Description
Package
None
Is your feature request related to a problem?
GitHub recently released a new feature that provides attestations that can be used to establish the provenance of build artifacts: docs.
Attesting the binaries produced in a build workflow allows use of the GitHub API or tools like the `gh` CLI to verify that a given file was produced from a build in the project's own CI workflows. This provides additional defence-in-depth for supply chain security in addition to code signing (not just who published it, but where did it come from?).
Right now, however, this isn't useful for `.nupkg` files, as the packages created by CI aren't binarily identical to those restored from NuGet.org: they are signed by Microsoft after they're published, as part of the ingestion process (more details here).
What is the expected behavior?
`.dll` files are attested as part of the publish-packages workflow before `dotnet pack`.
Here's an example where we do this in Polly for our signed artifacts before we publish our NuGet packages: build.yml
This manifests in something like this.
Users can verify files from the NuGet packages came from CI like this: App-vNext/Polly#2647 (comment)
Which alternative solutions or features have you considered?
None.
Additional context
No response
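An added example (not the issue author's workflow and not this repository's own publish-packages workflow) of the ordering the request asks for: attest the `.dll` files before `dotnet pack`, so the attested subjects are the bytes that end up inside the package and are untouched by NuGet.org's ingestion signing. The solution layout, action versions and the `OWNER` placeholder are assumptions.

```yaml
# Example workflow fragment (added here; assumed layout, not the project's file).
name: publish-packages (example)

on:
  push:
    tags: ['v*']

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write      # request the short-lived Sigstore signing identity
      attestations: write  # store the attestation on GitHub
    steps:
      - uses: actions/checkout@v4

      - name: Build (Release)
        run: dotnet build --configuration Release

      # Attest the assemblies FIRST. The .dll bytes are what gets packed into the
      # .nupkg and are not modified when NuGet.org re-signs the package, so a
      # consumer can still match them against the attestation later.
      - name: Attest build provenance of assemblies
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: |
            src/**/bin/Release/**/*.dll

      # Pack only after attestation; --no-build reuses the attested binaries.
      - name: Pack
        run: dotnet pack --configuration Release --no-build --output ./artifacts

# Consumer-side check (assumed paths; OWNER is a placeholder for the GitHub org):
# a .nupkg is a zip, so extract the assembly and verify it against attestations
# published by that owner. A mismatch or an unknown subject digest fails the check.
#
#   unzip -o ./artifacts/Example.1.0.0.nupkg -d ./extracted
#   gh attestation verify ./extracted/lib/net8.0/Example.dll --owner OWNER
```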