Closed flavio closed 1 year ago
This check looks for the following filenames in the project's last five [release assets](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases): [*.minisig](https://github.com/jedisct1/minisign), *.asc (pgp), *.sig, *.sign, [*.intoto.jsonl](https://github.com/ossf/scorecard/blob/main/docs/slsa.dev).
It can't find the signatures because they are inside a zip file. Should we keep the releases for aarch64 and x86_64 inside zip files, and just leave the SBOM outside? Like we do for kwctl.
This would fix this issue as CLOMonitor would find the .sig for the sbom
Let's leave the signature files outside of the zip
CLOMonitor complains that policy-server releases are not signed. We are signing our releases, but for some reason CLOMonitor is not detecting that.
See https://clomonitor.io/projects/cncf/kubewarden#policy-server_security
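The behaviour the thread turns on is that the "signed releases" check matches the listed patterns against the *names* of the top-level release assets only: a `.sig` that lives inside a zip is invisible to it. The following is an added example written for this page, not CLOMonitor's or kubewarden's own code; it re-implements the name-based check as quoted above (last five releases, the five filename patterns) and contrasts the two asset layouts discussed. All asset and tag names (`policy-server-x86_64.zip`, `v1.3.0`, ...) are constructed samples, and the in-memory zip is built only to show that a signature inside an archive is never seen by the name check.

```python
import fnmatch
import io
import zipfile

# Patterns from the check description quoted in this issue, applied to asset
# file names only (not to archive contents).
SIGNATURE_PATTERNS = ("*.minisig", "*.asc", "*.sig", "*.sign", "*.intoto.jsonl")
RELEASES_CHECKED = 5  # the check looks at the project's last five releases


def is_signature_asset(name):
    """True if a single asset file name matches one of the signature patterns."""
    base = name.rsplit("/", 1)[-1]
    return any(fnmatch.fnmatchcase(base, pat) for pat in SIGNATURE_PATTERNS)


def releases_signed(releases):
    """releases: list of (tag, [asset names]) ordered newest first.

    Returns {tag: bool} for the last RELEASES_CHECKED releases, judging a
    release as signed if at least one top-level asset name matches.
    """
    return {
        tag: any(is_signature_asset(asset) for asset in assets)
        for tag, assets in releases[:RELEASES_CHECKED]
    }


def make_zip_asset(members):
    """Build an in-memory zip (constructed sample) containing the given member
    names; the contents are irrelevant to a name-based check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in members:
            zf.writestr(member, b"placeholder")
    return buf.getvalue()


def signatures_hidden_in_zip(zip_bytes):
    """Signature files that exist only inside the archive and therefore never
    appear in the release asset list the check inspects."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if is_signature_asset(n)]


# Constructed layout A: per-arch zips that bundle the .sig next to the binary.
# The asset list the check sees contains no signature-looking name.
LAYOUT_A = [
    ("v1.3.0", ["policy-server-x86_64.zip", "policy-server-aarch64.zip",
                "policy-server-sbom.spdx"]),
]

# Constructed layout B: binaries may stay zipped, but the signature files
# (and the SBOM plus its signature) are published as top-level assets.
LAYOUT_B = [
    ("v1.3.0", ["policy-server-x86_64.zip", "policy-server-x86_64.zip.sig",
                "policy-server-aarch64.zip", "policy-server-aarch64.zip.sig",
                "policy-server-sbom.spdx", "policy-server-sbom.spdx.sig"]),
]


def demo():
    """Show why layout A is reported unsigned even though a .sig exists."""
    hidden = signatures_hidden_in_zip(
        make_zip_asset(["policy-server", "policy-server.sig"]))
    return {
        "layout_a": releases_signed(LAYOUT_A),
        "layout_b": releases_signed(LAYOUT_B),
        "sig_inside_zip_only": hidden,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note that the check is also bounded to the five most recent releases, so a project that starts publishing top-level signature files only sees the result change as those releases roll into that window.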