kubernetes-sigs / kueue

Kubernetes-native Job Queueing
https://kueue.sigs.k8s.io
Apache License 2.0

Release artifacts are not signed #1477

Open psschwei opened 6 months ago

psschwei commented 6 months ago

#SecuritySlam

What would you like to be added:

The project cryptographically signs release artifacts.

Why is this needed:

Signing artifacts would boost the security of the project. And since the CLOMonitor security score flags the project for not signing its artifacts, signing them would also make the score better.

Completion requirements:

These are the details from CLOMonitor around this task:

Signed-Releases OpenSSF Scorecard check

Score: 0 (check passes with score >= 1)

Reason: 0 out of 5 artifacts are signed or have provenance

Details:

Warn: release artifact v0.5.1 does not have provenance: https://api.github.com/repos/kubernetes-sigs/kueue/releases/131789880
Warn: release artifact v0.5.1 not signed: https://api.github.com/repos/kubernetes-sigs/kueue/releases/131789880
Warn: release artifact v0.5.0 does not have provenance: https://api.github.com/repos/kubernetes-sigs/kueue/releases/126674662
Warn: release artifact v0.5.0 not signed: https://api.github.com/repos/kubernetes-sigs/kueue/releases/126674662
Warn: release artifact v0.4.2 does not have provenance: https://api.github.com/repos/kubernetes-sigs/kueue/releases/124678930
Warn: release artifact v0.4.2 not signed: https://api.github.com/repos/kubernetes-sigs/kueue/releases/124678930
Warn: release artifact v0.4.1 does not have provenance: https://api.github.com/repos/kubernetes-sigs/kueue/releases/117224650
Warn: release artifact v0.4.1 not signed: https://api.github.com/repos/kubernetes-sigs/kueue/releases/117224650
Warn: release artifact v0.4.0 does not have provenance: https://api.github.com/repos/kubernetes-sigs/kueue/releases/111415075
Warn: release artifact v0.4.0 not signed: https://api.github.com/repos/kubernetes-sigs/kueue/releases/111415075

Please see the [check documentation](https://github.com/ossf/scorecard/blob/e1d3abc7fd2bdfe8819ac19b5c82815ea20890e6/docs/checks.md#signed-releases) in the ossf/scorecard repository for more details

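
As an added example (not part of this issue or of the kueue project), the Go snippet below applies the Signed-Releases heuristic to a release's asset file names and emits the same "Warn:" / "Reason:" lines the CLOMonitor report shows, so a release engineer can check a draft release before publishing. The signature suffix list and the `intoto.jsonl` provenance pattern are my approximation of what the scorecard check looks for, and the asset names are constructed, not taken from real kueue releases.

```go
package main

import (
	"fmt"
	"strings"
)

// Release holds the asset file names attached to one GitHub release.
type Release struct {
	Tag    string
	Assets []string
}

// signatureSuffixes approximates the detached-signature extensions the
// Signed-Releases check recognises (assumption, not copied from scorecard).
var signatureSuffixes = []string{".asc", ".minisig", ".sig", ".sign", ".sigstore"}

// hasSignature reports whether any asset looks like a detached signature.
func hasSignature(r Release) bool {
	for _, a := range r.Assets {
		for _, s := range signatureSuffixes {
			if strings.HasSuffix(a, s) {
				return true
			}
		}
	}
	return false
}

// hasProvenance reports whether any asset is an in-toto/SLSA provenance file
// (assumed to be identified by the intoto.jsonl suffix).
func hasProvenance(r Release) bool {
	for _, a := range r.Assets {
		if strings.HasSuffix(a, "intoto.jsonl") {
			return true
		}
	}
	return false
}

// Audit returns how many releases are signed or carry provenance, plus one
// warning line per missing property, mirroring the report's "Warn:" lines.
func Audit(releases []Release) (int, []string) {
	ok, warns := 0, []string{}
	for _, r := range releases {
		signed, prov := hasSignature(r), hasProvenance(r)
		if signed || prov {
			ok++
		}
		if !prov {
			warns = append(warns, fmt.Sprintf("Warn: release artifact %s does not have provenance", r.Tag))
		}
		if !signed {
			warns = append(warns, fmt.Sprintf("Warn: release artifact %s not signed", r.Tag))
		}
	}
	return ok, warns
}

func main() {
	// Constructed sample: one unsigned release and one that ships a Sigstore
	// bundle and SLSA provenance alongside its manifest.
	releases := []Release{
		{Tag: "v0.5.1", Assets: []string{"manifests.yaml"}},
		{Tag: "vX.Y.Z-example", Assets: []string{"manifests.yaml", "manifests.yaml.sigstore", "multiple.intoto.jsonl"}},
	}
	ok, warns := Audit(releases)
	fmt.Printf("Reason: %d out of %d artifacts are signed or have provenance\n", ok, len(releases))
	for _, w := range warns {
		fmt.Println(w)
	}
}
```
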
psschwei commented 6 months ago

/sig release

ArangoGutierrez commented 6 months ago

/retitle Release artifacts are not signed

ArangoGutierrez commented 6 months ago

This is a result report of the #securitySlam cc @alculquicondor @tenzen-y

alculquicondor commented 6 months ago

Are there instructions on how to sign them?

alculquicondor commented 6 months ago

Found it https://wiki.debian.org/Creating%20signed%20GitHub%20releases

k8s-triage-robot commented 3 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

tenzen-y commented 3 months ago

/lifecycle frozen