com-pas / compas-architecture

Project's architecture documentation
Creative Commons Attribution 4.0 International

Investigate: OpenSSF Best Practices Badges - Check if Docker Hub and Git cryptographically sign our releases #162

Open FredFousPro opened 2 years ago

FredFousPro commented 2 years ago

In order to fully validate the silver level of the OpenSSF Best Practices Badges for our project, and for security reasons, we have to check if Docker Hub and Git cryptographically sign our releases.

Here is the requirement to meet:

The project MUST cryptographically sign releases of the project results intended for widespread use, and there MUST be a documented process explaining to users how they can obtain the public signing keys and verify the signature(s). The private key for these signature(s) MUST NOT be on site(s) used to directly distribute the software to the public. If releases are not intended for widespread use, select "not applicable" (N/A). [signed_releases]

The project results include both source code and any generated deliverables where applicable (e.g., executables, packages, and containers). Generated deliverables MAY be signed separately from source code. These MAY be implemented as signed git tags (using cryptographic digital signatures). Projects MAY provide generated results separately from tools like git, but in those cases, the separate results MUST be separately signed.

It is SUGGESTED that in the version control system, each important version tag (a tag that is part of a major release, minor release, or fixes publicly noted vulnerabilities) be cryptographically signed and verifiable as described in signed_releases. [version_tags_signed]

Here is the questionnaire: https://bestpractices.coreinfrastructure.org/en/projects/5925?criteria_level=1

If it is a small issue, fix it directly; if it is more work, create new GitHub issues.

Sander3003 commented 1 year ago

Todo: build infrastructure, make it work

Sander3003 commented 7 months ago

@pascalwilbrink: We can generate checksums / SHAs automatically via a GH action:

https://github.com/marketplace/actions/generate-checksum
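The signed_releases criterion quoted in the opening comment and the checksum generation mentioned in the last comment fit together in one release procedure: checksums alone only detect corruption, while a detached signature over the checksum file (plus a signed git tag) is what lets a user verify origin. The following script is an added example written for this thread, not code from the CoMPAS project or from the linked GitHub action. It assumes a release directory of artifacts, a GPG key whose private half exists only as a CI secret (never on Docker Hub or the GitHub release page, as the criterion requires), a public keyring file published in the repository as the documented way to obtain the key, and, for the container image, cosign keyless signing from GitHub Actions; the function names, the `SHA256SUMS`/`SHA256SUMS.asc` file names and the `RELEASE_DIR`, `KEY_ID`, `TAG` and `IMAGE` placeholders are this example's own choices.

```shell
#!/usr/bin/env sh
# Added example for the signed_releases / version_tags_signed criteria.
# Not CoMPAS project code; all names below are assumptions of this example.
set -eu

# sha256 wrapper: GNU coreutils on Linux, shasum on macOS/BSD.
sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$@"
  else
    shasum -a 256 "$@"
  fi
}

# --- release side (CI job) -------------------------------------------------
# Write SHA256SUMS listing every artifact in the release directory.
# The checksum file itself and its signature are skipped.
make_checksums() {
  dir=$1
  ( cd "$dir" && : > SHA256SUMS && for f in *; do
      [ -f "$f" ] || continue
      case $f in SHA256SUMS|SHA256SUMS.asc) continue ;; esac
      sha256 "$f" >> SHA256SUMS
    done )
}

# Detached, ASCII-armoured signature over SHA256SUMS. The private key is
# imported into the CI runner from a secret; --batch/--yes keep gpg
# non-interactive. A passphrase, if any, would be fed with
# --pinentry-mode loopback --passphrase-fd 0, never stored in the repo.
sign_checksums() {
  dir=$1; key_id=$2
  gpg --batch --yes --local-user "$key_id" --armor --detach-sign \
      --output "$dir/SHA256SUMS.asc" "$dir/SHA256SUMS"
}

# Release tags are signed by a maintainer, not by CI (the tag signature is
# what version_tags_signed asks for).
sign_tag() {
  tag=$1; key_id=$2
  git tag -s -u "$key_id" -m "Release $tag" "$tag"
}

# --- user side (the documented verification process) -----------------------
# Every listed artifact must match; --strict rejects malformed lines.
verify_checksums() {
  dir=$1
  ( cd "$dir" && sha256 -c --strict SHA256SUMS )
}

# 1. signature over SHA256SUMS, checked against the published keyring file
#    (a path containing a slash is used as-is by gpg);
# 2. artifact hashes against the signed list;
# 3. the release tag's signature in the cloned repository.
verify_release() {
  dir=$1; tag=$2; keyring=$3
  gpg --no-default-keyring --keyring "$keyring" \
      --verify "$dir/SHA256SUMS.asc" "$dir/SHA256SUMS"
  verify_checksums "$dir"
  git verify-tag "$tag"
}

# Container image published to Docker Hub, assumed signed keyless by the
# release workflow; IMAGE should be pinned by digest (repo/name@sha256:...).
verify_image() {
  image=$1; workflow_identity_regexp=$2
  cosign verify \
      --certificate-identity-regexp "$workflow_identity_regexp" \
      --certificate-oidc-issuer https://token.actions.githubusercontent.com \
      "$image"
}
```

In CI the release job calls `make_checksums "$RELEASE_DIR"` and then `sign_checksums "$RELEASE_DIR" "$KEY_ID"`, and the maintainer runs `sign_tag "$TAG" "$KEY_ID"` before pushing the tag; the README would tell users where the keyring file lives and to run `verify_release ./download "$TAG" ./keys/release-keys.gpg` and, for the image, `verify_image "$IMAGE" 'https://github.com/com-pas/.*'`. A checksum file that is not signed (what the linked action produces on its own) does not meet the criterion, because an attacker who can replace the artifact on the distribution site can replace `SHA256SUMS` too.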