I am currently working for a contractor for the DoD. We are maintaining a project that uses CF installed as an application through WebSphere. We are currently going through a security checklist and being asked to provide evidence that the CF application has a digital signature. From what we can gather they are looking to see that the jar file installed into WebSphere is digitally signed. We have reached out to IBM, and have received a response that digital signatures are recognized by WebSphere.
Unfortunately, it seems that those that are looking for the evidence do not know much more than what the checklist requirement states. They cannot provide more details or expand on what they need. Any assistance or advice in this matter would be appreciated.