SLSA attestation updates #26382

Open
6 tasks
sgress454 opened this issue Feb 17, 2025 · 3 comments
Labels
~engineering-initiated Engineering-initiated story, such as a bug, refactor, or contributor experience improvement. #g-orchestration Orchestration product group :product Product Design department (shows up on 🦢 Drafting board) story A user story defining an entire feature

Comments

@sgress454
Contributor

sgress454 commented Feb 17, 2025

Goal

User story
As a Fleet user,
I want all Fleet binaries to have SLSA attestation
so that I know every binary I am using from Fleet has not been modified since being built.

Key result

  1. It looks like we're generating attestations on some workflows that run between releases, causing a lot of extra noise on the attestations page. Definitely the attestations in generate-desktop-targets.yml can be locked down to just happen during a release, and possibly others.

  2. The osqueryd and desktop app attestations for macOS and Windows are only happening on the archive (zip) files, not the binaries themselves. We should attest the binaries in the archives so that users can verify the binaries on their hosts.

  3. We're attesting the unsigned Windows Orbit binary, but we need to do the signed one instead, as that's what hosts end up downloading.

Context

Changes

Engineering

  • Test plan is finalized
  • Feature guide changes: TODO
  • Database schema migrations: TODO
  • Load testing: TODO

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

  • Requires load testing: TODO
  • Risk level: Low / High TODO
  • Risk description: TODO

Test plan

  1. Step 1
  2. Step 2
  3. Step 3

Testing notes

Confirmation

  1. Engineer: Added comment to user story confirming successful completion of test plan.
  2. QA: Added comment to user story confirming successful completion of test plan.
@sgress454 sgress454 added the ~engineering-initiated Engineering-initiated story, such as a bug, refactor, or contributor experience improvement. label Feb 17, 2025
@sgress454 sgress454 self-assigned this Feb 17, 2025
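To make key results 2 and 3 concrete, here is an added Python example (not Fleet code; the file names, bytes and the bare-bones statements are constructed) that builds minimal in-toto statements of the kind SLSA provenance attests and shows why a host that only holds the extracted binary, or the signed binary, cannot match an attestation whose subject is the zip or the unsigned binary. It models only the subject-digest matching step, not the envelope signature and builder-identity checks a real verifier also performs.

```python
import hashlib
import io
import zipfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_statement(subject_name: str, subject_bytes: bytes) -> dict:
    """Minimal in-toto Statement with a SLSA provenance predicate type (predicate body omitted)."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": subject_name, "digest": {"sha256": sha256_hex(subject_bytes)}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {},  # build details left out; only subject matching is modelled here
    }


def artifact_is_attested(statement: dict, artifact_bytes: bytes) -> bool:
    """True iff the artifact's sha256 equals some subject digest in the statement."""
    digest = sha256_hex(artifact_bytes)
    return any(s.get("digest", {}).get("sha256") == digest for s in statement["subject"])


def build_archive(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def extract_member(archive: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(name)


# Constructed sample artifacts: a placeholder "osqueryd" shipped inside a zip, and a
# placeholder Orbit binary before and after signing (signing appends bytes, so the digest changes).
BINARY = b"constructed osqueryd placeholder, not a real executable\n"
ARCHIVE = build_archive({"osqueryd": BINARY})
UNSIGNED_ORBIT = b"constructed orbit.exe placeholder\n"
SIGNED_ORBIT = UNSIGNED_ORBIT + b"<constructed signature blob>"

ARCHIVE_STATEMENT = make_statement("osqueryd.zip", ARCHIVE)      # attesting only the zip
BINARY_STATEMENT = make_statement("osqueryd", BINARY)            # attesting the binary itself
UNSIGNED_STATEMENT = make_statement("orbit.exe", UNSIGNED_ORBIT)  # attesting the unsigned build


def demo() -> tuple:
    on_host = extract_member(ARCHIVE, "osqueryd")  # what a host actually has after install
    return (
        artifact_is_attested(ARCHIVE_STATEMENT, ARCHIVE),   # True: the zip verifies against its own attestation
        artifact_is_attested(ARCHIVE_STATEMENT, on_host),   # False: the extracted binary cannot be verified
        artifact_is_attested(BINARY_STATEMENT, on_host),    # True: a binary-level attestation covers it
        artifact_is_attested(UNSIGNED_STATEMENT, SIGNED_ORBIT),  # False: signed bytes differ from unsigned
    )
```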
@noahtalerman
Member

@lukeheath I'd argue these follow-ups are worth prioritizing. That way, we can say that users can attest all of fleetd:

  • currently just Orbit on macOS and Linux
  • currently just unsigned Orbit (not the base installer Fleet installs when Windows computers auto enroll to Fleet)

cc @sgress454

@lukeheath lukeheath added #g-orchestration Orchestration product group story A user story defining an entire feature :product Product Design department (shows up on 🦢 Drafting board) labels Feb 21, 2025
@lukeheath
Member

Original issue description:

A couple of follow-up tasks for SLSA attestation of Fleet release artifacts:

  • It looks like we're generating attestations on some workflows that run between releases, causing a lot of extra noise on the attestations page. Definitely the attestations in generate-desktop-targets.yml can be locked down to just happen during a release, and possibly others.
  • The osqueryd and desktop app attestations for macOS and Windows are only happening on the archive (zip) files, not the binaries themselves. We should attest the binaries in the archives so that users can verify the binaries on their hosts.
  • We're attesting the unsigned Windows Orbit binary, but we need to do the signed one instead, as that's what hosts end up downloading.

@lukeheath
Member

@sgress454 @sharon-fdm Please make sure all sections are populated (including test plan) before bringing for estimation. Thanks!
