Build provenance attestation for Windows

[jbcr]

Description

As part of our software security policy, we are looking to validate the authenticity of PHP Windows builds using Cosign.

Are there any public certificates or attestations available for these artifacts? This is a prerequisite for our next deployment phase, which involves systematic SBOM verification.

[Girgias]

@shivammathur is this something you are working on?

[shivammathur]

@Girgias Yes, this is on my backlog.