
Signed Releases check misses content packaged in tar/zip files #3685

@sudo-bmitch

Describe the bug
The scan for signatures requires that the metadata is packaged with a specific filename in the release artifacts. However, this check does not inspect the contents of any tar or zip files, leading to false negatives when the signatures are embedded in one of those.

Reproduction steps
Steps to reproduce the behavior:

This could happen if releases are packaged:

  • Per platform, with binaries, signatures, and other metadata in a single tar per platform.
  • One tar for all artifacts in the release.
  • Separate tar for metadata from the released binaries.

Expected behavior
Encountered tar/tgz/zip files should be optionally downloaded and extracted to list contents before marking the check as failed.
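The archive inspection proposed above, as an added example written for this page and not code from the project the issue is filed against. It walks the headers of an in-memory tar (the gzip layer and zip handling are left out for brevity), never extracts file bodies to disk, bounds the number of entries read, and reports whether any entry is named like a signature file; the `sigSuffixes` list, the `10000` entry bound and the `buildTar` sample builder are assumptions for the example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"io"
	"path"
	"strings"
)

// Suffixes treated as signature/attestation files: an assumed set for this
// example, not the check's real list.
var sigSuffixes = []string{".sig", ".asc", ".minisig", ".intoto.jsonl"}

func isSignatureName(name string) bool {
	base := strings.ToLower(path.Base(name))
	for _, s := range sigSuffixes {
		if strings.HasSuffix(base, s) {
			return true
		}
	}
	return false
}

// tarHasSignature walks the headers of an in-memory tar (skipping file bodies,
// writing nothing to disk) and reports whether any entry is named like a
// signature file. For a .tgz, wrap the reader in gzip.NewReader first.
func tarHasSignature(data []byte) (bool, error) {
	tr := tar.NewReader(bytes.NewReader(data))
	for n := 0; n < 10000; n++ { // bounded so a hostile archive cannot stall the scan
		hdr, err := tr.Next()
		if err == io.EOF {
			break
		}
		if err != nil {
			return false, err
		}
		if isSignatureName(hdr.Name) {
			return true, nil
		}
	}
	return false, nil
}

// buildTar constructs a tar in memory holding empty files with the given
// names; it stands in for a downloaded release asset (constructed sample).
func buildTar(names []string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		tw.WriteHeader(&tar.Header{Name: n, Mode: 0o644})
	}
	tw.Close()
	return buf.Bytes()
}
```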
