launchdarkly / cpp-sdks

C++ Client/Server SDKs

docs: adding SLSA verification steps for cpp-server-sdk #356

Closed rsoberano-ld closed 7 months ago

rsoberano-ld commented 8 months ago

Drafting up documentation for how consumers may use the SLSA framework to verify SDK packages published with provenance to improve supply chain security.

rsoberano-ld commented 8 months ago

Starting off with a single SDK for now. If this looks good I'll add this to the other SDK READMEs in this monorepo. Let me know if what we've got so far looks good, namely:

rsoberano-ld commented 8 months ago

Appreciate all the feedback here @cwaldren-ld! Definitely valuable having the developer's perspective here, will make revisions and resubmit for review.

rsoberano-ld commented 8 months ago

I'm wondering if this should be in a dedicated file - say, existing SECURITY.md or PROVENANCE.md or something.

Mainly because it leans towards being a reference, rather than a quickstart like "run tool X on file Y", and our READMEs are already pretty dense.

I think this is a really fair point; we wouldn't want to detract from the main usage of the README with this large section (unless we're able to condense it down significantly). @mmrj, any suggestions on what might be an appropriate location for these instructions?

mmrj commented 8 months ago

I'm wondering if this should be in a dedicated file - say, existing SECURITY.md or PROVENANCE.md or something. Mainly because it leans towards being a reference, rather than a quickstart like "run tool X on file Y", and our READMEs are already pretty dense.

I think this is a really fair point; we wouldn't want to detract from the main usage of the README with this large section (unless we're able to condense it down significantly). @mmrj, any suggestions on what might be an appropriate location for these instructions?

The repo has an existing SECURITY.md, so maybe there? You could re-title that file to just "Security" and put the existing content in one header, and have the "Validating SDK packages" as a second header.