
CII Silver and Gold badges require all release artifacts be cryptographically signed.

The project MUST cryptographically sign releases of the project results intended for widespread use, and there MUST be a documented process explaining to users how they can obtain the public signing keys and verify the signature(s). The private key for these signature(s) MUST NOT be on site(s) used to directly distribute the software to the public.

In the OpenDaylight project, project artifacts are signed by a release engineer. The release process is described here:

https://docs.opendaylight.org/en/latest/release-process/project-release.html

A project produces a staging repository in Nexus. When the project is ready to release, its team contacts the ODL Helpdesk with the staging repository and the version of the software it wishes to release. Helpdesk then performs the following steps:

1. Takes the staging repo and signs all the artifacts in it, producing a second staging repo containing the signatures.

2. Releases both the artifacts and the signatures to the release repository.
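
The user-side check that the documented process has to enable, as an added example rather than code from the OpenDaylight documentation: it assumes each released artifact has a detached ASCII-armored signature next to it and that the project's published public key has already been imported into the local keyring, and EXPECTED_FINGERPRINT is a constructed placeholder, not a real project key. The point it shows is that a zero exit status from gpg is not enough; the verifying user must also pin the fingerprint reported on the VALIDSIG status line to the key the project documents.

```python
"""Verify a downloaded release artifact against its detached OpenPGP signature
and a pinned signing-key fingerprint.

Assumptions (not from the OpenDaylight docs): artifacts ship with detached
ASCII-armored signatures named <artifact>.asc, and the project's documented
public signing key is already imported into the local keyring. The fingerprint
below is a constructed placeholder, not a real project key.
"""
import subprocess

EXPECTED_FINGERPRINT = "0123456789ABCDEF0123456789ABCDEF01234567"  # placeholder
FAILING = ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY")


def check_status(status_text: str, expected_fpr: str) -> tuple:
    """Decide from gpg --status-fd output whether a signature is acceptable.

    A zero exit code only says that *some* key in the keyring made a good
    signature. The VALIDSIG line carries the fingerprint, which must match the
    key the project documents; GOODSIG alone is not enough.
    """
    seen = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in FAILING:
            return False, f"gpg reported {keyword}"
        if keyword == "VALIDSIG":
            # fields[2]: fingerprint of the signing (sub)key;
            # fields[-1]: fingerprint of the primary key (gpg 2.x). Pin on either.
            seen += [fields[2].upper(), fields[-1].upper()]
    if not seen:
        return False, "no VALIDSIG line: signature was not validated"
    if expected_fpr.replace(" ", "").upper() in seen:
        return True, "valid signature from the pinned key"
    return False, f"valid signature, but from unexpected key {seen[0]}"


def verify_artifact(artifact: str, sig: str, expected_fpr: str = EXPECTED_FINGERPRINT):
    """Run gpg on the artifact/signature pair and apply the pinned-key check."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig, artifact],
        capture_output=True, text=True, check=False,
    )
    return check_status(proc.stdout, expected_fpr)
```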
