kubewarden / policy-server

Webhook server that evaluates WebAssembly policies to validate Kubernetes requests
https://kubewarden.io
Apache License 2.0

CLOmonitor: policy-server releases are not signed #360

Closed flavio closed 1 year ago

flavio commented 1 year ago

CLOmonitor complains that policy-server releases are not signed. We are signing our releases, but for some reason CLOmonitor is not detecting that.

See https://clomonitor.io/projects/cncf/kubewarden#policy-server_security

raulcabello commented 1 year ago

This check looks for the following filenames in the project's last five [release assets](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases): [*.minisig](https://github.com/jedisct1/minisign), *.asc (pgp), *.sig, *.sign, [*.intoto.jsonl](https://github.com/ossf/scorecard/blob/main/docs/slsa.dev).

It can't find the signatures because they are inside a zip file. Should we keep the releases for aarch64 and x86_64 inside zip files, and just leave the SBOM outside, like we do for kwctl? This would fix this issue, as CLOMonitor would find the .sig for the SBOM.
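The following is an added example, not code from the policy-server project or from CLOmonitor: a small offline audit of a set of release assets that reproduces the filename check described in the comment above (suffix patterns over the top-level assets of the most recent releases) and also reports signatures that are only visible inside a zip, which is exactly what such a check cannot see. The asset names (`policy-server-x86_64.zip`, `policy-server-sbom.spdx.json`, and so on) and the "any of the last five releases passes" rule are assumptions made for the example.

```python
import fnmatch
import io
import zipfile

# Suffix patterns the CLOmonitor "signed releases" check looks for, as listed in the comment above.
SIGNATURE_PATTERNS = ("*.minisig", "*.asc", "*.sig", "*.sign", "*.intoto.jsonl")

# Assumption for this example: the check passes if any of the five most recent releases
# exposes a matching asset at the top level.
RELEASES_CONSIDERED = 5


def is_signature_asset(name):
    """True if the asset filename matches one of the signature patterns."""
    return any(fnmatch.fnmatch(name, pattern) for pattern in SIGNATURE_PATTERNS)


def release_looks_signed(asset_names):
    """True if at least one top-level asset of a release is a signature file."""
    return any(is_signature_asset(name) for name in asset_names)


def recent_releases_look_signed(releases):
    """releases: list of {asset_name: bytes}, newest first. Only the last five are examined."""
    return any(release_looks_signed(assets) for assets in releases[:RELEASES_CONSIDERED])


def signatures_hidden_in_zips(assets):
    """Return (zip_name, member_name) pairs for signature files that only exist inside zip assets.

    A filename-based check never opens archives, so these signatures do not count.
    """
    hidden = []
    for name, data in assets.items():
        if not name.endswith(".zip"):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.namelist():
                if is_signature_asset(member):
                    hidden.append((name, member))
    return hidden


def _build_zip(members):
    """Build an in-memory zip from {member_name: bytes} (helper for constructed sample data)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for member, data in members.items():
            archive.writestr(member, data)
    return buffer.getvalue()


# Constructed sample releases (hypothetical asset names, not real policy-server artifacts).
# "Before": binaries and their signatures are bundled inside the zip files; only the SBOM is outside.
RELEASE_BEFORE = {
    "policy-server-x86_64.zip": _build_zip({"policy-server": b"bin", "policy-server.sig": b"sig"}),
    "policy-server-aarch64.zip": _build_zip({"policy-server": b"bin", "policy-server.sig": b"sig"}),
    "policy-server-sbom.spdx.json": b"{}",
}

# "After": the layout proposed in the thread, with the SBOM signature left outside the zip.
RELEASE_AFTER = dict(RELEASE_BEFORE)
RELEASE_AFTER["policy-server-sbom.spdx.json.sig"] = b"sig"


def audit(assets):
    """Summarise what a filename-based signed-release check would conclude for one release."""
    return {
        "passes_check": release_looks_signed(assets),
        "hidden_signatures": signatures_hidden_in_zips(assets),
    }


if __name__ == "__main__":
    for label, assets in (("before", RELEASE_BEFORE), ("after", RELEASE_AFTER)):
        print(label, audit(assets))
```

Running the block shows the "before" layout failing the check even though every binary is signed (the `.sig` files are reported as hidden inside the zips), while the "after" layout passes because one signature file sits at the top level of the release.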

flavio commented 1 year ago

Let's leave the signature files outside of the zip