feat: add sigstore signing#2523

Open
valoq wants to merge 2 commits intogokcehan:masterfrom
valoq:sigstore

Conversation

Contributor

@valoq valoq commented Apr 13, 2026

This adds the sigstore signing process to the build and release of lf.

Sigstore provides open source tools and infrastructure to sign releases without using permanent signing keys. It can easily be integrated into the release process and is supported by GitHub. The signatures are recorded in the Rekor transparency log with the release.

Adding -trimpath to the build also provides reproducible builds, so users can not only verify the binaries but also confirm that they were built using the source code from this repository.

The Go ecosystem uses a very similar system for the source code infrastructure and package managers should already be covered by it. This adds the verification of the git releases for everyone who downloads the binaries from GitHub directly.
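The two checks a downloader would actually perform after this change, keyless signature verification and a reproducibility check, as an added example; this is not code from lf or from this PR. It assumes cosign v2 is installed, that each release asset ships with a `<asset>.sigstore.json` bundle produced by `cosign sign-blob --bundle`, that the signing workflow runs in github.com/gokcehan/lf under GitHub Actions OIDC, and that the release is built with `CGO_ENABLED=0` and `-ldflags='-s -w'`; the identity regexp, bundle name and build flags are all assumptions to be matched against the real release workflow.

```shell
#!/bin/sh
# Added example, not part of lf or this PR. Verifies a keyless sigstore
# signature on a downloaded release asset and checks that a local -trimpath
# build reproduces the published binary.
set -eu

# Assumed signing identity: the workflow files of the lf repository, as
# recorded in the Fulcio certificate's SubjectAlternativeName.
REPO_IDENTITY_REGEXP='^https://github\.com/gokcehan/lf/\.github/workflows/.*'
GITHUB_OIDC_ISSUER='https://token.actions.githubusercontent.com'

# sha256 of a file, portable across coreutils and BSD/macOS userland.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Release-side counterpart, run in CI with an OIDC token and no long-lived
# key. --yes skips the interactive consent prompt of keyless signing; --bundle
# writes certificate, signature and Rekor entry into one file next to the asset.
sign_asset() {
    asset="$1"
    cosign sign-blob --yes --bundle "${asset}.sigstore.json" "$asset"
}

# Renders the cosign verify command as a single line, for inspection or
# offline testing only (no quoting of the regexp; verify_asset runs the real
# thing). Pinning identity and issuer is what makes keyless verification
# meaningful: without them any certificate Fulcio ever issued would pass.
cosign_verify_cmd() {
    asset="$1"
    printf 'cosign verify-blob --bundle %s.sigstore.json --certificate-identity-regexp %s --certificate-oidc-issuer %s %s\n' \
        "$asset" "$REPO_IDENTITY_REGEXP" "$GITHUB_OIDC_ISSUER" "$asset"
}

# Runs the verification. Needs cosign and network access for the Sigstore
# trust root; exits non-zero if the bundle, identity or issuer do not check out.
verify_asset() {
    asset="$1"
    cosign verify-blob \
        --bundle "${asset}.sigstore.json" \
        --certificate-identity-regexp "$REPO_IDENTITY_REGEXP" \
        --certificate-oidc-issuer "$GITHUB_OIDC_ISSUER" \
        "$asset"
}

# Returns 0 when two files have the same sha256.
same_digest() {
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# Rebuilds lf from a checked-out release tag and compares it with the
# downloaded binary. -trimpath only strips build-machine paths; the Go
# toolchain version, GOOS/GOARCH, CGO_ENABLED and every -ldflags value
# (including any -X version flag the release sets) must also match the
# release workflow, otherwise the digests differ for reasons unrelated to
# the source. The flags below are assumptions.
check_reproducible() {
    srcdir="$1"; goos="$2"; goarch="$3"; downloaded="$4"
    out="$(mktemp)"
    ( cd "$srcdir" && CGO_ENABLED=0 GOOS="$goos" GOARCH="$goarch" \
        go build -trimpath -ldflags='-s -w' -o "$out" . )
    same_digest "$out" "$downloaded"
}

# Typical consumer flow, e.g.:
#   verify_asset lf-linux-amd64.tar.gz
#   check_reproducible ./lf linux amd64 ./lf-linux-amd64
```

Run `verify_asset` first and only then trust the checksum comparison: the reproducibility check tells you the binary matches the source, the signature tells you the asset on GitHub is the one the repository's own workflow produced, and neither statement implies the other.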

Collaborator

@joelim-work joelim-work left a comment


Code signing is good for security, but I'm a bit hesitant to add a 3rd-party tool into the release workflow. Do you happen to know how widespread its use is, and also whether other similar applications use code signing at all on their binaries?

Comment thread on gen/build.sh (outdated)
Contributor Author

valoq commented Apr 14, 2026

Code signing is good for security, but I'm a bit hesitant to add a 3rd-party tool into the release workflow. Do you happen to know how widespread its use is, and also whether other similar applications use code signing at all on their binaries?

sigstore is an official project of the Open Source Security Foundation, which is part of the Linux Foundation. It was previously developed by Google and Red Hat.

There are quite a few ecosystems that are already using it, e.g. Kubernetes, npm and crates.io (Update: and even Homebrew uses it since 2024).
GitHub also provides part of the infrastructure that enables the integration into GitHub Actions. You can occasionally find sigstore signatures in GitHub project releases as this signing method is starting to become more widespread.
So I think we are fine with regard to that dependency for the build :)

Contributor Author

valoq commented Apr 14, 2026

The build flag is now added by #2525
