PS.2.1: Make software integrity verification information available to software acquirers.
Example 1: Post cryptographic hashes for release files on a well-secured website.
Example 2: Use an established certificate authority for code signing so that consumers’ operating systems or other tools and services can confirm the validity of signatures before use.
Example 3: Periodically review the code signing processes, including certificate renewal, rotation, revocation, and protection.
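Example 1 in practice, as an added illustration that is not part of the original page: the producer builds a SHA-256 manifest for the release files, and the acquirer checks downloaded files against it. The function names, the file names and the `sha256sum`-style text format of the manifest are assumptions made for this sketch.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large release artifacts are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(release_dir: Path) -> str:
    """Producer side: one '<hex>  <name>' line per file (sha256sum text format)."""
    files = sorted(p for p in release_dir.iterdir() if p.is_file())
    return "".join(f"{sha256_file(p)}  {p.name}\n" for p in files)


def verify_release(release_dir: Path, manifest: str) -> dict:
    """Acquirer side: map each listed name to ok / mismatch / missing / rejected."""
    results = {}
    for line in manifest.splitlines():
        expected, _, name = line.partition(" ")
        name = name.lstrip(" *")  # sha256sum marks binary mode with '*'
        # A listed name must be a bare file name so it cannot escape release_dir.
        safe = Path(name).name == name and name not in ("", "..")
        if not safe or not re.fullmatch(r"[0-9a-fA-F]{64}", expected):
            results[name] = "rejected"
        elif not (release_dir / name).is_file():
            results[name] = "missing"
        elif hmac.compare_digest(sha256_file(release_dir / name), expected.lower()):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def demo() -> dict:
    """Constructed sample: two release files, one altered after the manifest is made."""
    with tempfile.TemporaryDirectory() as tmp:
        rel = Path(tmp)
        (rel / "tool-1.0.tar.gz").write_bytes(b"constructed release payload")
        (rel / "tool-1.0.whl").write_bytes(b"constructed wheel payload")
        manifest = build_manifest(rel) + "0" * 64 + "  ../outside.txt\n"
        (rel / "tool-1.0.whl").write_bytes(b"tampered after publication")
        return verify_release(rel, manifest)
```

The check is only as trustworthy as the channel the manifest arrives over, which is why the page asks for a well-secured website; a manifest served from the same location as the files detects corruption but not a compromise of that location.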
CMMI Maturity