review: doc: add SUPPLY-CHAIN.md

[ludvigch]

This PR adds documentation of the changes in #6016 as well as a short description on how to verify the attestations created during a release. I am a bit unsure if the manual verification process is relevant or if it suffices with the simpler method of using GitHub CLI to verify an attestation?

Addressing @monperrus suggestion

[algomaster99]

Thanks! I left some suggestions.

Do you know what this hash is for on rekor?

[algomaster99]

It is unclear where do I get .pem and .sig file for spoon artifact in order to verify using openssl. Could you list the steps for that here?

[ludvigch]

I tried replicating this part of the tutorial for some spoon artifacts, but the data structure differs from their examples.. I am unsure if this is because the tutorial is outdated or because of the attest-build-provenance action's usage of signatures.

On further thought, I think that the entry in sigstore/rekor might be a signature of the actual attestation rather than the artifact, that would also explain why the hashes differ as you mention in the previous comment.

My suggestion is that I remove the manual part and only provide examples of how to verify attestations using GitHub CLI, adding how to do it with a locally dowloaded attestation from the spoon repo.

[algomaster99]

On further thought, I think that the entry in sigstore/rekor might be a signature of the actual attestation rather than the artifact

entry is just the UUID so it simply a unique random number so it cannot be a signature.

I remove the manual part and only provide examples of how to verify attestations using GitHub CLI,

I am okay with it. :)

[ludvigch]

Updated the guide! :)

[algomaster99]

Looks good to me!

[algomaster99]

@I-Al-Istannen @monperrus ready for merge from my side