
[Security] Add canary statement

Open cchexcode opened this issue 9 months ago • 3 comments

Feature Request

As an operating system, talos linux is a critical part of the system if used for production workloads. As such, it is important to verify the integrity of the system (and developers). With that being said, I suggest the following changes to increase security for this amazing piece of software.

Asset checksums

~~I suggest that we add checksums to the asset downloads on the release page. This can be used to verify that a downloaded file has not been tampered with in transit. This is generally a best practice when downloading critical software and prevents a range of attacks that could compromise the asset.~~

Canary

In order to increase trust in Talos linux, I suggest that siderolabs adds a canary statement to verify that a release does not contain a backdoor or other types of desired malware. In many countries, law enforcement can seize property (like Talos as IP) and modify / redistribute it with backdoors. They can require you to not speak out but can't require you to take certain actions (such as signing with a PGP key etc). Long story short, I think a critical piece of infrastructure such as an OS should provide a canary statement that no such incident took place. Wh0nix is such an example, providing a canary incl. recent headlines to prove it's recent.

cchexcode, May 07 '24 05:05

Most critical release assets are reproducible, so you can build it yourself from source and compare to the released assets. This provides better protection/trust than any other measures.

The reproducible assets are:

  • kernel
  • initramfs
  • installer container
  • imager container

Every other asset can be produced from the above.

smira, May 07 '24 10:05

There are sha256sum.txt and sha512sum.txt published with every release - are those not the checksums you mean?

steverfrancis, May 07 '24 15:05
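Checking a downloaded asset against the published sha256sum.txt, as an added example (not the Talos project's own tooling): it assumes the file uses the standard `<hash>  <filename>` layout that sha256sum(1) emits, and constructs a fake asset plus checksum file to show both a clean match and a tampered copy being rejected.

```shell
#!/bin/sh
# Added example, not Talos project code. Verifies one release asset against
# the sha256sum.txt shipped with the release (assumed "<hash>  <filename>").

# verify_asset <asset path> <checksum file>
# Exit status: 0 = hash matches, 1 = mismatch, 2 = no entry for the asset.
verify_asset() {
    asset="$1"; sums="$2"
    name=$(basename "$asset")
    # Pick the expected hash for exactly this file name (not a substring).
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sums")
    [ -n "$expected" ] || { echo "no entry for $name in $sums" >&2; return 2; }
    actual=$(sha256sum "$asset" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name" >&2
        return 0
    fi
    echo "MISMATCH: $name (expected $expected, got $actual)" >&2
    return 1
}

# Constructed demo: a fake asset and a checksum file in the published format.
# Prints "<status of clean check> <status of tampered check>", i.e. "0 1".
demo() {
    tmp=$(mktemp -d)
    printf 'fake initramfs payload\n' > "$tmp/initramfs-amd64.xz"
    # Strip the temp directory so the entry carries the bare file name,
    # as in a release's sha256sum.txt.
    sha256sum "$tmp/initramfs-amd64.xz" | sed "s|$tmp/||" > "$tmp/sha256sum.txt"
    verify_asset "$tmp/initramfs-amd64.xz" "$tmp/sha256sum.txt" && ok=0 || ok=$?
    # Simulate in-transit tampering by appending to the downloaded file.
    printf 'tampered\n' >> "$tmp/initramfs-amd64.xz"
    verify_asset "$tmp/initramfs-amd64.xz" "$tmp/sha256sum.txt" && bad=0 || bad=$?
    rm -rf "$tmp"
    echo "$ok $bad"
}

demo   # prints "0 1"
```

For a real download, `sha256sum --check --ignore-missing sha256sum.txt` in the download directory performs the same comparison for every asset present.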

@steverfrancis yes correct - I must've missed these three times while looking through the list. Excellent!

cchexcode, May 07 '24 17:05