one for Go binaries, so that others can build binaries themself, verify hashes are identical, and sign the file,
one for saved Docker containers, which cannot be independently verified, while it'll be nice to have a way to independently verify hash of downloaded file.
Ideally:
Probably useful: https://github.com/spencerdcarlson/sdc-tutorials/wiki/GnuPG-Signing-&-Checksums