Information
Validate artifact signatures before uploading to the package registry.
Rationale:
A cryptographic signature is the tool for verifying artifact authenticity. Every artifact is expected to be signed by its creator so that consumers can verify it was not altered on its way to the client. Validating the artifact's signature before delivering it to the registry adds a further layer of protection: a signature that still verifies against the publisher's key shows that neither the artifact nor the signature was modified, so no tampering attempt succeeded. This establishes trust between the supplier and the client.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Validate every artifact against its signature before it is uploaded, and automate this check so it cannot be skipped.
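An automated upload gate of this kind, added here as an illustration (it is not the benchmark's or Tenable's code): it assumes a detached GPG signature file next to the artifact and a dedicated keyring file holding only the pinned publisher keys; the function names and the `touch`-based upload command in the comments are constructed for the example.

```shell
#!/bin/sh
# Gate an artifact upload on a successful detached-signature check.
# Constructed example: assumes ARTIFACT has a detached signature SIG
# and KEYRING contains only the publisher's trusted public keys.

# verify_artifact ARTIFACT SIG KEYRING
# Returns 0 only when gpg verifies SIG over ARTIFACT with a key in KEYRING.
# Distinct non-zero codes make CI logs show *why* the gate refused.
verify_artifact() {
  artifact=$1; sig=$2; keyring=$3
  [ -f "$artifact" ] || { echo "missing artifact: $artifact" >&2; return 2; }
  [ -f "$sig" ]      || { echo "missing signature: $sig" >&2; return 3; }
  [ -f "$keyring" ]  || { echo "missing keyring: $keyring" >&2; return 4; }
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 5; }
  # --no-default-keyring + --keyring: only the pinned publisher keys count,
  # so a signature from an unknown or attacker-controlled key fails here.
  gpg --batch --no-default-keyring --keyring "$keyring" \
      --verify "$sig" "$artifact" >/dev/null 2>&1
}

# upload_if_verified ARTIFACT SIG KEYRING UPLOAD_CMD [ARGS...]
# Runs UPLOAD_CMD ARGS... ARTIFACT SIG only after verification succeeds,
# and ships the signature alongside so downstream clients can re-check it.
upload_if_verified() {
  artifact=$1; sig=$2; keyring=$3; shift 3
  if verify_artifact "$artifact" "$sig" "$keyring"; then
    "$@" "$artifact" "$sig"
  else
    echo "refusing to upload unverified artifact: $artifact" >&2
    return 1
  fi
}

# Usage (replace the upload command with your registry's CLI):
#   upload_if_verified dist/pkg.tar.gz dist/pkg.tar.gz.asc keys/publisher.gpg \
#       my-registry-cli upload --repo releases
```

Run the script from CI with the keyring checked in or fetched from a trusted location, so a missing, corrupted, or foreign-key signature blocks the upload instead of producing a warning.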