Open Enclave SDK users can verify Windows SDK binaries are built from audited OSS code

[CodeMonkeyLeet]

A key reason to open source all of the Open Enclave code is to create transparency and trust that there is not subversive or flawed code running in the enclave. Consumers of the SDK need a way to verify that the binaries and libraries are actually built from the source code that is audited. This requires quite a few things:

• The SDK package (e.g. nuget on Windows) must be signed
• All libraries and binaries in the SDK must have a cryptographic hash (SHA-256) documented for it
  • For the Windows SDK specifically, PE binaries should be Authenticode signed, and we may also wish to distribute a .cat file signature for other files such as libraries that do not support embedded signatures.
• The version of the code for any drop of the SDK must be explicitly tagged so that the build can be exactly recreated.
• The exact versions of all the tools and library dependencies that go into building that SDK version must be documented.
  • Ideally, there is an automated script that will set up a clean build environment with all the dependency tools and library packages and execute the build with the expected build options.
  • Windows may need additional tooling to generate hashes over the build output (where Linux may rely on OpenSSL command line tools by default)

[CodeMonkeyLeet]

Triage: Not for v0.7.

[radhikaj]

@yakman2020 Please provide an update