zowe / zowe-explorer-vscode

Visual Studio Code Extension for Zowe, which lets users interact with z/OS Data Sets, Unix System Services, and Jobs on a remote mainframe instance. Powered by Zowe SDKs.
Eclipse Public License 2.0

Feature Request New Release Code Signing #3171

Open savaresejt opened 1 month ago

savaresejt commented 1 month ago

Is your feature request related to a problem? Please describe.

Our security scanning software keeps needing to have exceptions put in place for new releases. Would it be possible for IBM to sign new releases of the software so that we can trust it?

Describe the solution you'd like

IBM signs the releases so that we can install it and not have to modify exceptions when updates are made.

Describe alternatives you've considered

We can continue adding exceptions, but it's costly and disruptive.

Additional context

Some enterprise-grade software that blocks executables unless they're trusted keeps flagging this as malicious software. It would be nice if IBM signed the code so that we can trust it.

github-actions[bot] commented 1 month ago

Thank you for raising this enhancement request. The community has 90 days to vote on it. If the enhancement receives at least 10 upvotes, it is added to our development backlog. If it receives fewer votes, the issue is closed.

JTonda commented 1 month ago

Planning to add to next quarter's commitments. @JillieBeanSim

t1m0thyj commented 3 weeks ago

Other Zowe projects are using Sigstore to sign their release artifacts. Discussed with @MarkAckert and more research is needed because:

a. there's no way to distribute sigstore materials with the marketplace or embed them in the app as far as I know
b. the security scanning software the user has must be sigstore compatible to verify the signatures, which it likely isn't