signing software downloads? MD5 and SHA256 checksums do not verify the authenticity of the downloaded software.