Open savaresejt opened 1 month ago
Thank you for raising this enhancement request. The community has 90 days to vote on it. If the enhancement receives at least 10 upvotes, it is added to our development backlog. If it receives fewer votes, the issue is closed.
Planning to add to next quarter's commitments. @JillieBeanSim
Other Zowe projects are using Sigstore to sign their release artifacts. Discussed with @MarkAckert and more research is needed because:
a. there's no way to distribute Sigstore materials with the marketplace or embed them in the app as far as I know
b. the security scanning software the user has must be Sigstore compatible to verify the signatures, which it likely isn't
Is your feature request related to a problem? Please describe.
Our security scanning software keeps needing to have exceptions put in place for new releases. Would it be possible for IBM to sign new releases of the software so that we can trust it?
Describe the solution you'd like
IBM signs the releases so that we can install it and not have to modify exceptions when updates are made.
Describe alternatives you've considered
We can continue adding exceptions, but it's costly and disruptive.
Additional context
Some enterprise-grade software that blocks executables unless they're trusted keeps flagging this as malicious software. It would be nice if IBM signed the code so that we can trust it.