The Picchu Edit Asset (https://dpel.aswf.io/aws-picchu-edit/) started adding MD5 and SHA-1 checksums of the individual downloads, so users can verify the integrity of the archives.
We should institute this universally for all assets by policy, and explore options for GitHub-hosted assets such as signed release tags or artifact attestations.