release: add release hash for v1.1.2 and v1.0.4 #291

Merged
merged 2 commits into from
Oct 4, 2022



@asraa asraa commented Oct 3, 2022

Signed-off-by: Asra Ali <asraa@google.com>

To verify these hashes, do the following for https://github.com/slsa-framework/slsa-verifier/releases/tag/v1.1.2 and https://github.com/slsa-framework/slsa-verifier/releases/tag/v1.0.4:

  1. Download the binary and provenance from https://github.com/slsa-framework/slsa-verifier/releases/tag/v1.1.2 (or the other)
  2. Clone the slsa-verifier repo, compile and verify the provenance:
     $ git clone git@github.com:slsa-framework/slsa-verifier.git
     $ cd slsa-verifier
     $ go run ./cli/slsa-verifier verify-artifact ~/Downloads/slsa-verifier-linux-amd64 --provenance-path ~/Downloads/slsa-verifier-linux-amd64.intoto.jsonl --source-uri github.com/slsa-framework/slsa-verifier --source-tag v1.1.2 --source-branch release/v1.1
  3. Get the hash.
     Either:
     cat slsa-verifier-linux-amd64.intoto.jsonl | jq -r '.payload' | base64 -d | jq -r '.subject[0].digest.sha256'

     or

     sha256sum slsa-verifier-linux-amd64
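
The hash step above as an added example, not part of the original pull request or of the slsa-verifier code base: it decodes the envelope payload the way the `jq` pipeline does, but looks the subject up by file name across every line and subject instead of reading only `.subject[0]`, then compares it with the artifact's own SHA-256. The artifact bytes, the unsigned envelope and the `SAMPLE_*` names are constructed for illustration; the script does not check the signature, which is what `verify-artifact` does.

```python
import base64
import hashlib
import hmac
import json

PAYLOAD_TYPE = "application/vnd.in-toto+json"  # DSSE payload type for in-toto statements


def subject_digests(provenance_jsonl):
    """Map subject name -> sha256 hex for every envelope line in a .intoto.jsonl file."""
    digests = {}
    for line in provenance_jsonl.splitlines():
        if not line.strip():
            continue
        envelope = json.loads(line)
        if envelope.get("payloadType") != PAYLOAD_TYPE:
            raise ValueError("unexpected payloadType: %r" % envelope.get("payloadType"))
        # Same step as `jq -r '.payload' | base64 -d` in the procedure above.
        statement = json.loads(base64.b64decode(envelope["payload"], validate=True))
        for subject in statement.get("subject", []):
            sha256 = subject.get("digest", {}).get("sha256")
            if sha256:
                digests[subject["name"]] = sha256.lower()
    return digests


def artifact_matches(artifact, name, provenance_jsonl):
    """True only if the artifact's SHA-256 equals the digest recorded for `name`."""
    expected = subject_digests(provenance_jsonl).get(name)
    if expected is None:
        return False  # the provenance says nothing about this file name
    actual = hashlib.sha256(artifact).hexdigest()  # the value `sha256sum` prints
    return hmac.compare_digest(actual, expected)


# Constructed sample data: a stand-in artifact and an unsigned envelope built around it.
SAMPLE_NAME = "slsa-verifier-linux-amd64"
SAMPLE_ARTIFACT = b"constructed stand-in bytes, not the real release binary\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()
_statement = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": SAMPLE_NAME, "digest": {"sha256": SAMPLE_SHA256}}],
}
SAMPLE_PROVENANCE = json.dumps({
    "payloadType": PAYLOAD_TYPE,
    "payload": base64.b64encode(json.dumps(_statement).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "constructed-placeholder"}],
}) + "\n"
```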

Signed-off-by: Asra Ali <asraa@google.com>
@asraa asraa requested a review from ianlewis October 3, 2022 16:26
Signed-off-by: Asra Ali <asraa@google.com>
@asraa asraa changed the title from "release: add release hash for v1.1.2" to "release: add release hash for v1.1.2 and v1.0.4" Oct 3, 2022

ianlewis commented Oct 4, 2022

Verified v1.1.2

ianlewis@ianlewis at 00:33:29+0000 (default)
tmp$ wget https://github.com/slsa-framework/slsa-verifier/releases/download/v1.1.2/slsa-verifier-linux-amd64
...
2022-10-04 00:33:41 (9.45 MB/s) - ‘slsa-verifier-linux-amd64’ saved [53648138/53648138]

ianlewis@ianlewis at 00:33:41+0000 (default)
tmp$ wget https://github.com/slsa-framework/slsa-verifier/releases/download/v1.1.2/slsa-verifier-linux-amd64.intoto.jsonl
...
2022-10-04 00:34:23 (6.91 MB/s) - ‘slsa-verifier-linux-amd64.intoto.jsonl’ saved [15060/15060]

ianlewis@ianlewis at 00:34:23+0000 (default)
tmp$ sha256sum slsa-verifier-linux-amd64
2c9225603186f227d01c12bf8b8815f42eb3d4e2a2de7945dd65e704de254d74  slsa-verifier-linux-amd64

ianlewis@ianlewis at 00:37:20+0000 exited 1 git:(main $%>) (default)
slsa-verifier$ go run ./cli/slsa-verifier verify-artifact ~/tmp/slsa-verifier-linux-amd64 --provenance-path ~/tmp/slsa-verifier-linux-amd64.intoto.jsonl --source-uri github.com/slsa-framework/slsa-verifier --source-tag v1.1.2 --source-branch release/v1.1
Verified signature against tlog entry index 4427949 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77afa081a2979f03dc1af813dd39c436ac97edda9024c68161b27a5804d0831eb9e
Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.2.0 at commit 8ee45a7aeb0d892d393ca32bd50b594f54d042f3
PASSED: Verified SLSA provenance

Verified v1.0.4

ianlewis@ianlewis at 00:38:32+0000 exited 127 (default)
tmp$ wget https://github.com/slsa-framework/slsa-verifier/releases/download/v1.0.4/slsa-verifier-linux-amd64
...
2022-10-04 00:38:53 (17.6 MB/s) - ‘slsa-verifier-linux-amd64’ saved [53197506/53197506]

ianlewis@ianlewis at 00:38:53+0000 (default)
tmp$ wget https://github.com/slsa-framework/slsa-verifier/releases/download/v1.0.4/slsa-verifier-linux-amd64.intoto.jsonl
...
2022-10-04 00:39:21 (7.48 MB/s) - ‘slsa-verifier-linux-amd64.intoto.jsonl’ saved [15232/15232]

ianlewis@ianlewis at 00:39:21+0000 (default)
tmp$ sha256sum slsa-verifier-linux-amd64
49727307d44c408610316541795ffa501ea21b78061de4589ca88194c522a651  slsa-verifier-linux-amd64

ianlewis@ianlewis at 00:37:36+0000 git:(main $%>) (default)
slsa-verifier$ go run ./cli/slsa-verifier verify-artifact ~/tmp/slsa-verifier-linux-amd64 --provenance-path ~/tmp/slsa-verifier-linux-amd64.intoto.jsonl --source-uri github.com/slsa-framework/slsa-verifier --source-tag v1.0.4 --source-branch release/v1.0
Verified signature against tlog entry index 4437620 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77a45edfa67887a3807a27056f26fe7036c534f0308b8b42c42413b9305aa25ccd3
Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.2.0 at commit 191a3bd2bbe44218f09e018ede653572a54e7f30
PASSED: Verified SLSA provenance

@ianlewis ianlewis merged commit 168f9c3 into slsa-framework:main Oct 4, 2022