Unsure how to satisfy signed release criteria #4738
Description
My project is currently getting a 6/10 for signed releases, with warnings along the following lines:
Warn: release artifact release-34.1.0 does not have provenance: https://api.github.com/repos/ag-grid/ag-grid/releases/235923008
I've followed the instructions here: https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#signed-releases and none of the changes I've tried seem to satify the scorecard scanning.
I'm actually unsure what asset actually is missing a signature - I thought it would be the tar.gz and have downloaded, signed and uploaded the resulting file as respectively ag-grid-release-34.1.0.tar.gz.asc (the default download name), release-34.1.0.tar.gz.asc and even release-34.1.0.tar.gz.sig
Any assistance as to what I actually need to sign and upload would be appreciated