anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0
8.58k stars 559 forks

Offer verifiable cryptographic signature for checksum.txt #663

Open mkesper opened 2 years ago

mkesper commented 2 years ago

What happened:

I checked the Releases page. No signature of the checksum file was found and no link to a way of checking its integrity.

What you expected to happen:

I expected to see some cryptographic signature to check the integrity of grype_version_checksums.txt.

Anything else we need to know?:

Please sign the checksum files via GPG and offer a reliable way to get the corresponding public key. Especially for security-relevant software it's essential to have some way of checking for integrity. The checksums alone are not enough, as an attacker could control the files offered as well as the checksum file.

luhring commented 2 years ago

This is a great idea, and it's something we've been talking about. The latest thought is to either use GPG or Sigstore. Regarding "what we sign", ideally we sign all release assets, in addition to the container images we publish to the registry.

joshbressers commented 2 years ago

Here is how cosign does this during the release build: https://github.com/sigstore/cosign/blob/main/release/ko-sign-release-images.sh

It's very GCP-centric, but could be a starting point.