
BUG: High Signed-Releases score given to project that only signed releases long time ago #3439

@diogoteles08

Description

Describe the bug
I've bumped into a case of a repository that has published some signed releases years ago, but none of its last 10 releases are signed. In this case, Scorecard is still granting an 8/10 score on Signed-Releases.

Reproduction steps
Steps to reproduce the behavior:

  1. Run the following command to run Scorecard on the project github.com/AcademySoftwareFoundation/openexr:
     scorecard --repo=http://github.com/AcademySoftwareFoundation/openexr --checks=Signed-Releases --show-details --format=json | jq .
  2. Note that the project scores 8/10 on Signed-Releases because of the signed artifacts of the releases v2.4.2, v2.5.2 and v2.5.3, but the current version of the project is v3.2.0, and there were several different releases between them.

Expected behavior
The score 8/10 is given to any project that signs its releases but doesn't emit provenance. However, this check should mostly consider the most recent releases, not only old ones.
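To make the reported behaviour and the expected behaviour concrete, here is a small Go model added alongside the issue. It is example code, not Scorecard's implementation: the `Release` type, the field names, the per-release weights (10 for provenance, 8 for a plain signature, 0 otherwise) and the window size are assumptions taken from the description above, and the intermediate release tags in the sample are placeholders rather than real openexr tags. `ScoreAnySigned` reproduces the reported outcome, where any signed release in the history yields 8/10; `ScoreRecent` scores only the newest n releases, so a project whose last 10 releases are unsigned drops to 0.

```go
package main

import "fmt"

// Release is a simplified, hypothetical view of one GitHub release as a
// signed-releases check might see it. The field names are assumptions for
// this example, not Scorecard's own types.
type Release struct {
	Tag        string
	Signed     bool // a signature asset (.sig, .asc, .minisig, ...) is attached
	Provenance bool // a SLSA provenance / attestation asset is attached
}

// releaseScore assigns the per-release weight the issue describes:
// provenance earns full marks, a plain signature 8/10, nothing 0.
func releaseScore(r Release) int {
	switch {
	case r.Provenance:
		return 10
	case r.Signed:
		return 8
	default:
		return 0
	}
}

// ScoreAnySigned models the behaviour the issue reports: the best release in
// the whole history sets the score, so three signed releases from years ago
// still produce 8/10 even when every recent release is unsigned.
func ScoreAnySigned(rels []Release) int {
	best := 0
	for _, r := range rels {
		if s := releaseScore(r); s > best {
			best = s
		}
	}
	return best
}

// ScoreRecent models the expected behaviour: only the newest n releases are
// considered (rels is assumed newest-first, the order the GitHub releases
// API returns) and their per-release scores are averaged, rounded to nearest.
// Averaging rather than taking the maximum means a single old signature
// cannot carry the score; a project must keep signing to keep the points.
func ScoreRecent(rels []Release, n int) int {
	if n > len(rels) {
		n = len(rels)
	}
	if n == 0 {
		return 0
	}
	sum := 0
	for _, r := range rels[:n] {
		sum += releaseScore(r)
	}
	return (sum + n/2) / n
}

// SampleReleases is constructed to mirror the openexr case in the report:
// the ten newest releases carry no signature, three much older ones do.
// Only v3.2.0, v2.5.3, v2.5.2 and v2.4.2 are tags named in the issue; the
// "unsigned-N" tags are placeholders, not real openexr release names.
func SampleReleases() []Release {
	rels := []Release{{Tag: "v3.2.0"}}
	for i := 9; i >= 1; i-- {
		rels = append(rels, Release{Tag: fmt.Sprintf("unsigned-%d", i)})
	}
	rels = append(rels,
		Release{Tag: "v2.5.3", Signed: true},
		Release{Tag: "v2.5.2", Signed: true},
		Release{Tag: "v2.4.2", Signed: true},
	)
	return rels
}

func main() {
	rels := SampleReleases()
	fmt.Printf("any signed release counts: %d/10\n", ScoreAnySigned(rels))
	fmt.Printf("newest 5 releases only:    %d/10\n", ScoreRecent(rels, 5))
	fmt.Printf("newest 10 releases only:   %d/10\n", ScoreRecent(rels, 10))
}
```

Running it prints 8/10 for the history-wide rule and 0/10 for either recent window, which is the gap the issue is about; widening the window to cover all 13 sample releases averages the three old signatures away to 2/10 rather than 8/10.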
