ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source
https://scorecard.dev
Apache License 2.0
4.37k stars 480 forks

Improve signed releases checks #3679

Open AdamKorcz opened 9 months ago

AdamKorcz commented 9 months ago

Currently, the signed releases check determines whether a project signs releases based on the file extensions found among the assets in releases. Ideally, Scorecard could verify the assets against the signatures to ensure that releases are actually signed. This eliminates the ability for an attacker to upload invalid signature files with releases and still claim a top score from Scorecard.
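An added illustration of the gap this comment describes, not code from Scorecard itself: an extension-style heuristic is satisfied by any signature-shaped file, whereas verifying the detached signature against the asset content with the publisher's key is not. The key pair, asset contents and the assumption that the verifier already holds the publisher's public key are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// ReleaseAsset models a release file plus the detached signature file
// uploaded alongside it (constructed for this example).
type ReleaseAsset struct {
	Name      string
	Content   []byte
	Signature []byte
}

// looksSigned is the extension-style heuristic: it only asks whether a
// signature file is present next to the asset.
func looksSigned(a ReleaseAsset) bool { return len(a.Signature) > 0 }

// isSigned verifies the detached signature over the asset content.
func isSigned(pub ed25519.PublicKey, a ReleaseAsset) bool {
	return len(a.Signature) == ed25519.SignatureSize &&
		ed25519.Verify(pub, a.Content, a.Signature)
}

// BuildSample returns a fresh key pair and three assets: a genuinely signed
// one, one whose ".sig" is arbitrary bytes, and one whose content changed
// after it was signed (all constructed data).
func BuildSample() (ed25519.PublicKey, []ReleaseAsset) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	good := []byte("tool_v1.0.0_linux_amd64.tar.gz bytes")
	swapped := []byte("tool_v1.0.0_darwin_arm64.tar.gz bytes")
	return pub, []ReleaseAsset{
		{"linux.tar.gz", good, ed25519.Sign(priv, good)},
		{"windows.zip", []byte("zip bytes"), bytes.Repeat([]byte{0xAA}, ed25519.SignatureSize)},
		{"darwin.tar.gz", append(swapped, '!'), ed25519.Sign(priv, swapped)},
	}
}

// CountSigned reports how many assets pass each check.
func CountSigned(pub ed25519.PublicKey, assets []ReleaseAsset) (byExtension, verified int) {
	for _, a := range assets {
		if looksSigned(a) {
			byExtension++
		}
		if isSigned(pub, a) {
			verified++
		}
	}
	return byExtension, verified
}

func main() {
	pub, assets := BuildSample()
	e, v := CountSigned(pub, assets)
	fmt.Printf("heuristic: %d/%d look signed; verification: %d/%d are signed\n", e, len(assets), v, len(assets))
}
```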

AdamKorcz commented 9 months ago

This might be a feature, since it is an improvement to a Scorecard check.

spencerschrock commented 9 months ago

This eliminates the ability for an attacker to upload invalid signature files with releases and still claim a top score from Scorecard.

Note: Scorecard often takes the threat model of "maintainers are unaware of best practices, not gaming the score".

github-actions[bot] commented 7 months ago

This issue is stale because it has been open for 60 days with no activity.