For certain artifact types in a release the PMC wishes to add Digital Signatures using approved and current services.
Currently ssl.com, but a google based one may be coming in the summer.
Please validate with Infra that the "Code Signing Service" documents are up to date.
For certain artifact types for certain channels it makes sense to make use of digital signatures other than GPG detached signatures.