Embed Archive and Manifest Signatures in DNUP #51096
Description
#51093 describes the process of validating the .NET Archives and manifests by downloading the signatures off the web. That's a great start. The next step would be to include those signatures into the bundle of the executable itself, and to automate the process of updating those signatures when a new one is released. (Perhaps a bot of sorts. Please don't create technical debt and a new manual process for us to have to continually update the signatures...)
The 'self update' mechanism of dnup should be able to update that store of signatures as well and remove the old signatures.
The advantage of having a copy of these PEM or .sig Files (which are relatively small and shouldn't inflate the size of the executable to an extreme degree) is to speed up core scenarios and offline scenarios. We may want to save the signatures for content we verify for uncommon offline scenarios in a cache. (e.g. enterprise customer uses a specific pinned sdk version and must run in an isolated network.)
We shouldn't include the signature file for every single dotnet release as that would become unwieldy and bloat the size of the executable. Probably the signatures for the currently supported releases.