Check whether the detached signature file meets the OpenSSF Scorecard check criteria or not

[FeynmanZhou]

What is not working as expected?

CNCF provides a tool Clomonitor to run OpenSSF Security Best Practice checks on CNCF projects. There is a signing related check that has not been passed in the security check items. See https://clomonitor.io/projects/cncf/notary#notation_security.

According to OpenSSF Scorecard signing check criteria, only these signature file formats *.asc (pgp), *.sig, *.sign, *.sigstore, [*.intoto.jsonl](https://slsa.dev/) could be detected by OpenSSF Scorecard check tool.

According to our current design and spec, Notation blog signing generates the signatures using .sig.jws and .sig.cose file format. We need to check whether these detached signature file meets the OpenSSF Scorecard check criteria or not.

What did you expect to happen?

OpenSSF Security Best Practice check on the signing part should be passed after the Notation release assets are signed by Notation. Notary Project signature file should meet the OpenSSF Scorecard OpenSSF Scorecard signing check criteria.

How can we reproduce it?

See https://clomonitor.io/projects/cncf/notary#notation_security.

Describe your environment

N/A

What is the version of your Notation CLI or Notation Library?

v1.1.1

[github-actions]

This issue is stale because it has been opened for 60 days with no activity. Remove stale label or comment. Otherwise, it will be closed in 30 days.

Since *.sig is an accepted file format, can we switch to *.<signature_env_format>.sig? (currently, we have *.sig.<signature_env_format>)