+ included in the signature container, if the signature format allows that.
+ The VNF or PNF provider creates a zip file consisting of the CSAR file with
+ .csar extension, signature and certificate files. The signature and
+ certificate files must be siblings of the CSAR file with extensions .cms
+ and .cert respectively.
+
+
+.. req::
+ :id: R-130206
+ :target: VNF or PNF CSAR PACKAGE
+ :keyword: MUST
+ :introduced: dublin
+
+ If the VNF or PNF CSAR Package utilizes Option 2 for package security, then
+ the complete CSAR file **MUST** contain a Digest (a.k.a. hash) for each of
+ the components of the VNF or PNF package. The table of hashes is included
+ in the package manifest file, which is signed with the VNF or PNF provider
+ private key. In addition, the VNF or PNF provider MUST include a signing
+ certificate that includes the VNF or PNF provider public key, following a
+ TOSCA pre-defined naming convention and located either at the root of the
+ archive or in a predefined location specified by the TOSCA.meta file with
+ the corresponding entry named "ETSI-Entry-Certificate".
+