Open
Description
Gloo Edge Product
Enterprise
Gloo Edge Version
N/A
Is your feature request related to a problem? Please describe.
FIPS CM-5(3) requires binaries to be signed. Even without that requirement, customers want a way to easily verify the provenance of the packages we create.
Describe the solution you'd like
Ideally we modify our CI/CD pipelines to
- verify provenance of external source code if possible
- build our images with the verified code
- add attestations (e.g. built from X, resolves CVE Y)
- sign our image
- generate provenance
- sign provenance
- gather the images and the Helm package, and sign them
Describe alternatives you've considered
We should at least publish a list of our images with their sha256 values and let the customer manually verify these.
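The verification step the customer would run against such a published list, as an added example that is not part of this issue or of the Gloo Edge project code. It assumes the list is published in `sha256sum` format (`<hex digest>  <artifact name>`, one line per artifact); the artifact names and contents below are constructed in a temporary directory so the script runs offline, and the list itself is rebuilt from them before one artifact is tampered with, one is removed and one unlisted file is added.

```python
"""Verify a published sha256 digest list against locally downloaded artifacts.

Added example, not Gloo Edge project code. Assumes the vendor publishes a
sha256sum-style list: '<hex digest>  <artifact name>' per line.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict


def sha256_of_file(path: Path) -> str:
    """Stream the file through SHA-256 so large image tarballs do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_digest_list(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines into {name: digest}, rejecting malformed input."""
    entries: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<digest>  <name>'")
        digest, name = parts[0].lower(), parts[1].lstrip("*")  # '*' marks binary mode
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"line {lineno}: {parts[0]!r} is not a sha256 hex digest")
        if name in entries:
            raise ValueError(f"line {lineno}: duplicate entry for {name}")
        entries[name] = digest
    return entries


def verify_artifacts(artifact_dir: Path, digest_list: str) -> Dict[str, str]:
    """Return a verdict per artifact: 'ok', 'mismatch', 'missing' (listed but not
    downloaded) or 'unlisted' (downloaded but absent from the published list)."""
    expected = parse_digest_list(digest_list)
    results: Dict[str, str] = {}
    for name, digest in expected.items():
        path = artifact_dir / name
        if not path.is_file():
            results[name] = "missing"
        elif sha256_of_file(path) == digest:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    for path in artifact_dir.iterdir():
        if path.is_file() and path.name not in expected:
            results[path.name] = "unlisted"
    return results


def demo() -> Dict[str, str]:
    """Constructed scenario: publish digests for three artifacts, then tamper with
    one, delete one and drop in an unlisted file before verifying."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # Constructed artifact names and contents (hypothetical, not real releases).
        (d / "gloo-ee-1.0.0.tgz").write_bytes(b"constructed helm chart bytes")
        (d / "gloo-ee-envoy.tar").write_bytes(b"constructed image tarball bytes")
        (d / "gloo-ee-sbom.json").write_bytes(b"constructed sbom bytes")
        published = "\n".join(
            f"{sha256_of_file(p)}  {p.name}" for p in sorted(d.iterdir())
        )
        # What a customer might actually find on disk after a bad download or tampering.
        (d / "gloo-ee-envoy.tar").write_bytes(b"constructed image tarball bytes, modified")
        (d / "gloo-ee-sbom.json").unlink()
        (d / "extra.bin").write_bytes(b"not in the published list")
        return verify_artifacts(d, published)


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{verdict:9} {name}")
```

A plain digest list only ties the downloaded bytes to what the vendor published; it says nothing about who published the list, which is why the signing and provenance steps above are the fuller solution and this check is the fallback.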
Additional Context
Referring to FIPS CM-5(3): Signed Components https://csf.tools/reference/nist-sp-800-53/r4/cm/cm-5/cm-5-3/
Prerequisite for: #5580