OpenSSF Best Practices: Provide signatures for Zowe.org downloads

[adam-wolfe]

Is your feature or enhancement request related to a problem or limitation? Please describe

The OpenSSF Best Practices Silver Badge requires that we publish cryptographic signatures for releases intended for widespread use along with instructions for verifying the signatures. Some of this infrastructure already exists in the Zowe jfrog repository, however signatures and signature instructions are only visible for the Zowe PAX file download.

Describe your enhancement idea

Zowe.org, managed by the Onboarding Squad, should be changed to show signature downloads and verification instructions for Zowe CLI similar to what is shown for the PAX file download. The CLI Squad should ensure that this change is implemented with reasonable urgency.

[github-actions]

Thank you for raising this enhancement request.
The community has 90 days to vote on it.
If the enhancement receives at least 5 upvotes, it is added to our development backlog.
If it receives fewer votes, the issue is closed.

[t1m0thyj]

Some of this infrastructure already exists in the Zowe jfrog repository

Here's an example of signatures we could link to that already exist (.asc and .sha512 files): https://zowe.jfrog.io/artifactory/libs-release-local/org/zowe/2.9.0/

[zFernand0]

Is this related to the issue below?

• Provide a way to perform zowe plugin verify plugin-name or equivalent to assure the provenance of installed software #1326