Open adam-wolfe opened 1 year ago
For pax it has information here: https://www.zowe.org/post_download.html?version=2.8.0 but you are right that this seems to be the only packaging that has this information.
I believe we need to plan this, probably for next PI as I am not sure we can fit it into this PI.
The associated issue within zowe.org is here: https://github.com/zowe/zowe.github.io/issues/830
Note: Signatures must be provided for software releases to achieve the OpenSSF Best Practices Silver Badge.
According to the Zowe Release v2 GitHub action (see https://github.com/zowe/zowe-release/actions/runs/4814098720/jobs/8571411479 for an example), we are already generating hashes and signatures for release packages (see console output below). Can we post these on the Zowe downloads page along with some guidance on where users can find the public key and how they can verify the signatures?
Note that in the past, Zowe.org appears to have provided signatures and hashes along with instructions on how to verify the signatures: https://www.zowe.org/post_download