open-telemetry / sig-security

Apache License 2.0

Guidance on signing artifacts in language SDKs #48

Open martinkuba opened 1 week ago

martinkuba commented 1 week ago

The Collector is already signing released images using Sigstore. I think we want to do the same for language SDK releases in general.

I would like to start implementing this in the JavaScript SDK using the npm provenance feature, which is built into the npm package manager itself and makes it easy for users to verify how a published package was built.

I am looking for guidance from the Security SIG on
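For readers unfamiliar with the npm provenance feature mentioned above, here is an added example of what a publishing workflow with provenance looks like. It is not code from this issue or from the OpenTelemetry JavaScript repository; the workflow name, tag trigger, Node version and the `NPM_TOKEN` secret name are assumptions. It assumes GitHub Actions, npm 9.5 or newer (bundled with Node 18.x and 20.x), and a `package.json` whose `repository` field points at the repository the workflow runs in, which npm checks before it accepts the attestation.

```yaml
# Added example of an npm release job that publishes with Sigstore-backed provenance.
# Not taken from the OpenTelemetry JS project; names and trigger are assumed.
name: release

on:
  push:
    tags: ['v*']

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # required: npm requests a short-lived OIDC token to obtain the Sigstore certificate
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org   # also wires NODE_AUTH_TOKEN into .npmrc
      - run: npm ci
      - run: npm test
      # --provenance generates a SLSA provenance attestation tied to this workflow run
      # and uploads it to the registry next to the package tarball.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumed secret name
```

Provenance is only produced when the publish runs inside a supported CI system with the `id-token: write` permission; a `npm publish --provenance` from a developer laptop fails rather than silently publishing without it. On the consuming side, `npm audit signatures` run in a project directory checks that the installed packages carry valid registry signatures and, where present, provenance attestations, and reports any package whose attestation does not match the tarball it was installed from.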

tylerbenson commented 1 week ago

While Maven Central doesn't support sigstore/cosign like npm does, I did attempt to implement it for the Java SDK repo: https://github.com/open-telemetry/opentelemetry-java/pull/6531

It would be nice if I could get validation for my approach from the Security SIG, or guidance on what I need to change.