Post signatures and hashes for downloads on Zowe.org #1974

Open
adam-wolfe opened this issue May 9, 2023 · 3 comments
Labels
TSC Technical Steering Committee

adam-wolfe commented May 9, 2023

Note: Signatures must be provided for software releases to achieve the OpenSSF Best Practices Silver Badge.

According to the Zowe Release v2 GitHub action (see https://github.com/zowe/zowe-release/actions/runs/4814098720/jobs/8571411479 for an example), we are already generating hashes and signatures for release packages (see console output below). Can we post these on the Zowe downloads page along with some guidance on where users can find the public key and how they can verify the signatures?

4s
Run GREEN='\033[0;32m'
22:58:35 [Info] [Thread 3] Uploading artifact: .release/zowe-smpe-package-2.8.0.zip.sha512
22:58:35 [Info] [Thread 9] Uploading artifact: .release/zowe_sources-2.8.0.zip
22:58:35 [Info] [Thread 0] Uploading artifact: .release/zowe-2.8.0.pax.asc
22:58:35 [Info] [Thread 1] Uploading artifact: .release/zowe-2.8.0.pax.sha512
22:58:35 [Info] [Thread 2] Uploading artifact: .release/zowe-smpe-package-2.8.0.zip.asc
22:58:35 [Info] [Thread 8] Uploading artifact: .release/zowe-cli-plugins-2.8.0.zip.asc
22:58:35 [Info] [Thread 4] Uploading artifact: .release/zowe-containerization-2.8.0.zip.asc
22:58:35 [Info] [Thread 5] Uploading artifact: .release/zowe-containerization-2.8.0.zip.sha512
22:58:35 [Info] [Thread 6] Uploading artifact: .release/zowe-cli-package-2.8.0.zip.asc
22:58:35 [Info] [Thread 7] Uploading artifact: .release/zowe-cli-package-2.8.0.zip.sha512
22:58:36 [Info] [Thread 5] Uploading artifact: .release/zowe-cli-plugins-2.8.0.zip.sha512
22:58:36 [Info] [Thread 2] Uploading artifact: .release/zowe-python-sdk-2.8.0.zip.asc
22:58:36 [Info] [Thread 4] Uploading artifact: .release/zowe-python-sdk-2.8.0.zip.sha512
22:58:36 [Info] [Thread 6] Uploading artifact: .release/zowe-nodejs-sdk-2.8.0.zip.asc
22:58:36 [Info] [Thread 0] Uploading artifact: .release/zowe-nodejs-sdk-2.8.0.zip.sha512
22:58:36 [Info] [Thread 3] Uploading artifact: .release/zowe-nodejs-sdk-typedoc-2.8.0.zip.asc
22:58:36 [Info] [Thread 1] Uploading artifact: .release/zowe-nodejs-sdk-typedoc-2.8.0.zip.sha512
22:58:36 [Info] [Thread 7] Uploading artifact: .release/zowe-PSWI-2.8.0.pax.Z.asc
22:58:36 [Info] [Thread 8] Uploading artifact: .release/zowe-PSWI-2.8.0.pax.Z.sha512
22:58:37 [Info] [Thread 5] Uploading artifact: .release/code-signing-key-info.json

Note that in the past, Zowe.org appears to have provided signatures and hashes along with instructions on how to verify the signatures: https://www.zowe.org/post_download
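
An added example, not part of this issue or of Zowe's release tooling: a check a downloader could run over a directory of release files once the `.sha512` and `.asc` sidecars named in the log above are published next to each package. The function names and the layout of the `.sha512` file (a bare hex digest or `sha512sum`-style `digest  filename`) are assumptions, and the sample files are constructed placeholders. It covers integrity only; authenticity still requires verifying the `.asc` against the project's public key.

```python
import hashlib, hmac, re, tempfile
from pathlib import Path

SIDECARS = (".sha512", ".asc")  # sidecar suffixes seen in the release log

def expected_digest(text):
    # Assumed layout: a bare hex digest or "digest  filename" (sha512sum style).
    m = re.search(r"\b[0-9a-fA-F]{128}\b", text)
    return m.group(0).lower() if m else None

def sha512_file(path, chunk=1 << 20):
    # Hash in chunks so large packages are not read into memory at once.
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def audit_release(directory):
    # Map every non-sidecar file in the directory to a status string.
    d, report = Path(directory), {}
    for p in sorted(d.iterdir()):
        if not p.is_file() or p.suffix in SIDECARS:
            continue
        missing = [s for s in SIDECARS if not (d / (p.name + s)).is_file()]
        if missing:
            report[p.name] = "missing " + ",".join(missing)
        elif (want := expected_digest((d / (p.name + ".sha512")).read_text())) is None:
            report[p.name] = "unparseable .sha512"
        elif hmac.compare_digest(want, sha512_file(p)):
            report[p.name] = "hash ok"  # integrity only; the .asc still needs gpg
        else:
            report[p.name] = "hash mismatch"
    return report

def build_sample(directory):
    """Constructed sample data; contents are placeholders, not real Zowe packages."""
    d = Path(directory)
    for name, body, published in [
        ("zowe-2.8.0.pax", b"pax bytes", b"pax bytes"),
        ("zowe-cli-package-2.8.0.zip", b"altered bytes", b"cli bytes"),
    ]:
        (d / name).write_bytes(body)
        digest = hashlib.sha512(published).hexdigest()
        (d / (name + ".sha512")).write_text(f"{digest}  {name}\n")
        (d / (name + ".asc")).write_text("placeholder, not a real signature\n")
    (d / "zowe_sources-2.8.0.zip").write_bytes(b"src bytes")  # no sidecars

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit_release(tmp))
```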

@adam-wolfe adam-wolfe added new TSC Technical Steering Committee labels May 9, 2023
@balhar-jakub

For pax it has information here: https://www.zowe.org/post_download.html?version=2.8.0
but you are right that this seems to be the only packaging that has this information.

@balhar-jakub balhar-jakub added 23pi3 and removed new labels May 18, 2023
@balhar-jakub

I believe we need to plan this, probably for next PI as I am not sure we can fit it into this PI.

@balhar-jakub balhar-jakub added 23pi2 and removed 23pi3 labels May 18, 2023
@balhar-jakub

The associated issue within the zowe.org is here: zowe/zowe.github.io#830
