There is no central repository yet, but note that the module support is still experimental in Go 1.12. It will be enabled by default in Go 1.13 (scheduled for August 2019).
Check out The Go Blog: Go Modules in 2019.
For publicly-available modules, we intend to run a service we call a notary that follows the module index log, downloads new modules, and cryptographically signs statements of the form “module M at version V has file tree hash H.” The notary service will publish all these notarized hashes in a queryable, Certificate Transparency-style tamper-proof log, so that anyone can verify that the notary is behaving correctly. This log will serve as a public, global go get can use to authenticate modules when adding or updating dependencies.
We are aiming to have the go command check notarized hashes for publicly-available modules not already in go.sum starting in Go 1.13.
Finally, we mentioned earlier that the module index will make it easier to build sites like godoc.org. Part of our work in 2019 will be a major revamp of godoc.org to make it more useful for developers who need to discover available modules and then decide whether to rely on a given module or not.
This diagram shows how module source code moves through the design in this post.
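The "file tree hash H" in the quoted statement is the same kind of value a go.sum line carries. The following is an added example, not code from the post or from the Go project: it computes the `h1:` tree hash the way the go command does and checks a tree against a go.sum line. The module `example.com/hello`, its file contents, and the function names `treeHash` and `verify` are constructed for illustration, and the notary lookup for modules missing from go.sum is not modelled.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// treeHash computes the "h1:" file tree hash recorded in go.sum: SHA-256 over
// a sorted manifest of "<sha256 hex>  <module@version/path>\n" lines.
func treeHash(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	manifest := sha256.New()
	for _, name := range names {
		fmt.Fprintf(manifest, "%x  %s\n", sha256.Sum256(files[name]), name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(manifest.Sum(nil))
}

// verify checks a tree against the go.sum line for mod at ver; a missing line is an error.
func verify(goSum, mod, ver string, files map[string][]byte) (bool, error) {
	for _, line := range strings.Split(goSum, "\n") {
		f := strings.Fields(line)
		if len(f) == 3 && f[0] == mod && f[1] == ver {
			return f[2] == treeHash(files), nil
		}
	}
	return false, fmt.Errorf("%s %s: not in go.sum", mod, ver)
}

func main() {
	tree := map[string][]byte{ // constructed sample module tree
		"example.com/hello@v1.0.0/go.mod":   []byte("module example.com/hello\n"),
		"example.com/hello@v1.0.0/hello.go": []byte("package hello\n"),
	}
	goSum := "example.com/hello v1.0.0 " + treeHash(tree) + "\n"
	fmt.Println(verify(goSum, "example.com/hello", "v1.0.0", tree))
	tree["example.com/hello@v1.0.0/hello.go"] = []byte("package hello // tampered\n")
	fmt.Println(verify(goSum, "example.com/hello", "v1.0.0", tree))
}
```

The error return for a version with no go.sum line marks the case where the quoted plan has the go command consult notarized hashes instead.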