
docs: adding SLSA verification steps to READMEs #344

Merged
merged 5 commits into from
Jan 16, 2024

Conversation

rsoberano-ld
Contributor

Requirements

  • I have added test coverage for new or changed functionality
  • I have followed the repository's pull request submission guidelines
  • I have validated my changes against all supported platform versions

Describe the solution you've provided

Drafting up documentation for how consumers may use the SLSA framework to verify SDK packages published with provenance to improve supply chain security.

Describe alternatives you've considered

Provide a clear and concise description of any alternative solutions or features you've considered.

Additional context

Add any other context about the pull request here.

@rsoberano-ld rsoberano-ld requested a review from mmrj January 9, 2024 02:06
@rsoberano-ld
Contributor Author

Starting off with a single SDK for now. If this looks good I'll add this to the other SDK READMEs in this monorepo. Let me know if what we've got so far looks good, namely:

  • Verification steps look reasonable and make sense
  • Language is correct or if there are better ways to phrase things
  • Placement in the README makes sense (didn't want it to show up before the getting started steps, since that's probably what most developers will want to read here)

@rsoberano-ld rsoberano-ld force-pushed the rsoberano/SEC-4729/js-core-slsa branch from 2c588a9 to 2a5ee2e Compare January 9, 2024 03:29
@kinyoklion
Member

@rsoberano-ld Did you intend to mark this ready for review?

@kinyoklion
Member

For this repo, as many packages have provenance, should we make a central markdown file and link to it from relevant readme files?

@rsoberano-ld rsoberano-ld marked this pull request as ready for review January 9, 2024 17:58
@rsoberano-ld
Contributor Author

> For this repo, as many packages have provenance, should we make a central markdown file and link to it from relevant readme files?

That's a great idea, I'll update that today

@rsoberano-ld rsoberano-ld requested a review from a team January 9, 2024 17:59
- Use the provenance published in npm to verify the authenticity of the build:
- Check the source commit for:
- Source repository is a LaunchDarkly-owned repository
- Commit author is a LaunchDarkly entity
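Review bot: the two checks under "Check the source commit for" ("Source repository is a LaunchDarkly-owned repository" and "Commit author is a LaunchDarkly entity") don't say which provenance field the reader compares or what the expected value is; name the field and the concrete expected repository URL so the check is something a reader can actually perform rather than a judgement call. The commit-author check is also a weak signal on its own, since commits in the source repository come from outside contributors as well as employees; anchoring the check on the repository plus the fact that the commit was merged through the repository's review process is more robust.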
Member

@kinyoklion kinyoklion Jan 9, 2024


Commits are approved by LD maybe? Many commits are either made by contributors, or made by former employees.

A basic example from erlang: launchdarkly/erlang-server-sdk@v3.0.3...v3.0.4

Contributor

@mmrj mmrj left a comment


Couple of suggestions on how you might want to move this info around. Content LGTM.

@@ -98,6 +98,30 @@ echo "MOBILE_KEY=mob-abc" >> packages/sdk/react-native/example/.env
yarn && yarn ios-go
```

## Validating SDK packages with the SLSA framework

LaunchDarkly uses the [SLSA framework](https://slsa.dev/spec/v1.0/about) to help developers make their supply chain more secure by ensuring the authenticity of our published SDK packages. As part of [SLSA requirements for level 3 compliance](https://slsa.dev/spec/v1.0/requirements), LaunchDarkly publishes provenance about our SDK package builds to NPM for distribution alongside our packages.
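Review bot: "SLSA requirements for level 3 compliance" uses a level name the linked v1.0 spec does not; the v1.0 spec defines levels per track and calls this one "Build L3", so "SLSA Build Level 3" (keeping the link to the requirements page) would match the spec and avoid implying a single overall level. The registry is also written "NPM" here but "npm" in the following paragraph; use one spelling throughout.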
Contributor


Suggested change
LaunchDarkly uses the [SLSA framework](https://slsa.dev/spec/v1.0/about) to help developers make their supply chain more secure by ensuring the authenticity of our published SDK packages. As part of [SLSA requirements for level 3 compliance](https://slsa.dev/spec/v1.0/requirements), LaunchDarkly publishes provenance about our SDK package builds to NPM for distribution alongside our packages.
LaunchDarkly uses the [SLSA framework](https://slsa.dev/spec/v1.0/about) to help developers make their supply chain more secure by ensuring the authenticity of our published SDK packages. As part of [SLSA requirements for level 3 compliance](https://slsa.dev/spec/v1.0/requirements), LaunchDarkly publishes provenance about our SDK package builds to npm for distribution alongside our packages.

should this be lowercase npm to match the paragraph below? I'm not sure if there's a case where it's all caps

@@ -98,6 +98,30 @@ echo "MOBILE_KEY=mob-abc" >> packages/sdk/react-native/example/.env
yarn && yarn ios-go
```

## Validating SDK packages with the SLSA framework
Contributor


I saw that you're thinking of moving this info to the top-level SECURITY.md file in the cpp-sdk repo.

I think it could be nice for customers to always be able to find this info in the same place.

That means two options:

(a) move this info to the top-level SECURITY.md in this repo (could be okay, but maybe that means this info is too far from the package now? given that this repo has so many SDKs)

(b) reference this info in the top-level SECURITY.md file in this repo, but leave the details here.

If you go with (b), you could update this repo's SECURITY.md with something like: "Validating SDK packages with the SLSA framework / LaunchDarkly uses the SLSA framework to help developers make their supply chain more secure by ensuring the authenticity of our published SDK packages. As part of SLSA requirements for level 3 compliance, LaunchDarkly publishes provenance about our SDK package builds. To learn more, read the "Validating SDK packages" section in the package README." or similar.

Comment on lines 105 to 106
The SLSA framework specifies some [recommendations for verifying build artifacts](https://slsa.dev/spec/v1.0/verifying-artifacts) in their documentation. For npm packages that are published with provenance, npm already [validates the authenticity of the package using Sigstore](https://docs.npmjs.com/generating-provenance-statements#about-npm-provenance). In addition to npm's validation, we recommend the following steps:
- Ensure that the @launchdarkly/react-native-client-sdk version you're downloading was published with npm-verified provenance
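Review bot: the bullet "Ensure that the @launchdarkly/react-native-client-sdk version you're downloading was published with npm-verified provenance" states a goal but not how to confirm it. Suggest naming the concrete check, for example the provenance details npm shows on the package's version page on npmjs.com, or running `npm audit signatures` in a project that depends on the package, which reports whether the installed packages carry verified registry signatures and provenance attestations; that turns the bullet into a step a reader can follow and whose failure is visible.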
Contributor


If you move this content all to SECURITY.md (option (a) above), then you might need sub-sections for each SDK package? Something like:

Suggested change
The SLSA framework specifies some [recommendations for verifying build artifacts](https://slsa.dev/spec/v1.0/verifying-artifacts) in their documentation. For npm packages that are published with provenance, npm already [validates the authenticity of the package using Sigstore](https://docs.npmjs.com/generating-provenance-statements#about-npm-provenance). In addition to npm's validation, we recommend the following steps:
- Ensure that the @launchdarkly/react-native-client-sdk version you're downloading was published with npm-verified provenance
The SLSA framework specifies some [recommendations for verifying build artifacts](https://slsa.dev/spec/v1.0/verifying-artifacts) in their documentation. For npm packages that are published with provenance, npm already [validates the authenticity of the package using Sigstore](https://docs.npmjs.com/generating-provenance-statements#about-npm-provenance). In addition to npm's validation, we recommend several additional steps for each package.
### Validating the React Native SDK package
In addition to npm's recommendation, we recommend the following steps to validate the React Native SDK package:
- Ensure that the @launchdarkly/react-native-client-sdk version you're downloading was published with npm-verified provenance

But not needed if this content is staying here.

@rsoberano-ld rsoberano-ld force-pushed the rsoberano/SEC-4729/js-core-slsa branch from e4b9fbf to 2ebc7d8 Compare January 11, 2024 01:22
Contributor

@mmrj mmrj left a comment


LGTM, added suggestions to bring the header edits from the C++ PR over to this one

@@ -30,6 +30,10 @@ yarn && yarn build && cd packages/sdk/akamai-base
yarn test
```

## Verifying SDK build provenance with the SLSA framework

LaunchDarkly uses the [SLSA framework](https://slsa.dev/spec/v1.0/about) (Supply-chain Levels for Software Artifacts) to help developers make their supply chain more secure by ensuring the authenticity and build integrity of our published SDK packages. To learn more, see the [provenance guide](PROVENANCE.md).
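Review bot: the relative link `[provenance guide](PROVENANCE.md)` resolves on GitHub but not where this README is also rendered, the package page on npmjs.com, since PROVENANCE.md lives at the monorepo root and is not part of the published package (the same problem is reported in this thread for the CONTRIBUTING.md link on the published js-server-sdk-common page). Use an absolute URL to the file on GitHub so the reference works in both places, or ship the guide inside the package if it should travel with it.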
Contributor Author


@kinyoklion how would the link to PROVENANCE.md work with npm? do I need to include a relative path here (../../../PROVENANCE.md), or specify the provenance file in the package.json for inclusion?

Contributor Author


FWIW the CONTRIBUTING.md link here doesn't seem to work: https://www.npmjs.com/package/@launchdarkly/js-server-sdk-common

Member


Yours should work fine. The relative path would work in GitHub, but not npm unfortunately.

@rsoberano-ld rsoberano-ld merged commit f85bbea into main Jan 16, 2024
1 check passed
@rsoberano-ld rsoberano-ld deleted the rsoberano/SEC-4729/js-core-slsa branch January 16, 2024 23:45