release: add release v1.0.3

[asraa]

This sets the expected sha256 of the v1.0.3 slsa-verifier released binary.

1. Download the binary and provenance from https://github.com/slsa-framework/slsa-verifier/releases/tag/v1.0.3
2. Clone the slsa-verifier repo, compile and verify the provenance:

$ git clone git@github.com:slsa-framework/slsa-verifier.git
$ cd slsa-verifier
$ (Optional: git checkout tags/v1.0.3)
$ go run ./cli/slsa-verifier -artifact-path slsa-verifier-linux-amd64 -provenance slsa-verifier-linux-amd64.intoto.jsonl -source github.com/slsa-framework/slsa-verifier -tag v1.0.3

3. Get the hash.
   Either:

cat slsa-verifier-linux-amd64.intoto.jsonl | jq -r '.payload' | base64 -d | jq -r '.subject[0].digest.sha256'

or

sha256sum slsa-verifier-linux-amd64

The output hash should be the hash I'm updating to in this PR. If they match, LGTM. If they don't, someone tampered with the released binary and don't LGTM

Signed-off-by: Asra Ali asraa@google.com

[laurentsimon]

$ sha256sum tmp/slsa-verifier-linux-amd64
5da115ab7f90f3e8a8b30c74820b4b7dd032afebef7cd912be23acb9fbd37d0b  tmp/slsa-verifier-linux-amd64

$ cat tmp/slsa-verifier-linux-amd64.intoto.jsonl | jq -r '.payload' | base64 -d | jq -r '.subject[0].digest.sha256'
5da115ab7f90f3e8a8b30c74820b4b7dd032afebef7cd912be23acb9fbd37d0b

 $ go run ./cli/slsa-verifier -artifact-path tmp/slsa-verifier-linux-amd64 -provenance tmp/slsa-verifier-linux-amd64.intoto.jsonl -source github.com/slsa-framework/slsa-verifier -tag v1.0.3
Verified signature against tlog entry index 3277515 at URL: https://rekor.sigstore.dev/api/v1/log/entries/2cf8ac7e31475c24c69b9270745155a10bb37c70848c4553b9d35c7d1e8b1573
Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.2.0 at commit 6fb4f7e2dd9c2f5d4f55fa88f6796278a7bba6d6
PASSED: Verified SLSA provenance