[RFE] Add supply chain provenance to Flatcar releases

[t-lo]

Current situation

While our supply chain security story is rather good we do not generate user-verifiable provenance (e.g. in accordance with https://slsa.dev/provenance/v0.2).

Impact

Users are unable to attest validity of origins (sources and dependencies) of our builds and releases.

Ideal future situation

Signed provenance is published in a user-digestable format with every release.

Implementation options

• Use package URLs and hashes from ebuilds and generate source package information
• record build time / scripts and ebuilds repos' git hashes / build instructions for reproducibility
• generate and store checksums of intermediate packages produced
• generate and store checksums of binary files shipped with each package (optionally, at build time)
• sign and publish provenance information with each build

[jepio]

Merged these PRs:

• [ ] https://github.com/flatcar-linux/scripts/pull/378
• [ ] https://github.com/flatcar-linux/coreos-overlay/pull/2027

Once releases happen through the container pipeline, /usr/share/SLSA will contain the required information.

[t-lo]

Released; resolving.