release: release v1.3.0 of verifier

[asraa]

Signed-off-by: Asra Ali asraa@google.com

This sets the expected sha256 of the v1.3.0 slsa-verifier released binary.

1. Download the binary and provenance from https://github.com/slsa-framework/slsa-verifier/releases/tag/v1.3.0
2. Clone the slsa-verifier repo, compile and verify the provenance:

$ git clone git@github.com:slsa-framework/slsa-verifier.git
$ cd slsa-verifier
$ (Optional: git checkout tags/v1.3.0)
$ go run ./cli/slsa-verifier -artifact-path slsa-verifier-linux-amd64 -provenance slsa-verifier-linux-amd64.intoto.jsonl -source github.com/slsa-framework/slsa-verifier -tag v1.3.0

3. Get the hash.
   Either:

cat slsa-verifier-linux-amd64.intoto.jsonl | jq -r '.payload' | base64 -d | jq -r '.subject[0].digest.sha256'

or

sha256sum slsa-verifier-linux-amd64

The output hash should be the hash I'm updating to in this PR. If they match, LGTM. If they don't, someone tampered with the released binary and don't LGTM

[laurentsimon]

go run ./cli/slsa-verifier -artifact-path tmp/slsa-verifier-linux-amd64 -provenance tmp/slsa-verifier-linux-amd64.intoto.jsonl -source github.com/slsa-framework/slsa-verifier -tag v1.3.0 -print-provenance | jq -r '.subject[0].digest.sha256'
Verified signature against tlog entry index 3189970 at URL: https://rekor.sigstore.dev/api/v1/log/entries/206071d5ca7a2346e4db4dcb19a648c7f13b4957e655f4382b735894059bd199
Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.2.0 at commit 5bb13ef508b2b8ded49f9264d7712f1316830d10
PASSED: Verified SLSA provenance
1326430d044e8a9522c51e5f721e237b5f75acb6b4e518d129f669403cf7a79a

[laurentsimon]

Thanks!