Add SLSA provenance to your releases #17873
Comments
Contributions are welcomed
Any further consideration given to moving to goreleaser @serathius as mentioned in #13980? Adding provenance is a piece of cake with goreleaser. I'm not sure why your present
Up to date release instructions are in https://github.com/etcd-io/etcd/blob/main/Documentation/contributor-guide/release.md
GitHub announced this yesterday, so will need to compare it to the process originally linked to see if it makes it more straightforward to implement.
Hello @serathius @udf2457 👋
Hi @ArkaSaha30 I am currently focused on some high-priority $work projects, so your offer of assistance is much appreciated @ArkaSaha30 😉 Hopefully when things quiet down a little at $work I will be able to return to this!
Before jumping into coding, please start from reading the etcd release documentation to understand our current process and please propose what changes need to be made to provide SLSA provenance.
cc @idunbarh
👋 folks! I was talking with @jmhbnz at the etcd project booth at KubeCon. I'm happy to contribute signing the etcd release and container images in the build process. Since the release is done locally, it doesn't make sense to generate SLSA attestations. I'm primarily interested in contributing SBOM generation for this project, I'll create a separate issue to track that.
Thanks @idunbarh was great to chat in person. Letting you know we are also in discussions with Kubernetes sig-release folks about finally moving away from locally produced releases making further use of Kubernetes project infrastructure and well defined build processes. As part of that it would be great to enable provenance. We'll update this issue as we make progress 🙏🏻
Sounds good. I'm happy to create a PR knowing that things could change in the future. I'm also happy to support SBOM, SLSA attestations, and signing if the maintainers decide to move to new infra and if needed.
What would you like to be added?
Please add SLSA provenance to your releases.
It is easy to do on GitHub:
https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#provenance-for-goreleaser
https://goreleaser.com/blog/slsa-generation-for-your-artifacts/#slsa-github-generator
Background info:
https://docs.sigstore.dev/signing/overview/
Why is this needed?
Improving robustness against supply-chain attacks.
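To make concrete what "provenance" buys a consumer of a release, here is an added example (not etcd's code and not part of the slsa-github-generator or goreleaser projects) that builds a constructed DSSE envelope in the shape the generic SLSA generator emits, wrapping an in-toto statement with a SLSA v0.2 provenance predicate, and then runs the consumer-side checks that matter against a supply-chain substitution: the artifact's SHA-256 must appear as a provenance subject, the builder identity must be the trusted builder, and the source repository must be the expected one. The builder-id prefix, source URI, tag and entry point are assumptions chosen for illustration; the signature field is a placeholder because this example deliberately does not verify the Sigstore signature, which a real verifier such as slsa-verifier does in addition to these checks.

```python
import base64
import hashlib
import json

# Constructed sample artifact standing in for a release tarball (not a real etcd release).
SAMPLE_NAME = "etcd-v0.0.0-example-linux-amd64.tar.gz"
SAMPLE_ARTIFACT = b"constructed tarball bytes for " + SAMPLE_NAME.encode()

# What this consumer decides to trust (assumed values for the example).
TRUSTED_BUILDER_PREFIX = "https://github.com/slsa-framework/slsa-github-generator/"
EXPECTED_SOURCE = "git+https://github.com/etcd-io/etcd"
# Assumed builder id in the style the generic generator uses (tag is a placeholder).
SAMPLE_BUILDER_ID = TRUSTED_BUILDER_PREFIX + ".github/workflows/generator_generic_slsa3.yml@refs/tags/vX.Y.Z"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_sample_envelope(artifact: bytes, name: str,
                         builder_id: str = SAMPLE_BUILDER_ID,
                         source_uri: str = EXPECTED_SOURCE + "@refs/tags/v0.0.0-example") -> dict:
    """Build a DSSE envelope around a constructed in-toto/SLSA v0.2 statement.

    The signatures entry is a placeholder: this example does not sign the payload.
    """
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "predicate": {
            "builder": {"id": builder_id},
            "invocation": {
                "configSource": {
                    "uri": source_uri,
                    "digest": {"sha1": "0" * 40},  # placeholder commit, constructed
                    "entryPoint": ".github/workflows/release.yml",  # assumed workflow path
                }
            },
        },
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {
        "payloadType": "application/vnd.in-toto+json",
        "payload": payload,
        "signatures": [{"keyid": "", "sig": "PLACEHOLDER-NOT-A-REAL-SIGNATURE"}],
    }


def check_provenance(envelope: dict, artifact: bytes) -> list:
    """Return a list of findings for the given artifact; an empty list means all checks passed.

    Signature verification is intentionally out of scope here (see lead-in).
    """
    problems = []
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        problems.append("unexpected DSSE payloadType")
        return problems
    statement = json.loads(base64.b64decode(envelope["payload"]))

    if statement.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        problems.append("unexpected predicateType: %r" % statement.get("predicateType"))

    # 1. The artifact in hand must be one of the attested subjects (binds provenance to bytes).
    digest = sha256_hex(artifact)
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        problems.append("artifact digest not listed as a provenance subject")

    # 2. The builder must be the trusted hosted builder, not an arbitrary workflow.
    predicate = statement.get("predicate", {})
    builder = predicate.get("builder", {}).get("id", "")
    if not builder.startswith(TRUSTED_BUILDER_PREFIX):
        problems.append("untrusted builder id: %r" % builder)

    # 3. The build must have been driven from the expected source repository.
    source = predicate.get("invocation", {}).get("configSource", {}).get("uri", "")
    if not source.startswith(EXPECTED_SOURCE + "@"):
        problems.append("unexpected source repository: %r" % source)
    return problems


if __name__ == "__main__":
    env = make_sample_envelope(SAMPLE_ARTIFACT, SAMPLE_NAME)
    print("genuine artifact:", check_provenance(env, SAMPLE_ARTIFACT) or "OK")
    print("swapped artifact:", check_provenance(env, b"not the attested bytes"))
```

The three checks map to the three things a substituted release would have to fake at once: the bytes, the builder and the source. Because the generic generator signs the envelope through Sigstore and records it in Rekor, a real consumer runs the signature step before trusting anything decoded from the payload; the checks above are what remains once that step has passed.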